Threat Intel Rules and Threat Enrichments

I have some questions about the timing of detection rules and their threat enrichments. I am working with the prebuilt rule “Threat Intel IP Address Indicator Match” and I am trying to reduce false positives.

My goal is to create an exception so that alerts are only generated when:

  • threat.enrichments.indicator.description = "ip:port combination that is used for botnet Command&Control (C&C)" and
  • destination.port is identical to threat.enrichments.indicator.port.

Currently, I am unsure about the behavior of enrichment fields:

  • At what stage are threat.enrichments.* fields added to the event?
  • Are they available at rule execution time or only afterward?
  • Can rule exceptions reliably match against enrichment fields such as
    threat.enrichments.indicator.port?

Has anyone implemented a similar port-matching approach to reduce false positives in this rule, or is there a better recommended method?

Any guidance or experience would be appreciated.

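The filter described in the question (alert only when the indicator description is the botnet C&C string and the indicator's port equals destination.port) requires comparing two fields of the same document against each other. The following is an added example, not code from the original post or from Elastic, that implements that decision over alert documents laid out the way an indicator-match alert carries its enrichments: a `threat.enrichments` array whose entries each hold an `indicator` object. The document shape, the `alert_id` key and the sample alerts are all constructed for illustration; the description string is the one quoted in the question.

```python
from typing import Any, Dict, List, Optional

# Description string quoted in the question; only enrichments carrying it count.
CNC_DESCRIPTION = "ip:port combination that is used for botnet Command&Control (C&C)"


def _as_port(value: Any) -> Optional[int]:
    """Normalise a port that may arrive as int or string; None if absent/unparseable."""
    if value is None:
        return None
    try:
        port = int(value)
    except (TypeError, ValueError):
        return None
    return port if 0 <= port <= 65535 else None


def matching_enrichments(alert: Dict[str, Any],
                         description: str = CNC_DESCRIPTION) -> List[Dict[str, Any]]:
    """Return the enrichments that satisfy both conditions from the question:
    indicator.description equals `description` AND indicator.port == destination.port.
    Enrichments with no usable port are treated as non-matching (conservative)."""
    dest_port = _as_port(alert.get("destination", {}).get("port"))
    hits = []
    for enrichment in alert.get("threat", {}).get("enrichments", []):
        indicator = enrichment.get("indicator", {})
        if indicator.get("description") != description:
            continue
        indicator_port = _as_port(indicator.get("port"))
        if dest_port is not None and indicator_port == dest_port:
            hits.append(enrichment)
    return hits


def should_alert(alert: Dict[str, Any]) -> bool:
    """True when at least one enrichment passes the port + description test."""
    return bool(matching_enrichments(alert))


def filter_alerts(alerts: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only the alerts that would survive the exception logic."""
    return [a for a in alerts if should_alert(a)]


# Constructed sample alerts (not real indicators or traffic).
SAMPLE_ALERTS = [
    {   # C&C description and matching port -> should alert
        "alert_id": "a1",
        "destination": {"ip": "203.0.113.10", "port": 4443},
        "threat": {"enrichments": [
            {"indicator": {"ip": "203.0.113.10", "port": "4443",
                           "description": CNC_DESCRIPTION}}]},
    },
    {   # C&C description but the flow went to a different port -> suppress
        "alert_id": "a2",
        "destination": {"ip": "203.0.113.10", "port": 443},
        "threat": {"enrichments": [
            {"indicator": {"ip": "203.0.113.10", "port": 4443,
                           "description": CNC_DESCRIPTION}}]},
    },
    {   # Port matches but the indicator is not the C&C type -> suppress
        "alert_id": "a3",
        "destination": {"ip": "198.51.100.7", "port": 8080},
        "threat": {"enrichments": [
            {"indicator": {"ip": "198.51.100.7", "port": 8080,
                           "description": "scanner"}}]},
    },
    {   # Indicator has no port at all -> suppress, nothing to compare against
        "alert_id": "a4",
        "destination": {"ip": "198.51.100.9", "port": 53},
        "threat": {"enrichments": [
            {"indicator": {"ip": "198.51.100.9",
                           "description": CNC_DESCRIPTION}}]},
    },
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["alert_id"], "ALERT" if should_alert(alert) else "suppressed")
```

The port is normalised before comparison because feeds and ECS documents do not always agree on whether a port is stored as a number or a string; without that step a textual "4443" would silently never equal the integer 4443 and every alert would be suppressed. Running the script over the constructed alerts keeps only `a1`.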

Threat Intelligence rules heavily depend on the threat feed databases you're using, which already provide indicators of compromise to match with any IP address accessed on your network. Associating it with a port can also lead to false positives, as exclusive ports for C&C (Combat & Counter) aren't always used. For example, you could use a C2 (Combat/Center) communicating on port 443, 8010, or 53, or even using the ICMP protocol.

You can use the free threat feeds from the AbuseCH and OTXAlienVault projects, which already have native integration with Elastic Security.

I believe that combining a good threat feed database can improve the effectiveness of your detection, although for detecting malicious activity, it's more beneficial to use rules based on TTPs (Threat to Protocol) or machine learning jobs.