You can do this if the event has already been enriched to include the threat intel feed information when it's written to ES.
We use the SIEM detection rules with something like
_exists_:threat_intel.found_in, and ensure it covers all of the indexes we're interested in generating a Signal against. Currently, we do this on Logstash (general devices like un-supported NGFW (junos or Symantec)), or Filebeat (Zeek data).
We don't use the dictionary feature, however, but it doesn't matter which mutate feature you use. As long as the threat data is in the individual event, you can generate a Signal against it.