Hello folks,
I really like this Threat Intel feature in Elastic Security, but sadly I can't seem to make a single rule related to it work. They always fail: "Request timed out".
I run ELK on an SSD with enough RAM for my setup, and CPU is always below maximum.
I saw another thread with the same question (closed now) where the general tip was to extend the Schedule time to something like 60 minutes, which I did, but with no different result.
I even tried to separate the main Threat Intel rule into different rules for the queried categories: one for file hashes, one for IPs, one for domains and one for registry events. The last one is the only rule of all of them that works without failing, but I only have about 200 registry indicators, so this doesn't surprise me.
I only have about 100k indicators (running for about 8 days), so I can't even imagine querying something like 30 days as I planned...
Is there anything I can do to make the rules work?