The most valuable information in a Threat Intelligence alert is the description (the context of an indicator). We checked today for the presence of the matched IOC description inside the alert (Kibana 7.16.3) and it is absent. It is also impossible to understand which IOC (document[s]) and which feed[s] triggered the alert. This makes IOC pivoting impossible and is a big disappointment with the Threat Intelligence rules feature. If your developers worked as SOC analysts, they would understand this pain. Second point. There is no possibility of custom cleaning of the feeds (for example removing the IP 127.0.0.1); exceptions are not the right way to do this. Third point. There is no de-duplication at all. So if five feeds contain the same IP, the query will be 5 times heavier. I know this point is not so easy to implement, but it is possible anyway.
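As an added example (not code from the video, from Elastic, or from the commenter above), the following Python pre-ingestion step does the cleaning and de-duplication the comment asks for before indicators reach a detection rule: it drops loopback, RFC1918/ULA, link-local and malformed entries, merges duplicates across feeds, and keeps per-feed provenance and descriptions so an alert built from the result can name which feed(s) and which context matched. The feed names and indicator values are constructed sample data; the fetching of feeds is assumed to have already happened.

```python
"""Pre-ingestion cleaning and de-duplication of threat-intel feeds.

Added example, not code from the video, Elastic or the commenter. It assumes
feeds have already been fetched as lists of (indicator, description) pairs;
the feed names and indicators below are constructed sample data.
"""
import ipaddress

# Constructed sample feeds: feed name -> list of (indicator, description).
SAMPLE_FEEDS = {
    "feed_a": [
        ("203.0.113.10", "mass scanner"),
        ("127.0.0.1", "placeholder row the feed forgot to strip"),
        ("198.51.100.7", "C2 callback"),
    ],
    "feed_b": [
        ("203.0.113.10", "SSH brute force"),
        ("10.0.0.5", "RFC1918, meaningless outside the source network"),
        ("203.0.113.10", "repeated inside the same feed"),
        ("not-an-ip", "malformed entry"),
    ],
    "feed_c": [
        ("198.51.100.7 ", "trailing whitespace, same C2 as feed_a"),
        ("2001:db8::1", "IPv6 indicator"),
        ("fe80::1", "link-local, noise"),
    ],
}

# Address ranges that never identify an external actor, so an indicator match
# on them is pure false-positive load on the detection rule.
NOISE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_noise(addr):
    """True for loopback, RFC1918/ULA, link-local, multicast or unspecified addresses."""
    if addr.is_multicast or addr.is_unspecified:
        return True
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    return any(addr in net for net in NOISE_NETWORKS)


def clean_feeds(feeds):
    """Merge feeds into one indicator -> context map, dropping noise and duplicates.

    Returns (indicators, dropped). `indicators` maps the canonical IP string to
    {"feeds": [...], "descriptions": [...], "hits": n}, so an alert built from
    it can state which feed(s) and which description(s) matched (IOC pivoting).
    `dropped` lists (feed, raw_value, reason) tuples for audit.
    """
    indicators = {}
    dropped = []
    for feed_name, rows in feeds.items():
        for raw, description in rows:
            try:
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                dropped.append((feed_name, raw, "not an IP address"))
                continue
            if is_noise(addr):
                dropped.append((feed_name, raw, "noise range"))
                continue
            key = str(addr)  # canonical form, e.g. "2001:db8::1", no whitespace
            entry = indicators.setdefault(
                key, {"feeds": [], "descriptions": [], "hits": 0})
            entry["hits"] += 1  # how many raw rows collapsed into this indicator
            if feed_name not in entry["feeds"]:
                entry["feeds"].append(feed_name)
            if description not in entry["descriptions"]:
                entry["descriptions"].append(description)
    return indicators, dropped


def unique_indicator_count(feeds):
    """Number of distinct, non-noise indicators the merged feeds contain."""
    return len(clean_feeds(feeds)[0])


if __name__ == "__main__":
    merged, rejected = clean_feeds(SAMPLE_FEEDS)
    for ip, ctx in merged.items():
        print(ip, ctx["feeds"], ctx["descriptions"], ctx["hits"])
    for item in rejected:
        print("dropped:", item)
```

Run it on the sample feeds and the three feeds' nine IP rows collapse to three distinct indicators, each carrying the list of feeds and descriptions that contributed it; that merged map is what should be indexed for the indicator-match rule, rather than the raw feeds, so one IP costs one term in the query no matter how many feeds list it.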
@MsTarguisti 2 years ago
Hello from Morocco, appreciated!
@hamzaidris4822 3 years ago
Hi, if someone has bought a paid threat intelligence feed, how can we ingest TI from those sources?
@jameskin61 3 years ago
Why, when I tried to map the Cisco ASA index with filebeat-*, did it not work as expected? Everything failed!