- How many IOCs exist in the last 30 days? How many are ip-dst?
69,014 for 30 days. This is only those which have ip-dst.
- How many network events are ingested in a 5 minute window?
2620
- You're adding time clauses to your queries, but there's also an "outer" range for rule execution, as defined by the Schedule: "Rule runs every" and "Additional look-back time" fields. Could you please share that configuration from your rule? A full NDJSON export of the rule would be ideal.
I played a little with the configuration. Now it looks like this:
{"id":"66449ca0-fac4-11ed-8785-31b707a79fa9","updated_at":"2023-05-28T23:22:01.513Z","updated_by":"elastic","created_at":"2023-05-25T06:21:36.657Z","created_by":"elastic","name":"Malicious network activity (MISP)","tags":["MISP"],"interval":"5m","enabled":true,"description":"MISP malicious IP feeds","risk_score":73,"severity":"high","license":"","output_index":".siem-signals-default","meta":{"from":"1m","kibana_siem_app_url":"https://<redacted>:5601/app/security"},"author":[],"false_positives":[],"from":"now-360s","rule_id":"b8b8d859-dda9-4d42-9b30-f0ef56b7d4ba","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":30,"exceptions_list":[],"immutable":false,"type":"threat_match","language":"kuery","index":["winlogbeat-*"],"query":"not winlog.event_data.DestinationIp : 10.* and not winlog.event_data.DestinationIp : 255.255.255.255","filters":[{"$state":{"store":"appState"},"meta":{"negate":false,"alias":null,"index":"185fa530-d435-11ed-9b91-b596ef7bb041","disabled":false,"params":{"query":"Microsoft-Windows-Sysmon"},"type":"phrase","key":"event.provider"},"query":{"match_phrase":{"event.provider":"Microsoft-Windows-Sysmon"}}},{"$state":{"store":"appState"},"meta":{"negate":false,"alias":null,"index":"185fa530-d435-11ed-9b91-b596ef7bb041","disabled":false,"type":"phrase","params":{"query":"3"},"key":"event.code"},"query":{"match_phrase":{"event.code":"3"}}}],"saved_id":"Sysmon Network activity (last 15 minutes)","threat_filters":[],"threat_query":"@timestamp >= now-6h and misp.threat_indicator.type: \"ip-dst\" ","threat_mapping":[{"entries":[{"field":"winlog.event_data.DestinationIp.keyword","type":"mapping","value":"destination.ip"}]}],"threat_language":"kuery","threat_index":["filebeat-*"],"threat_indicator_path":"","throttle":"no_actions","actions":[]}
{"exported_count":1,"missing_rules":[],"missing_rules_count":0}
- Is all of your data on the hot tier?
Yes, I don't use any other types of tiers.
- Is it possible for there to be ip-dst IOCs without a destination.ip? That may be another optimization.
It's impossible. If the event has type = ip-dst, it always has the field destination.ip with data.
- Is there duplication of your IOC data? The IM rule does not deduplicate identical values, so duplicates will waste CPU.
Really, I don't know. It's data from MISP.
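Two of the questions above (the "outer" scheduling window versus the time clauses inside the query, and whether the IOC data contains duplicates the indicator-match rule will re-evaluate) can be checked offline against a rule export. The script below is an added example written for this thread; it is not Elastic, Kibana or MISP code. It uses a trimmed, constructed NDJSON line that keeps only the scheduling and mapping fields shown in the export above, and a handful of constructed indicator documents in the shape the rule's threat_mapping expects (misp.threat_indicator.type plus destination.ip, with RFC 5737 documentation addresses). The field layout of real MISP documents in filebeat-* is an assumption taken from the rule's own threat_query and threat_mapping.

```python
"""Sanity checks for an Elastic threat_match rule export: effective time
windows and duplicate indicators. Constructed example, not Elastic/MISP code."""
import json
import re
from collections import Counter

# Constructed, trimmed NDJSON export carrying the scheduling fields from the
# thread: interval 5m, from now-360s, to now, threat_query bounded by now-6h.
RULE_NDJSON = (
    '{"name":"Malicious network activity (MISP)","interval":"5m",'
    '"from":"now-360s","to":"now","type":"threat_match",'
    '"threat_query":"@timestamp >= now-6h and misp.threat_indicator.type: \\"ip-dst\\" ",'
    '"threat_mapping":[{"entries":[{"field":"winlog.event_data.DestinationIp.keyword",'
    '"type":"mapping","value":"destination.ip"}]}]}\n'
    '{"exported_count":1,"missing_rules":[],"missing_rules_count":0}\n'
)

# Constructed indicator documents (assumed layout: type under misp.threat_indicator,
# value under destination.ip). One value repeats, one has the wrong type, one has no value.
INDICATOR_DOCS = [
    {"misp": {"threat_indicator": {"type": "ip-dst"}}, "destination": {"ip": "198.51.100.7"}},
    {"misp": {"threat_indicator": {"type": "ip-dst"}}, "destination": {"ip": "198.51.100.7"}},
    {"misp": {"threat_indicator": {"type": "ip-dst"}}, "destination": {"ip": "203.0.113.9"}},
    {"misp": {"threat_indicator": {"type": "ip-dst"}}, "destination": {"ip": "198.51.100.7"}},
    {"misp": {"threat_indicator": {"type": "domain"}}, "destination": {"ip": "192.0.2.1"}},
    {"misp": {"threat_indicator": {"type": "ip-dst"}}},
]

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert a Kibana-style duration such as '5m' or '360s' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_relative(expr):
    """Seconds of look-back expressed by 'now-<n><unit>' date math ('now' is 0)."""
    m = re.fullmatch(r"now(?:-(\d+[smhd]))?", expr.strip())
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    return parse_duration(m.group(1)) if m.group(1) else 0


def load_rules(ndjson):
    """Return rule objects from an NDJSON export, skipping the trailing summary line."""
    rules = []
    for line in ndjson.splitlines():
        if line.strip():
            obj = json.loads(line)
            if "exported_count" not in obj:
                rules.append(obj)
    return rules


def effective_windows(rule):
    """Outer window (interval + look-back) versus the inner @timestamp bound in threat_query."""
    interval = parse_duration(rule["interval"])
    lookback = parse_relative(rule["from"]) - parse_relative(rule["to"])
    overlap = max(lookback - interval, 0)  # re-scanned by consecutive runs
    m = re.search(r"@timestamp\s*>=\s*(now-\d+[smhd])", rule.get("threat_query", ""))
    return {
        "interval_s": interval,
        "event_lookback_s": lookback,
        "overlap_s": overlap,
        "indicator_lookback_s": parse_relative(m.group(1)) if m else None,
    }


def get_path(doc, dotted):
    """Resolve a dotted field name against a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def indicator_report(docs, rule, indicator_type="ip-dst"):
    """Count duplicate and value-less indicators for the field the rule maps against."""
    field = rule["threat_mapping"][0]["entries"][0]["value"]
    counts, missing = Counter(), 0
    for d in docs:
        if get_path(d, "misp.threat_indicator.type") != indicator_type:
            continue
        value = get_path(d, field)
        if value is None:
            missing += 1
        else:
            counts[value] += 1
    return {
        "field": field,
        "total": sum(counts.values()),
        "unique": len(counts),
        "duplicates": {v: n for v, n in counts.items() if n > 1},
        "missing_value": missing,
    }


if __name__ == "__main__":
    rule = load_rules(RULE_NDJSON)[0]
    print(effective_windows(rule))
    print(indicator_report(INDICATOR_DOCS, rule))
```

With the values from the export, the rule runs every 300 s but each run scans 360 s of events, so 60 s overlap is re-evaluated on every run, while the indicator side is bounded to the last 6 hours by the threat_query clause. On the constructed indicators the report shows one value that appears three times; against a real filebeat-* index the same counting can be done with a terms aggregation on destination.ip, and any value with a document count above one is work the rule repeats for no extra detection.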