Threat Intel Indicator Rule: Request timed out

Hello folks,

I really like this Threat Intel feature in Elastic Security, but sadly I can't seem to make a single rule related to this work. They always fail: "Request timed out".

I run ELK on an SSD with enough RAM for my setup and CPU always below maximum.

I saw another thread with the same question (closed now) where the general tip was to extend the Schedule time to something like 60 minutes, which I did but with no different result.

I even tried to separate the main Threat Intel rule into different rules for the queried categories: one for file hashes, one for IPs, one for domains and one for registry events. The last one is the only rule of all of them that works without failing, but I only have about 200 registry indicators, so this doesn't surprise me.

I have only about 100k indicators (running for about 8d), so I can't even imagine querying 30 days as I had planned...

Is there anything I can do to make the rules work?
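The split-by-category approach described in the post, plus the longer schedule interval, can be expressed as rule bodies. The following is an added example and is not code from this thread or from Elastic: it generates one `threat_match` rule per indicator category so each run loads only the indicators and events that carry that category's fields. The rule keys (`type`, `threat_index`, `threat_query`, `threat_mapping`, `interval`, `from`) follow the Kibana detection-engine rule schema; the event and indicator field names, index patterns, and the 30-day indicator age are assumptions for a Filebeat threatintel setup and should be adjusted to the real mapping.

```python
"""Generate one Elastic Security indicator-match (threat_match) rule per
indicator category instead of a single rule that scans every category.

Added example, not code from the thread or from Elastic. The rule body
keys follow the Kibana detection-engine rule schema; the field names and
index patterns below are assumptions for a Filebeat threatintel setup.
"""
import json
import re

# Constructed: which event field is compared with which indicator field,
# grouped by category so that each category becomes its own rule.
CATEGORIES = {
    "file-hash": [
        ("file.hash.md5", "threatintel.indicator.file.hash.md5"),
        ("file.hash.sha1", "threatintel.indicator.file.hash.sha1"),
        ("file.hash.sha256", "threatintel.indicator.file.hash.sha256"),
    ],
    "ip": [
        ("source.ip", "threatintel.indicator.ip"),
        ("destination.ip", "threatintel.indicator.ip"),
    ],
    "domain": [
        ("dns.question.name", "threatintel.indicator.domain"),
        ("url.domain", "threatintel.indicator.domain"),
    ],
    "registry": [
        ("registry.path", "threatintel.indicator.registry.path"),
    ],
}

_DURATION = re.compile(r"^(\d+)([smh])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600}


def to_seconds(duration):
    """Parse a Kibana-style duration such as '60m' or '2h' into seconds."""
    m = _DURATION.match(duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1)) * _SECONDS[m.group(2)]


def lookback_from(interval, buffer):
    """Return the rule 'from' value: the interval plus a buffer so that
    consecutive runs overlap and late-indexed events are not missed."""
    return f"now-{to_seconds(interval) + to_seconds(buffer)}s"


def build_rule(category, pairs, interval="60m", buffer="5m", indicator_age="30d",
               index=("logs-*", "winlogbeat-*"), threat_index=("filebeat-*",)):
    """Build one threat_match rule body restricted to a single category.

    Each (event_field, indicator_field) pair becomes its own OR-branch in
    threat_mapping, and both queries are narrowed so that the rule only
    loads documents carrying this category's fields."""
    event_fields = sorted({e for e, _ in pairs})
    indicator_fields = sorted({i for _, i in pairs})
    return {
        "name": f"Threat Intel Indicator Match - {category}",
        "description": f"Indicator match limited to {category} indicators.",
        "type": "threat_match",
        "risk_score": 73,
        "severity": "high",
        "enabled": True,
        "index": list(index),
        "language": "kuery",
        "query": " or ".join(f"{f}:*" for f in event_fields),
        "threat_index": list(threat_index),
        "threat_language": "kuery",
        "threat_query": (
            f'@timestamp >= "now-{indicator_age}" and event.module:threatintel and ('
            + " or ".join(f"{f}:*" for f in indicator_fields) + ")"
        ),
        "threat_mapping": [
            {"entries": [{"field": e, "type": "mapping", "value": i}]}
            for e, i in pairs
        ],
        "interval": interval,
        "from": lookback_from(interval, buffer),
    }


def split_rules(categories=CATEGORIES, **kwargs):
    """One rule per category: fewer indicators and fewer events per run."""
    return [build_rule(c, pairs, **kwargs) for c, pairs in categories.items()]


if __name__ == "__main__":
    # Each body can be sent to the Kibana detection-engine rules API
    # (POST /api/detection_engine/rules), one request per rule.
    for rule in split_rules():
        print(json.dumps(rule))
```

Passing a longer `interval` (for example `"2h"`) widens both the schedule and the computed `from` window together, which keeps the overlap buffer intact rather than leaving a gap between runs.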

Unfortunately this has been a fairly common issue. The rule split was the only thing that worked for me, and it looks like it's only helping a part of your issue.

The Threat Intel module is still very new, I'm hopeful these issues clear up as it matures.

Yeah, I thought there was maybe a solution where you tell Elastic to just not time out for x minutes. I guess the value for when a request officially times out has to be set by someone somewhere. I mean, I am willing to give extra resources to this rule so it takes like 10 minutes for one check, but with the current setting it just won't use them anyway.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.