Threat Intel Rules and Threat Enrichments

Threat Intelligence rules depend heavily on the threat feed databases you use, which supply indicators of compromise (for example known-malicious IP addresses) to match against the addresses hosts on your network connect to. Tying the match to a port is unreliable as well: malware does not reserve an exclusive port for command and control (C&C, or C2), so a rule that expects an indicator on a fixed port misses a C2 server talking on 443, 8010, or 53, while a rule keyed on the port alone fires on legitimate traffic and produces false positives. Some implants even beacon over ICMP, where there is no port at all.
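
The difference between matching on the indicator alone and matching on indicator plus port, as an added example that is not code from the original page or from Elastic Security. The threat feed entries, the flow records and the field names (`src`, `dst`, `dport`, `proto`) are all constructed here for illustration; a real pipeline would load indicators from a feed such as abuse.ch or AlienVault OTX and run the same comparison against network events.

```python
"""Indicator matching over flow records: IP-only versus IP+port versus port-only.

Added example (not from the original page or from Elastic Security). The feed,
the flows and the field names are constructed; addresses come from the RFC 5737
documentation ranges.
"""
from ipaddress import ip_address, ip_network

# Constructed indicator set. 'observed_port' is the C2 port the feed saw in one
# campaign; it is a hint, not a guarantee that the operator keeps using it.
THREAT_FEED = {
    "203.0.113.10": {"name": "example-botnet-c2", "observed_port": 4444},
    "198.51.100.7": {"name": "example-loader-c2", "observed_port": None},
}

# Constructed flow records. Five of the six go to a listed C2 address.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 4444, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "203.0.113.10", "dport": 443,  "proto": "tcp"},   # C2 blended into HTTPS
    {"src": "10.0.0.7", "dst": "203.0.113.10", "dport": 53,   "proto": "udp"},   # C2 blended into DNS
    {"src": "10.0.0.8", "dst": "203.0.113.10", "dport": None, "proto": "icmp"},  # ICMP beacon, no port
    {"src": "10.0.0.9", "dst": "198.51.100.7", "dport": 8010, "proto": "tcp"},
    {"src": "10.0.0.9", "dst": "192.0.2.50",   "dport": 4444, "proto": "tcp"},   # benign host on a "C2 port"
]

PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """Feeds occasionally contain RFC 1918 addresses; matching on those turns
    ordinary internal traffic into alerts, so they are excluded."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE)


def match_ip_only(flow, feed=THREAT_FEED):
    """Indicator match: destination address is in the feed, any port or protocol."""
    ioc = feed.get(flow["dst"])
    if ioc is None or is_private(flow["dst"]):
        return None
    return {"rule": "ip_only", "dst": flow["dst"], "threat": ioc["name"],
            "dport": flow["dport"], "proto": flow["proto"]}


def match_ip_and_port(flow, feed=THREAT_FEED):
    """Stricter match: address in the feed AND destination port equal to the
    port the feed observed. C2 on any other port, or over ICMP, is missed."""
    ioc = feed.get(flow["dst"])
    if ioc is None or is_private(flow["dst"]):
        return None
    if ioc["observed_port"] is None or flow["dport"] != ioc["observed_port"]:
        return None
    return {"rule": "ip_and_port", "dst": flow["dst"], "threat": ioc["name"],
            "dport": flow["dport"], "proto": flow["proto"]}


def match_port_only(flow, c2_ports=(4444,)):
    """Port heuristic with no indicator: fires on every connection to a
    'well-known C2 port', benign destinations included."""
    if flow["dport"] in c2_ports:
        return {"rule": "port_only", "dst": flow["dst"], "threat": None,
                "dport": flow["dport"], "proto": flow["proto"]}
    return None


def run(matcher, flows=FLOWS):
    """Apply one matcher to every flow and keep the hits."""
    return [hit for hit in (matcher(f) for f in flows) if hit is not None]


def summarize(flows=FLOWS):
    """Per strategy: total hits, true/false positives, and known-C2 flows missed."""
    c2_dsts = set(THREAT_FEED)
    total_c2 = sum(1 for f in flows if f["dst"] in c2_dsts)
    out = {}
    for name, matcher in (("ip_only", match_ip_only),
                          ("ip_and_port", match_ip_and_port),
                          ("port_only", match_port_only)):
        hits = run(matcher, flows)
        tp = sum(1 for h in hits if h["dst"] in c2_dsts)
        out[name] = {"hits": len(hits), "true_positives": tp,
                     "false_positives": len(hits) - tp, "missed_c2": total_c2 - tp}
    return out


if __name__ == "__main__":
    for rule, stats in summarize().items():
        print(f"{rule:12s} {stats}")
```

On the constructed flows the indicator-only rule catches all five C2 connections (including the ICMP beacon) with no false positive; requiring the feed's observed port drops four of them, and the port-only heuristic both misses four and alerts on the benign host. The RFC 1918 filter is the kind of hygiene check worth keeping in front of any feed-driven rule.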

You can use the free threat feeds from the abuse.ch and AlienVault OTX projects, both of which have native integrations with Elastic Security.

I believe that combining a good threat feed database with your detection rules improves coverage, but for detecting malicious activity it is more effective to rely on rules based on TTPs (tactics, techniques, and procedures) or on machine learning jobs.