Indicator match rules

Overview

Indicator match rules continuously compare field values in your security event indices against field values in threat indicator indices. When a match is found, an alert is generated, enriched with metadata from the matched indicator. This makes indicator match rules the primary mechanism for operationalizing threat intelligence feeds within Elastic Security.

When to use an indicator match rule

Indicator match rules are the right fit when:

You maintain an index of known threat indicators (IP addresses, domains, file hashes, URLs) and want to detect when any of them appear in your event data.
You need to compare fields across two separate indices (source events and threat intelligence).
You want alerts automatically enriched with indicator metadata, such as threat type, confidence, and source feed.

Indicator match rules are not the best fit when:

You are matching against values within the same index. Use a custom query rule instead.
You need to detect event sequences or ordering. Use an EQL rule instead.
Your indicators are in a flat file rather than an Elasticsearch index. First upload them as a value list or import them through the Machine Learning Data Visualizer.

Data requirements

Indicator match rules require:

Source event indices containing the security events you want to scan.
Indicator indices containing threat intelligence data. Data in these indices must be ECS compatible and must contain a @timestamp field.

Writing effective indicator match rules

Designing threat mappings

Threat mappings define which fields to compare between your source events and indicator indices. Good mappings are:

Specific: Use the most specific fields available when mapping. For example, map destination.ip to threat.indicator.ip rather than a generic text field.
Combined with AND: Join multiple mapping entries to increase precision. Requiring both source.ip and destination.port to match narrows results to truly relevant hits.
Scoped with DOES NOT MATCH: After defining matching conditions, add DOES NOT MATCH entries to exclude known-safe values. At least one MATCHES entry is required.

Indicator index query

The default indicator index query @timestamp > "now-30d/d" limits matches to indicators ingested in the past 30 days. Adjust this window based on your threat intelligence freshness requirements:

Shorter window (7-14 days): Reduces stale matches but may miss long-lived indicators.
Longer window (60-90 days): Catches more indicators but increases the volume of matches and rule execution time.

Using value lists as indicator indices

You can use value lists as the indicator index. This is useful when you have a flat list of indicators (IPs, domains, hashes) that you want to match against without creating a full indicator index:

Upload a value list of indicators.
In the Indicator index patterns field, enter .items-<{{kib}} space> (the hidden index where value lists are stored).
In the Indicator index query field, enter list_id : <your-list-name>.
In Indicator mapping, set the Indicator index field to the list type (keyword, text, or IP).

Best practices

Keep indicator indices current. Stale indicators generate false positives and waste analyst time.
Use the Indicator prefix override advanced setting if your indicator data uses a non-standard field structure (default is threat.indicator).
Create Timeline templates before building indicator match rules. When investigating alerts in Timeline, query values are automatically replaced with corresponding alert field values.

Tip

See it in practice. These prebuilt rules use indicator matching:

Threat Intel Indicator Match: The foundational indicator match rule that compares source events against threat intelligence indices across multiple field types (IP, domain, hash).
Threat Intel Hash Indicator Match: A focused variant matching file hashes (file.hash.sha256, file.hash.md5) against indicator indices for malware detection.

Indicator match field reference

The following settings are specific to indicator match rules. For settings shared across all rule types, refer to Rule settings reference.

Source

The index patterns or data view that store your source event documents. Prepopulated with indices from the default Elastic Security indices advanced setting.

Custom query

The query and filters used to retrieve source event documents. Field values in matching documents are compared against indicator values according to the threat mapping. Defaults to *:* (all documents).

Indicator index patterns

The index patterns that store threat indicator documents. Prepopulated with indices from the securitySolution:defaultThreatIndex advanced setting.

Indicator index query

The query used to retrieve indicator documents. Defaults to @timestamp > "now-30d/d", which searches for indicators ingested in the past 30 days.

Indicator mapping

Threat mapping conditions that compare values in source event fields with values in indicator fields. Configure:

Field: A field from your source event indices.
MATCHES / DOES NOT MATCH: Whether the values should match or not match. At least one MATCHES entry is required.
Indicator index field: A field from your threat indicator index.

Multiple mapping entries can be combined with AND and OR clauses. Only single-value fields are supported.

Suppress alerts (optional)

Reduce repeated or duplicate alerts. For details, refer to Alert suppression.

Required fields (optional)

An informational list of fields the rule needs to function. This does not affect rule execution.

Related integrations (optional)

Associate the rule with one or more Elastic integrations to indicate data dependencies and allow users to verify each integration's installation status.