Hello,
I'm sorry if this information has already been asked, but I didn't find my answer in an old topic.
I'm stuck on an indicator match rule and I don't know if I misunderstand this type of rule:
I have 2 indices, let's call them index1 and index2.
On index1, I filter on "deny event action", for example.
On index2, I filter on "rejected event action", for example.
My goal is to match the same source.ip between index1 & index2. Also, the source.ip field is different on both indices.
Is that the thing that makes the indicator match not retrieve data?
Thank you for your feedback.
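For reference, this is what the relevant part of an Elastic Security indicator match rule looks like when the event index and the indicator index use different field names for the source address. This is an added illustration, not something from the original post or from Elastic's documentation verbatim: the index patterns `index1-*` and `index2-*`, the field names `source.ip` and `client.ip`, and the two `event.action` filter values are assumptions standing in for the poster's own setup. The point it shows is that the rule's `threat_mapping` entries pair one field from the event side (`field`) with one field from the indicator side (`value`), so the names do not have to be identical; what has to match is the value stored in those two fields at query time.

```json
{
  "name": "Example: deny events whose source.ip also appears as a rejected client.ip",
  "type": "threat_match",
  "index": ["index1-*"],
  "query": "event.action: \"deny\"",
  "threat_index": ["index2-*"],
  "threat_query": "event.action: \"rejected\"",
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "source.ip",
          "type": "mapping",
          "value": "client.ip"
        }
      ]
    }
  ],
  "threat_language": "kuery",
  "language": "kuery"
}
```

Two things to check when such a rule returns nothing: first, that `field` really is the event-side name and `value` the indicator-side name (swapping them silently matches nothing), and second, that both fields are mapped as the same type in their index mappings (for example `ip` on both sides), since a value stored as `ip` in one index and as `keyword` or `text` in the other will not join even when the printed value looks identical.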