elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] Threat Intel Hash Indicator Matches Empty Hash Fields #2954

Closed MakoWish closed 1 year ago

MakoWish commented 1 year ago

Describe the bug
Quite a lot of Threat Intel indicators contain empty fields for the hashes. This is causing false positives for events that do not contain the field.

Expected behavior
Rule should not match events to indicators with empty indicator fields.

Screenshots hash_match_empty

Additional context

In the following threat intel document from MalwareBazaar, the field threat.indicator.file.pe.imphash is empty, and this is causing an incredible number of false-positive matches.

{
    "input": {
      "type": "httpjson"
    },
    "agent": {
      "name": "Redacted",
      "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259",
      "type": "filebeat",
      "ephemeral_id": "e58cd5a2-1d47-4b89-b490-c1e13b364d7f",
      "version": "8.8.1"
    },
    "@timestamp": "2023-06-22T07:35:41.076Z",
    "ecs": {
      "version": "8.8.0"
    },
    "related": {
      "hash": [
        "B9DAFC265A8BFEAA7EB30A2BA415310235381E48",
        "8E45F8B7642FA964FE628039040D5D77A7D3F177687A6969ECD000C83826EA4C94E3F6B615A5091DA0CDBFE86D183CCE",
        "7CC8EF889A24D8BE46158ED9525EDB3EFE4B872709EDFE4C565FB562271969EE",
        "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E",
        "24576:JILK2NYDAYN0O6PUCD65X8HVLTFBQICQT/UC/FVWG/X5YIEYBF1KMXMWLKRA:",
        "67274E089D17FCBDB0A31877D7155622",
        ""
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "ti_abusech.malwarebazaar"
    },
    "abusech": {
      "malwarebazaar": {
        "intelligence": {
          "downloads": 109,
          "uploads": 1
        },
        "tags": [
          "exe"
        ],
        "anonymous": 0,
        "code_sign": []
      }
    },
    "elastic_agent": {
      "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259",
      "version": "8.8.1",
      "snapshot": false
    },
    "threat": {
      "indicator": {
        "geo": {
          "country_iso_code": "NL"
        },
        "first_seen": "2023-06-22T07:31:33.000Z",
        "file": {
          "extension": "exe",
          "size": 2740224,
          "mime_type": "application/x-dosexec",
          "pe": {
            "imphash": ""
          },
          "name": "67274e089d17fcbdb0a31877d7155622.exe",
          "hash": {
            "sha1": "b9dafc265a8bfeaa7eb30a2ba415310235381e48",
            "sha384": "8e45f8b7642fa964fe628039040d5d77a7d3f177687a6969ecd000c83826ea4c94e3f6b615a5091da0cdbfe86d183cce",
            "sha256": "7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee",
            "tlsh": "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E",
            "ssdeep": "24576:jIlK2NYDaYn0o6PuCD65x8HvLtFBqicQT/UC/FVWg/X5YIEYBF1kmXmWLKRa:",
            "md5": "67274e089d17fcbdb0a31877d7155622"
          },
          "elf": {}
        },
        "provider": "abuse_ch",
        "type": "file"
      },
      "software": {}
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2023-06-22T07:35:43Z",
      "created": "2023-06-22T07:35:41.076Z",
      "kind": "enrichment",
      "category": "threat",
      "type": "indicator",
      "dataset": "ti_abusech.malwarebazaar"
    },
    "tags": [
      "forwarded",
      "abusech-malwarebazaar"
    ]
}
MakoWish commented 1 year ago

I have been trying to exclude these indicator documents with the query, and I cannot seem to exclude empty strings. Querying threat.indicator.file.pe.imphash:* does include fields with empty strings (the problem here), but I also tried and not threat.indicator.file.pe.imphash:'' to no avail. Thinking more about this, it may need to be an update to the ingest pipeline for the TI integrations to remove the empty fields during ingest.

Thoughts?
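Added example, not code from elastic/detection-rules or from the reporter: a small Python model of the two things discussed in this issue. `prune_empty` does what an ingest-pipeline fix would do (drop empty-string values, the empty `related.hash` entry, and the empty objects left behind such as `pe`, `elf` and `software`), and `indicator_matches` is an assumed, simplified matcher that compares a fixed list of event/indicator field pairs by plain equality; the real indicator match rule's query semantics are not modelled. The indicator document is a cut-down copy of the MalwareBazaar document above, and the two event documents are constructed for this example.

```python
"""Model of the empty-indicator-field false positive and the ingest-side fix.

Added example (not project code). Field names follow ECS as used in the issue
(threat.indicator.file.pe.imphash, related.hash, ...). The matcher below is an
assumed simplification: plain equality over fixed field pairs.
"""

# Cut-down copy of the MalwareBazaar indicator from the issue (constructed subset).
INDICATOR_DOC = {
    "related": {
        "hash": [
            "B9DAFC265A8BFEAA7EB30A2BA415310235381E48",
            "67274E089D17FCBDB0A31877D7155622",
            "",  # the empty imphash also leaks into related.hash
        ]
    },
    "threat": {
        "indicator": {
            "file": {
                "pe": {"imphash": ""},  # empty value that causes the matches
                "hash": {
                    "sha1": "b9dafc265a8bfeaa7eb30a2ba415310235381e48",
                    "md5": "67274e089d17fcbdb0a31877d7155622",
                },
                "elf": {},
            },
            "provider": "abuse_ch",
            "type": "file",
        },
        "software": {},
    },
}

# Assumed field pairs a rule might compare: (event field, indicator field).
MATCH_FIELDS = [
    ("file.pe.imphash", "threat.indicator.file.pe.imphash"),
    ("file.hash.md5", "threat.indicator.file.hash.md5"),
    ("file.hash.sha1", "threat.indicator.file.hash.sha1"),
]

# Constructed events: a benign PE with no import hash recorded (empty string),
# and a file whose MD5 is the indicator's MD5.
EVENT_EMPTY_IMPHASH = {
    "file": {
        "name": "setup.exe",
        "pe": {"imphash": ""},
        "hash": {"md5": "d41d8cd98f00b204e9800998ecf8427e"},
    }
}
EVENT_REAL_HIT = {
    "file": {"name": "x.exe", "hash": {"md5": "67274e089d17fcbdb0a31877d7155622"}}
}

EMPTY = ("", None, {}, [])


def prune_empty(value):
    """Recursively drop empty strings, None, and empty lists/objects.

    Mirrors what a remove-empty-fields step in the TI integration's ingest
    pipeline would do: after pruning, the indicator simply has no imphash
    field, so nothing can equal it.
    """
    if isinstance(value, dict):
        cleaned = {k: prune_empty(v) for k, v in value.items()}
        return {k: v for k, v in cleaned.items() if v not in EMPTY}
    if isinstance(value, list):
        cleaned = [prune_empty(v) for v in value]
        return [v for v in cleaned if v not in EMPTY]
    return value


def get_path(doc, dotted):
    """Resolve a dotted ECS path; None when any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def indicator_matches(event, indicator, fields=MATCH_FIELDS):
    """Return the (event_field, indicator_field) pairs whose values are equal.

    Naive on purpose: an empty string on both sides counts as a match, which
    is the false-positive behaviour the issue describes.
    """
    hits = []
    for ev_field, ind_field in fields:
        ev_val, ind_val = get_path(event, ev_field), get_path(indicator, ind_field)
        if ev_val is not None and ind_val is not None and ev_val == ind_val:
            hits.append((ev_field, ind_field))
    return hits


if __name__ == "__main__":
    print("raw indicator:   ", indicator_matches(EVENT_EMPTY_IMPHASH, INDICATOR_DOC))
    cleaned = prune_empty(INDICATOR_DOC)
    print("pruned indicator:", indicator_matches(EVENT_EMPTY_IMPHASH, cleaned))
    print("real hit:        ", indicator_matches(EVENT_REAL_HIT, cleaned))
```

Running it shows the benign event matching the raw indicator on `file.pe.imphash` only, no match once the indicator is pruned, and the MD5 hit still firing. In Elasticsearch the same pruning belongs in the integration's ingest pipeline (a `remove` or `script` processor), which is the direction the second comment suggests; it also keeps the empty string out of `related.hash`, where it would otherwise be available to any other rule keying on that field.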