I received a ipv6 match (destination.ip) from an indicator however the destination ip doesn't exist in my threat intel feed! I've linked my detection rule, the match event as well as the CSV of the threat intel feed (all just public feeds). misp threat intel <a href="https://threatbear-public.s3.dualstack.us-east-1.amazonaws.com/rules.ndjson?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAQAN64NHDWHJIMUHU%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201214T002436Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=59e9854cdda2c8eb20982532ca5c3139ef909c0fe260f9a76212367a94a5e5bd" rel="noopener nofollow ugc">rules <a href="https://threatbear-public.s3.dualstack.us-east-1.amazonaws.com/weird-match.json?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAQAN64NHDWHJIMUHU%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20201214T002559Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fdf533de9fdbd74724a0a6d1e4d062a7a6b25c3ec092d5c2415fcbab9d23b8f3" rel="noopener nofollow ugc">match Any ideas why is this is…

Indicator false match on ipv6

hilt86 (Hilt86) December 15, 2020, 5:22am 5

There aren't any mappings really {} as it inherits the mapping from filebeat-* I would think (see Filebeat Apache Module Change Index Name)

What do you mean "lists are smaller than the data sets"?

Topic		Replies	Views
Indicator Match Detection Rule Not Matched and Mapped to Intel Feeds SIEM detection-rules	17	2307	April 1, 2021
Indicator match rule not matched and Mapped with filebeat-* (MISP Module) SIEM	2	552	April 2, 2021
False Positives in the 1000's SIEM	2	503	October 21, 2021
Threat Intelligence Rule fails Elastic Security	3	372	March 3, 2022
Tons of Alerts Using "Threat Intel Indicator Match" Elastic Security	5	411	November 15, 2022