I went over the docs on GitHub, so it looks like you installed the plugin, then restart the Graylog service.
The pipeline rule is something like this?
rule "alien vault"
when has_field("src_addr")
then
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // let intel = otx_lookup_domain(to_string($message.dns_question))
end
Add a second pipeline step that adds the field threat_indicated:true
rule "inflate threat intel results"
when to_bool($message.src_threat_indicated) || to_bool($message.dst_threat_indicated)
then set_field("threat_indicated", true);
end
I would suggest that before making the pipeline rule, you have the correct fields generated to ensure the pipeline rule/s will work.
For something like this, perhaps use one pipeline with two different stages.
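The one-pipeline, two-stage layout suggested above, written out as an added example that is not part of the original post or the plugin's own documentation. The pipeline name is hypothetical, the `otx_threat_indicated` result key is assumed from the plugin README, and in Graylog each rule and the pipeline are saved as separate sources.

```graylog
// Stage 0 rule: look up the source address and store the verdict on the
// message, so the field that the second rule tests actually exists.
rule "alien vault"
when
  has_field("src_addr")
then
  let intel = otx_lookup_ip(to_string($message.src_addr));
  // Assumption: the lookup result exposes otx_threat_indicated.
  set_field("src_threat_indicated", intel.otx_threat_indicated);
end

// Stage 1 rule: reads the field written in stage 0. to_bool() returns
// false for a missing field, so dst_threat_indicated is harmless when no
// destination lookup rule has set it.
rule "inflate threat intel results"
when
  to_bool($message.src_threat_indicated) || to_bool($message.dst_threat_indicated)
then
  set_field("threat_indicated", true);
end

// Pipeline source (hypothetical name). The second rule depends on a field
// the first rule writes, so it sits in a later stage; "match either" lets
// messages without src_addr still continue to stage 1.
pipeline "threat intel"
stage 0 match either
  rule "alien vault";
stage 1 match either
  rule "inflate threat intel results";
end
```

Searching for `threat_indicated:true` after sending a test message confirms both stages ran and the fields were generated as expected.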