Indicator match


I'm sorry if this information had already been asked but I didn't find my answer on old topic.
I'm stuck on a indicator match rule and idk if I misunderstand this type of rule:

I have 2 index, lets call them index1 and index2.
On index1, I filter on " deny event action" for exemple
On index2, I filter on " rejected event action" for exemple.

My goal is to match same source.ip between index1 & index2. As well, the source.ip field is different on both index.
Is that thing that make indicator match to not retrieve data ?

Thank you for your feedback :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.