You should post you threatintel.yml configuration.
Also you should verify if you activate it with
filebeat modules enable threatintel
And double check in die module.d/ directory if the filename of treatintel.yml is without .disabled
Finally you could activate the SIEM Build in Rule "Threat Intel Filebeat Module Indicator Match" this correlates the data you ingest for example via Filebeat with the blocklists and alert if there's a match.