Hi all,
I am running a self-managed Elastic Stack (v9.3.0) with a Basic license.
I have ingested threat intelligence data from MISP using the official integration, and I am trying to create an Indicator Match rule in Elastic Security.
What I did

- Created a test event document with:
  destination.ip: 40.119.33.98
- Verified that the same IP exists in the MISP TI index:
  threat.indicator.ip: 40.119.33.98
- Confirmed both documents are searchable in Discover and via Dev Tools
- Created an Indicator Match rule with:
  - Event index: logs-* (also tested with a dedicated lab index)
  - Indicator index: MISP TI index (also tested with a custom TI index)
  - Mapping: destination.ip MATCHES threat.indicator.ip
  - Query: *

What is happening

- Rule runs successfully (no visible errors)
- No alerts are generated
- Even when using a simplified lab setup (same index, same value), still no alerts

What I have already checked

- Data is present and searchable
- Field values match exactly
- Mapping types aligned (tested both ip and keyword)
- Time range is correct
- Rule is enabled and executed
Question
Is this expected behavior under the Basic license?
Do Indicator Match rules require a higher license tier (e.g., Trial / Platinum) to generate alerts?
Any clarification would be appreciated.
Thanks!
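Independently of the license question, one way to rule out a data-side cause is to replay the rule's comparison outside the rule. The following is an added example (Python; not the poster's code and not part of Elastic) that, on constructed sample documents shaped like the ones described, resolves the ECS dotted fields, normalises values the way an `ip`-mapped field would, and emits the equivalent `terms` query to run in Dev Tools against the event index.

```python
import ipaddress

# Constructed sample _source documents mirroring the post (not real index data).
EVENT_DOCS = [
    {"@timestamp": "2025-01-01T00:00:00Z", "destination": {"ip": "40.119.33.98"}},
    {"@timestamp": "2025-01-01T00:01:00Z", "destination": {"ip": "10.0.0.5"}},
]
INDICATOR_DOCS = [
    {"threat": {"indicator": {"ip": "40.119.33.98", "type": "ipv4-addr"}}},
    {"threat": {"indicator": {"ip": " 40.119.33.98 "}}},   # stray whitespace
    {"threat": {"indicator": {"url": {"full": "http://example.test"}}}},  # no ip
]


def get_path(doc, dotted):
    """Resolve an ECS dotted field name (e.g. threat.indicator.ip) in a nested doc."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_ip(value):
    """Canonical IP string, or None if the value is not a valid address.
    An `ip`-mapped field only holds valid addresses, whereas a `keyword` field
    keeps the raw string, so ' 40.119.33.98 ' would only match after stripping."""
    if not isinstance(value, str):
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def indicator_values(indicator_docs, indicator_field):
    """Distinct normalised indicator values: the list a `terms` lookup needs."""
    vals = {normalize_ip(get_path(d, indicator_field)) for d in indicator_docs}
    return sorted(v for v in vals if v)


def build_terms_query(indicator_docs, event_field, indicator_field):
    """Query body approximating the rule's lookup, for pasting into Dev Tools."""
    return {"query": {"terms": {event_field: indicator_values(indicator_docs, indicator_field)}}}


def match_events(event_docs, indicator_docs, event_field, indicator_field):
    """Events that would be matched; returns (event, matched_value) pairs."""
    wanted = set(indicator_values(indicator_docs, indicator_field))
    return [(ev, v) for ev in event_docs
            if (v := normalize_ip(get_path(ev, event_field))) in wanted]
```

If the `terms` query returns hits in Dev Tools but the rule still yields nothing, the data side is fine and the cause lies with the rule itself.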