I wanted to see if both destination.ip
fields are of the same data type, which would be ip,
and to match that against my side of trying to see if/where a bug might be on this one.
What do you mean "lists are smaller than the data sets"?
In most cases the lists are smaller than the 5 minute blocks of events/data sets, so we pull in the threat intelligence in chunks and then match that against the data set rather than the other way around.
The code for this rule type isn't really complex/fancy from an engineering perspective. It just pulls in the list in chunks and then queries against the dataset.
This is the first time though that I have heard of a false positive occurring, which could indicate a "one off bug" we might have, or possibly a mapping difference where somewhere there is a CIDR that is causing a match with an ip_range.
Have you seen this false positive just once, or is it a recurring, reproducible false positive that is happening?
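To make the matching model described in this reply concrete, here is an added example (not code from the original thread, and not the product's own rule implementation) that pulls a threat list in chunks and matches each chunk against a block of events. The event shape, the chunk size, and the sample events and indicators are all constructed for the example. It shows the two behaviours the reply distinguishes: comparing destination.ip as a literal value, versus comparing it as type ip, where a CIDR entry in the list matches every address inside the range and can look like a false positive when triaged as a single-address hit.

```python
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Constructed sample: one "5 minute block" of events, keyed by destination.ip
EVENTS: List[Dict[str, str]] = [
    {"destination.ip": "10.1.2.3"},
    {"destination.ip": "203.0.113.7"},
    {"destination.ip": "198.51.100.20"},
    {"destination.ip": "192.0.2.9"},
]

# Constructed sample threat list; the second entry is a CIDR, not a single address
INDICATORS: List[str] = [
    "203.0.113.7",
    "198.51.100.0/24",
    "192.0.2.1",
    "192.0.2.2",
    "192.0.2.3",
]

Hit = Tuple[str, str]  # (event destination.ip, indicator value that matched)


def chunks(items: List[str], size: int) -> Iterator[List[str]]:
    """Yield the indicator list in fixed-size chunks (chunk size is assumed)."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def match_exact(events: List[Dict[str, str]], indicators: List[str],
                chunk_size: int = 2) -> List[Hit]:
    """Compare destination.ip as a literal value (keyword-style comparison).

    A CIDR in the list can never equal a single address, so it never matches.
    """
    hits: List[Hit] = []
    for chunk in chunks(indicators, chunk_size):
        wanted = set(chunk)
        for event in events:
            value = event["destination.ip"]
            if value in wanted:
                hits.append((value, value))
    return hits


def match_ip_typed(events: List[Dict[str, str]], indicators: List[str],
                   chunk_size: int = 2) -> List[Hit]:
    """Compare destination.ip as type ip: an indicator is a network, and an
    event matches when its address falls inside that network.

    A /32 behaves like an exact match; a wider CIDR matches the whole range.
    """
    hits: List[Hit] = []
    for chunk in chunks(indicators, chunk_size):
        nets = [(raw, ipaddress.ip_network(raw, strict=False)) for raw in chunk]
        for event in events:
            addr = ipaddress.ip_address(event["destination.ip"])
            for raw, net in nets:
                if addr in net:
                    hits.append((event["destination.ip"], raw))
    return hits


def range_hits(hits: List[Hit]) -> List[Hit]:
    """Triage helper: keep only hits where the indicator is a range wider than
    one address. These are the hits to check first when a match looks like a
    false positive, since the event IP is not literally on the list."""
    return [
        hit for hit in hits
        if ipaddress.ip_network(hit[1], strict=False).num_addresses > 1
    ]


if __name__ == "__main__":
    print("exact:", match_exact(EVENTS, INDICATORS))
    typed = match_ip_typed(EVENTS, INDICATORS)
    print("ip-typed:", typed)
    print("hits caused by a range:", range_hits(typed))
```

Run with the constructed data, the literal comparison reports only the 203.0.113.7 hit, while the ip-typed comparison also reports 198.51.100.20 because it falls inside 198.51.100.0/24; range_hits isolates that second hit, which is the kind of match worth inspecting when a rule fires on an address that is not itself on the list.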