
Deprecated - Threat Intel Indicator Match

Elastic Detection Rules

Summary
This rule triggers an alert when a local observation (for example, endpoint event data such as a file hash) matches an indicator supplied by a Threat Intelligence integration. It compares several indicator kinds, including file hashes, IP addresses, URLs, and registry paths, against indicator data collected in the last thirty days. Because the rule is deprecated, users are encouraged to migrate to the alternative indicator-based rules described in the setup guide. The rule populates enriched fields with details of the matched indicator, which supports an effective investigation workflow. Investigators should validate each finding, weigh the context of the match, and evaluate false positives carefully, since legitimate tools can also trigger alerts. Appropriate responses include isolating the affected host or process and confirming that mitigations took effect so that further incidents are prevented.
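As an added illustration, not the rule's own query or any Elastic code, here is a Python sketch of the matching logic the summary describes: indicators are restricted to the thirty-day window, compared case-insensitively against the event field each indicator type corresponds to, and every hit is enriched with details from the matched indicator. The field names, indicator records and endpoint events are assumed, constructed sample data.

```python
from datetime import datetime, timedelta, timezone

INDICATOR_WINDOW = timedelta(days=30)  # the rule's thirty-day lookback
# Assumed mapping of indicator type -> local event field it is compared against.
MATCH_FIELDS = {"file_hash": "file.hash.sha256", "ip": "destination.ip",
                "url": "url.full", "registry_path": "registry.path"}

def match_indicators(events, indicators, now):
    """Return one enriched record per event/indicator pair with equal values.
    Indicators first seen more than INDICATOR_WINDOW before `now` are skipped;
    comparison is case-insensitive so hash or path casing cannot hide a match."""
    cutoff = now - INDICATOR_WINDOW
    index = {}  # (type, normalized value) -> indicators, for O(1) lookups
    for ind in indicators:
        if ind["first_seen"] >= cutoff:
            index.setdefault((ind["type"], ind["value"].lower()), []).append(ind)
    matches = []
    for ev in events:
        for ind_type, field in MATCH_FIELDS.items():
            value = ev.get(field)
            if value is None:
                continue
            for ind in index.get((ind_type, str(value).lower()), []):
                matches.append({
                    "event_id": ev["id"], "matched_field": field, "matched_value": value,
                    # enrichment carried over from the indicator for the analyst
                    "indicator.type": ind["type"],
                    "indicator.provider": ind["provider"],
                    "indicator.first_seen": ind["first_seen"].isoformat(),
                })
    return matches

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_INDICATORS = [  # constructed values, not real indicators
    {"type": "file_hash", "value": "AA" * 32, "provider": "feed-a",
     "first_seen": NOW - timedelta(days=3)},
    {"type": "ip", "value": "203.0.113.7", "provider": "feed-b",
     "first_seen": NOW - timedelta(days=45)},  # stale: outside the window
    {"type": "registry_path", "value": r"HKLM\Software\Example\Run",
     "provider": "feed-a", "first_seen": NOW - timedelta(days=10)},
]
SAMPLE_EVENTS = [  # constructed endpoint events
    {"id": 1, "file.hash.sha256": "aa" * 32},
    {"id": 2, "destination.ip": "203.0.113.7"},
    {"id": 3, "registry.path": r"hklm\software\example\run"},
    {"id": 4, "url.full": "https://example.test/benign"},
]

def run_demo():
    return match_indicators(SAMPLE_EVENTS, SAMPLE_INDICATORS, NOW)
```

The stale IP indicator produces no alert even though the event value is identical, which is the behaviour an analyst should expect from the thirty-day window when reviewing apparent misses.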
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • File
  • Network Traffic
  • Process
  • Internet Scan
Created: 2021-04-21