Troubleshoot indicators of compromise
If indicator data is not appearing in the Indicators table after you installed a threat intelligence integration:
- Verify that the index storing indicator documents is included in the default Elastic Security indices (securitySolution:defaultIndex). The index storing indicator documents will differ based on the way you’re collecting indicator data:
  - Elastic Agent integrations - logs_ti*
  - Filebeat integrations - filebeat-*
- Ensure the indicator data you’re ingesting is mapped to Elastic Common Schema (ECS).
Note
These troubleshooting steps also apply to the Threat Intelligence view.
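
The two checks above can be run offline against values copied out of a deployment. The following is an added example, not code from Elastic: the index names, the pattern list and the sample document are constructed, and the ECS fields it tests (event.category, event.type, threat.indicator.type) are this example's assumption about what an ECS-mapped indicator carries, since the page does not list them.

```python
import re

# Constructed sample: patterns in securitySolution:defaultIndex, with logs_ti* absent.
DEFAULT_INDEX = ["auditbeat-*", "filebeat-*", "winlogbeat-*"]
# Constructed index names, one per collection method named on the page.
INDICES = ["logs_ti_example-default", "filebeat-8.0.0-2024.01.01"]
# Assumption: ECS fields an indicator document should carry (not listed on the page).
ECS_EXPECTED = {"event.category": "threat", "event.type": "indicator"}
ECS_PRESENT = ["threat.indicator.type"]
# Constructed document that keeps the indicator type in a vendor field, not in ECS.
SAMPLE_DOC = {"event": {"category": ["threat"], "type": "indicator"},
              "vendor": {"ioc_type": "domain"}}

def matches(pattern, index):
    """Index-pattern match where '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def uncovered(indices, default_index):
    """Return the indices that no pattern in securitySolution:defaultIndex matches."""
    return [i for i in indices if not any(matches(p, i) for p in default_index)]

def flatten(doc, prefix=""):
    """Turn a nested JSON document into dotted ECS-style field names."""
    out = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out

def ecs_problems(doc):
    """List expected ECS fields that are missing or hold a different value."""
    flat = flatten(doc)
    problems = []
    for field, want in ECS_EXPECTED.items():
        got = flat.get(field)
        values = got if isinstance(got, list) else [got]  # ECS allows arrays here
        if want not in values:
            problems.append(f"{field} != {want}")
    return problems + [f"{f} missing" for f in ECS_PRESENT if f not in flat]

if __name__ == "__main__":
    print("not covered by defaultIndex:", uncovered(INDICES, DEFAULT_INDEX))
    print("ECS problems in sample document:", ecs_problems(SAMPLE_DOC))
```
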