Indicator matching rule recommendation

Are there any recommendations regarding the use of indicator matching rules?
I am ingesting threat intel data using the threat intel module from Filebeat.
Whenever I enable a rule to match logs to IOCs, the performance of the cluster becomes extremely slow, to the point that it's unusable and I have to disable the rule. I have a 3-node cluster with 8 CPU cores, 64 GB RAM and 2.5 TB of SSD disk per node.

Hello Ameer!

I was wondering if you had the chance to use the indicator index query to narrow down the data from the indicator documents. Similarly, the custom query can be used to narrow down the source events. Please let us know if you are able to see any performance improvements by narrowing down both the indicator and source events. If you could let us know some more details regarding your rule configuration, we might be able to offer some suggestions as to what those queries may look like.
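A worked example of the narrowing described above, added here and not code from the thread or from Elastic: a Python builder for an indicator match rule whose `threat_query` keeps only IP indicators from the Filebeat threat intel module and whose `query` keeps only source events that actually carry an IP, plus a local check of the `threat_mapping` semantics on constructed sample documents. Assumptions: ECS 8.x field names (`threat.indicator.type`, `threat.indicator.ip`, `event.module`), the placeholder Kibana URL and API key, and the index patterns.

```python
import json
import os
import urllib.request

KIBANA_URL = os.environ.get("KIBANA_URL", "https://kibana.example:5601")  # placeholder host


def build_ip_indicator_rule(source_indices):
    """Indicator match rule narrowed on both sides: only IP indicators, only events with IPs."""
    return {
        "name": "Threat intel: IP indicator match",
        "description": "Source/destination IPs seen in IP indicators from the Filebeat threat intel module.",
        "type": "threat_match",
        "severity": "medium",
        "risk_score": 47,
        "enabled": True,
        "interval": "1h",
        "from": "now-65m",
        "index": source_indices,          # e.g. one wildcard covering all per-location indices
        "language": "kuery",
        # Source side: events without any IP field can never match, so drop them up front.
        "query": "source.ip:* or destination.ip:*",
        "threat_index": ["filebeat-*"],
        "threat_language": "kuery",
        # Indicator side: only IP indicators written by the threat intel module (assumed field names).
        "threat_query": "event.module:threatintel and threat.indicator.type:ipv4-addr and threat.indicator.ip:*",
        "threat_indicator_path": "threat.indicator",
        # Outer list items are OR-ed; entries inside one item are AND-ed.
        "threat_mapping": [
            {"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]},
            {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]},
        ],
    }


def get_path(doc, dotted):
    """Resolve a dotted ECS field name against a nested dict; None when absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def mapping_matches(rule, event, indicator):
    """Local re-implementation of threat_mapping: any OR-group whose AND-entries all match."""
    return any(
        all(get_path(event, e["field"]) is not None
            and get_path(event, e["field"]) == get_path(indicator, e["value"])
            for e in group["entries"])
        for group in rule["threat_mapping"]
    )


def post_rule(rule, api_key):
    """Create the rule through the Kibana detection engine API (network call, not run in tests)."""
    req = urllib.request.Request(f"{KIBANA_URL}/api/detection_engine/rules", method="POST",
                                 data=json.dumps(rule).encode(),
                                 headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                                          "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample documents (not real indicators or logs).
SAMPLE_INDICATOR = {"event": {"module": "threatintel"},
                    "threat": {"indicator": {"type": "ipv4-addr", "ip": "203.0.113.7"}}}
SAMPLE_EVENT_HIT = {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.7"}}
SAMPLE_EVENT_MISS = {"source": {"ip": "10.0.0.5"}, "destination": {"ip": "198.51.100.9"}}
```

Run `post_rule(build_ip_indicator_rule(["logs-*"]), os.environ["KIBANA_API_KEY"])` to create the rule; separate rules for hash, domain and URL indicators follow the same shape with a different `threat_query` and `threat_mapping`.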

Hi Ece,

My current rule looks like this, using filters since I have read that filters are cheaper than queries, but yeah, I haven't used the indicator index query; maybe I can narrow it down to perform the lookup where the indicator type is IP.
I have separate rules for hash matching, domain and URL matching.
My index pattern has a wildcard because we have separate indexes for separate locations, so instead of adding all of them we are using the wildcard.

Let me update you by updating the query to narrow down.
