Hello,
Thank you for your answer. Regarding the details:
1) Version 4.12.0-1
2)
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>
  <list>etc/lists/badnets</list>
  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <decoder_exclude>ruleset/decoders/0085-dovecot_decoders.xml</decoder_exclude>
  <!--<decoder_exclude>ruleset/decoders/0140-kernel_decoders.xml</decoder_exclude>-->
</ruleset>
3) It's not a rule or group I made; there are a lot of predefined rules within that group, such as the dovecot rules, for instance.
4) Within the check_value= , I tried matching in different ways, like just "abuseipdb-s100-1d" or with an anchor at the beginning like "^abuseipdb-s100-1d", but to no avail.
Yes, I closed the quotation marks, but missed them when pasting the rule here and editing out an extra group that could be sensitive.