Ahh I think I understand the reasoning for your change.
My argument would be: why not have both?
- The proper attack pattern with the right logical operators in attack_pattern(_kql)
- The raw indicators in the appropriate ECS fields, like e.g. url.domain and dns.question.name for indicator type domain.
To illustrate why one could still need the raw indicators, here is a use case:
I have DNS query logs that store domains in the field dns.question.name (millions per day). I also have a MISP-Feed and would like to search for domain IOCs in my query logs. Now, I could use the attack_pattern_kql and issue one query for each IOC (also in the thousands). If I do this regularly, it causes a massive search load on the cluster.
Instead, I coalesce all domain indicators into a dns.question.name array of one document using a transform. Then I run one terms lookup query against the DNS query logs, which comes back in <1s.
This approach is not possible anymore if I don't have the raw domain indicators somewhere, but instead only have pre-written KQL strings.
Leaving the raw indicators in without the KQL logic enables custom use cases, and does not hurt people who do want to rely on the pre-written queries.