
Summary
This rule detects matches between local observations (such as file hashes or IP addresses) and indicators from the Threat Intel Filebeat module (v8.x). It draws on data from several indices, including auditbeat, endgame, and packetbeat, and correlates events from the last 30 days against threat intelligence indicators. Matches carried a critical risk score (99), but the rule has been deprecated since version 8.8 of the Elastic Stack for performance reasons, and users are encouraged to transition to the newer indicator-based rules for ongoing threat detection. This document includes detailed triage and analysis guidelines for investigating matches, potential false positive scenarios, and recommended response actions.
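To make the matching logic concrete, here is an added example (not the Elastic rule's own query or code) that joins constructed local events against constructed threat-intel indicators, restricted to the 30-day window the summary describes, and tags each hit with the rule's risk score of 99. The ECS-style field names (`file.hash.sha256`, `source.ip`, `destination.ip`, `threat.indicator.*`), the field pairings, and all sample values are assumptions made for illustration; the hash and IP below are placeholders, not real indicators.

```python
"""Added example: toy indicator match between local observations and
threat-intel indicators. Not the Elastic rule's own implementation.
Field names follow ECS conventions (assumption); the 30-day window and
the risk score of 99 follow the rule summary."""
from datetime import datetime, timedelta, timezone

# Constructed indicators (placeholders, not real IoCs); ECS-style keys assumed.
INDICATORS = [
    {"threat.indicator.type": "file",
     "threat.indicator.file.hash.sha256": "a" * 64,
     "threat.indicator.provider": "example-feed"},
    {"threat.indicator.type": "ipv4-addr",
     "threat.indicator.ip": "203.0.113.10",       # TEST-NET-3 documentation range
     "threat.indicator.provider": "example-feed"},
]

# Which local field is compared against which indicator field (assumption).
MATCH_FIELDS = [
    ("file.hash.sha256", "threat.indicator.file.hash.sha256"),
    ("source.ip", "threat.indicator.ip"),
    ("destination.ip", "threat.indicator.ip"),
]

WINDOW = timedelta(days=30)   # look-back the rule summary describes
RISK_SCORE = 99               # risk score the rule assigned to matches

# Constructed local events from the index sources the summary names.
EVENTS = [
    {"@timestamp": "2024-05-01T12:00:00+00:00", "event.dataset": "auditbeat",
     "file.hash.sha256": "a" * 64},                                  # hash match
    {"@timestamp": "2024-05-02T12:00:00+00:00", "event.dataset": "packetbeat",
     "destination.ip": "203.0.113.10"},                              # IP match
    {"@timestamp": "2024-01-01T12:00:00+00:00", "event.dataset": "packetbeat",
     "destination.ip": "203.0.113.10"},                              # too old
    {"@timestamp": "2024-05-03T12:00:00+00:00", "event.dataset": "endgame",
     "file.hash.sha256": "b" * 64},                                  # no match
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def build_index(indicators):
    """Map indicator field -> {value: indicator} so each lookup is O(1)."""
    index = {}
    for ind in indicators:
        for _, ind_field in MATCH_FIELDS:
            value = ind.get(ind_field)
            if value is not None:
                index.setdefault(ind_field, {})[value] = ind
    return index


def match_events(events, indicators, now):
    """Return one alert per (event, field) pair whose value equals an indicator,
    considering only events inside the look-back window."""
    index = build_index(indicators)
    cutoff = now - WINDOW
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ts < cutoff:
            continue  # outside the window: the rule would not evaluate it
        for local_field, ind_field in MATCH_FIELDS:
            value = ev.get(local_field)
            if value is None:
                continue
            hit = index.get(ind_field, {}).get(value)
            if hit is not None:
                alerts.append({
                    "event": ev,
                    "matched_field": local_field,
                    "indicator": hit,
                    "risk_score": RISK_SCORE,
                })
    return alerts


def run_example():
    """Run the match over the constructed data; used for the demonstration below."""
    return match_events(EVENTS, INDICATORS, NOW)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["event"]["event.dataset"], alert["matched_field"],
              alert["indicator"]["threat.indicator.provider"], alert["risk_score"])
```

Two of the four constructed events produce alerts: the hash from the auditbeat event and the destination IP from the recent packetbeat event. The older packetbeat event carries the same IP but falls outside the 30-day window, which is the kind of detail worth checking during triage when a known indicator appears to go unmatched; the endgame event matches nothing. Every alert keeps a reference to the indicator that fired, including its provider, since the feed an indicator came from is usually the first thing an analyst needs when weighing a possible false positive.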
Categories
- Network
- Endpoint
- Cloud
- Windows
Data Sources
- File
- Network Traffic
- Application Log
Created: 2021-11-24