Indicator Match rule not generating alerts (Basic license, self-managed 9.3.0)

Hi all,

I am running a self-managed Elastic Stack (v9.3.0) with a Basic license.

I have ingested threat intelligence data from MISP using the official integration, and I am trying to create an Indicator Match rule in Elastic Security.

What I did

  • Created a test event document with:
    • destination.ip: 40.119.33.98
  • Verified that the same IP exists in the MISP TI index:
    • threat.indicator.ip: 40.119.33.98
  • Confirmed both documents are searchable in Discover and via Dev Tools
  • Created an Indicator Match rule with:
    • Event index: logs-* (also tested with a dedicated lab index)
    • Indicator index: MISP TI index (also tested with a custom TI index)
    • Mapping: destination.ip MATCHES threat.indicator.ip
    • Query: *

What is happening

  • Rule runs successfully (no visible errors)

  • No alerts are generated

  • Even when using a simplified lab setup (same index, same value), still no alerts

What I have already checked

  • Data is present and searchable

  • Field values match exactly

  • Mapping types aligned (tested both ip and keyword)

  • Time range is correct

  • Rule is enabled and executed

Question

Is this expected behavior under the Basic license?

Do Indicator Match rules require a higher license tier (e.g., Trial / Platinum) to generate alerts?

Any clarification would be appreciated.

Thanks!

@arav No, licensing should not be an issue here, I don't think. :+1:

My first thought is that this sounds like either a mapping or timing issue, so let's try to gather a little more data in those regards:

  1. Can you share a full (without sharing any sensitive information, of course) rule definition for the rule in question? That would help complete the picture of what might be happening, here.

  2. Can you confirm the mappings on both indices by sharing the results of GET mapping responses for both the source and indicator index patterns? E.g. GET /{threat_index_pattern}/_mapping/field/destination.ip

  3. If you have examples of both a source document and an indicator document that you think should be matching but aren't, those would also be helpful information.

I think between those three things, we can narrow down on a root cause here. :+1:
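As an added example (not code from either post), here is an offline check that walks the two suspects the reply names, the field mapping and the timing window, over constructed sample documents modelled on the thread's test case; the lookback strings, the ECS field paths and the document shapes are assumptions, and the real rule also applies its own query filters that this sketch ignores:

```python
import re
from datetime import datetime, timedelta

# Constructed sample documents (assumption: nested ECS shape, UTC @timestamp).
EVENT = {"@timestamp": "2025-01-10T10:00:00Z",
         "destination": {"ip": "40.119.33.98"}}
INDICATOR = {"@timestamp": "2025-01-09T09:00:00Z",
             "threat": {"indicator": {"ip": "40.119.33.98"}}}

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def get_path(doc, path):
    """Resolve a dotted path whether the doc is nested or stored pre-dotted."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_window(expr):
    """Turn a Kibana-style range such as "now-6m" or "30d" into a timedelta."""
    m = re.fullmatch(r"(?:now-)?(\d+)([smhd])", expr.strip())
    if not m:
        raise ValueError(f"unsupported window: {expr!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose(event, indicator, mapping, event_lookback, indicator_lookback, now_iso):
    """Return reasons the pair would NOT alert; an empty list means it would."""
    reasons, now = [], parse_ts(now_iso)
    ev_field, ti_field = mapping
    ev_val, ti_val = get_path(event, ev_field), get_path(indicator, ti_field)
    if ev_val is None:
        reasons.append(f"event document has no {ev_field}")
    if ti_val is None:
        reasons.append(f"indicator document has no {ti_field}")
    elif ev_val is not None and str(ev_val).strip() != str(ti_val).strip():
        reasons.append(f"values differ: {ev_val!r} vs {ti_val!r}")
    for label, doc, window in (("event", event, event_lookback),
                               ("indicator", indicator, indicator_lookback)):
        ts = parse_ts(doc["@timestamp"])
        if not (now - parse_window(window) <= ts <= now):
            reasons.append(f"{label} @timestamp {doc['@timestamp']} is outside {window}")
    return reasons
```

A test event written hours before the rule's `from` window, or an indicator field living under a different path than the rule's mapping, each shows up as a distinct reason.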