@arav no, licensing should not be an issue here, I don't think.

My first thought is that this sounds like either a mapping or timing issue, so let's try to gather a little more data in those regards:

- Can you share a full (without sharing any sensitive information, of course) rule definition for the rule in question? That would help complete the picture of what might be happening here.
- Can you confirm the mappings on both indices by sharing the results of GET mappings responses for both the source and indicator index patterns? E.g. `GET /{threat_index_pattern}/_mapping/field/destination.ip`
- If you have examples of both a source document and an indicator document that you think should be matching but aren't, those would also be helpful information.

I think between those three things, we can narrow down on a root cause here.
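One way to do the mapping check the reply above asks for, as an added example that is not part of the original post or of Elastic's own tooling: take the JSON returned by `GET /<index_pattern>/_mapping/field/<fields>` for the source and indicator index patterns and diff the field types. The two responses embedded below are constructed samples, and the index names (`logs-network-000001`, `threat-intel-000001`) and the mismatch they show (`destination.ip` as `ip` on one side, `keyword` on the other, `source.ip` absent from the indicator index) are hypothetical.

```python
"""Diff field types between a source index pattern and an indicator index pattern.

Added example (not from the original post). It parses the response shape of
Elasticsearch's GET /<index>/_mapping/field/<field> endpoint and reports fields
whose type differs between the two sides or is missing on one of them.
"""
import json

# Constructed sample: a _mapping/field response for the source index pattern.
# Index name and values are hypothetical.
SOURCE_MAPPING = json.loads("""
{
  "logs-network-000001": {
    "mappings": {
      "destination.ip": {"full_name": "destination.ip", "mapping": {"ip": {"type": "ip"}}},
      "source.ip": {"full_name": "source.ip", "mapping": {"ip": {"type": "ip"}}}
    }
  }
}
""")

# Constructed sample for the indicator (threat) index pattern: destination.ip is
# mapped as keyword rather than ip, and source.ip is not mapped at all.
INDICATOR_MAPPING = json.loads("""
{
  "threat-intel-000001": {
    "mappings": {
      "destination.ip": {"full_name": "destination.ip", "mapping": {"ip": {"type": "keyword"}}}
    }
  }
}
""")


def field_types(mapping_response: dict) -> dict:
    """Flatten a _mapping/field response into {field_name: set_of_types}.

    A pattern may resolve to several backing indices; every type seen is collected
    so that drift between backing indices shows up as a set with more than one entry.
    """
    types: dict = {}
    for body in mapping_response.values():
        for field, entry in body.get("mappings", {}).items():
            # "mapping" is keyed by the leaf field name (e.g. "ip" for destination.ip).
            for leaf in entry.get("mapping", {}).values():
                types.setdefault(field, set()).add(leaf.get("type", "<none>"))
    return types


def compare_mappings(source: dict, indicator: dict, fields) -> list:
    """Return (field, source_types, indicator_types) for each requested field that
    is missing on either side or mapped with different types. Empty list = agree."""
    src = field_types(source)
    ind = field_types(indicator)
    problems = []
    for f in fields:
        s, i = src.get(f), ind.get(f)
        if s is None or i is None or s != i:
            problems.append((f, sorted(s) if s else None, sorted(i) if i else None))
    return problems


if __name__ == "__main__":
    checks = ["destination.ip", "source.ip"]
    for field, s, i in compare_mappings(SOURCE_MAPPING, INDICATOR_MAPPING, checks):
        print(f"{field}: source={s} indicator={i}")
```

Against real clusters, replace the two embedded samples with the bodies of the two GET requests and pass the fields named in the rule's indicator mapping entries; any line the script prints is a field the two sides disagree on and is worth including in the thread.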