We are using ES 7.10.1 altogether with Logstash and Kibana.
We have ingested TI feeds from MISP and index named as filebeat and we wanted to map and match it to Zscaler logs.
We have tested tens of times just to map and match to it but it seems like the results didn't match and incorrect. Also, the exported fields from MISP is not shown under detection results. What is only shown was the fields from Zscaler logs.
I followed exactly as what is written from elastic documentation about indicator match; for instance; indice A: url.destination:* and indice B: url.full:* and technically if viewed from Elastic Discover for each of these indice: it will shown exactly as: url.destination: and url.full: .
However, when we get these via indicator match rule creation, it didn't work as expected.
In order to test this out;
I took malicious url from MISP and get it browsed via browser: http://www.laforestaincantata.dog/konto/c7a25/ falls under indice B: url.full and from discover it is shown as url.full: http://www.laforestaincantata.dog/konto/c7a25/
then indice A, url.destination shown as url.destination: http://www.laforestaincantata.dog/konto/c7a25/ whereby this results will be shown once we accessed to it via web browser.
Then, detection logic for indicator match by right should be like this:
Results under threat match also indicates the URL that is not malicious and not coming from MISP tagged as under threat match, also the malicious url that I tested not even shown;
a. Under rule creation, I also tested with MISP exported field with/without kql for this detection and no results shown.
b. Under rule creation, I also tested with a combination "or" and "and" condition and not giving accurate results.
c. Even if it shown results, the MISP fields is not shown under threat match and if I take the malicious url from MISP and get it browsed via browser, it is not even giving results under threat match.