What I would like to do is add a filter rule that also includes the source and destination IP addresses from the alert.
I'm not clear on the intent behind the use of "filter rule" in this statement; if this is a requirement additional to your other statements, please clarify and we can address that.
If I could have the alert email show the source and destination IP addresses, they could take action if needed using our other tools.
If the IP information is available on the alert, then you should be able to add it to the email (or any other alert action) as described in the Rule Action Variables documentation. Since you will have multiple alerts, you'll need to loop through them in your templating (the section on context has an example).
Since these are Indicator Match alerts, they should also have indicator enrichments which could also be referenced in your action. This may be useful to your use case.
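As an added illustration (not part of the reply above, and not an official Elastic template), this is one way the email body could loop over the alerts and pull the IP fields and indicator enrichments into the message. It assumes the alerts are ECS documents with `source.ip`, `destination.ip` and `threat.enrichments` populated, that `context.alerts` is the array exposed to the action, and that dotted field access works inside a section the way it does for nested objects in Mustache.

```mustache
{{! Rule-level variables; one line per notification }}
Rule: {{context.rule.name}}
Alerts in this run: {{state.signals_count}}

{{! Loop over every alert the rule produced in this execution }}
{{#context.alerts}}
--------------------------------------------------
Alert id:    {{_id}}
Host:        {{host.name}}
{{! Sections guard against alerts where the field is absent }}
{{#source.ip}}Source IP:   {{source.ip}}{{/source.ip}}
{{^source.ip}}Source IP:   (not present on this alert){{/source.ip}}
{{#destination.ip}}Dest IP:     {{destination.ip}}{{/destination.ip}}
{{^destination.ip}}Dest IP:     (not present on this alert){{/destination.ip}}

{{! Indicator Match rules attach the matched indicator(s) here (assumed ECS layout) }}
{{#threat.enrichments}}
Matched indicator: {{matched.atomic}} (field {{matched.field}}, type {{matched.type}})
{{/threat.enrichments}}
{{/context.alerts}}

Investigate: {{{context.results_link}}}
```

Triple braces on the results link stop Mustache from HTML-escaping the URL; check the rendered output against one real alert before relying on the field names, since only the fields actually present on the alert document will render.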