Create a new pipeline for Threat Intel

MickGraylog1 · July 5, 2022, 3:52pm

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
Hello,

I’ve created a new extractor to have a new field name as src_ip. So when I go through the streams, I see my new field, and everything seems fine.

I created the pipeline like the example.

github.com

Graylog2/graylog-plugin-threatintel/blob/master/README.md

# Threat Intelligence Plugin for Graylog

[![Github Downloads](https://img.shields.io/github/downloads/Graylog2/graylog-plugin-threatintel/total.svg)](https://github.com/Graylog2/graylog-plugin-threatintel/releases)
[![GitHub Release](https://img.shields.io/github/release/Graylog2/graylog-plugin-threatintel.svg)](https://github.com/Graylog2/graylog-plugin-threatintel/releases)
[![Build Status](https://travis-ci.org/Graylog2/graylog-plugin-threatintel.svg?branch=master)](https://travis-ci.org/Graylog2/graylog-plugin-threatintel)

**Required Graylog version:** 2.4.0

**This Plugin use external sources to enrich your data - read the documentation before you run this in production**

This plugin adds [Processing Pipeline](http://docs.graylog.org/en/latest/pages/pipelines.html) functions to enrich log messages with threat intelligence data.

## Supported data feeds

* [AlienVault Open Threat Exchange (OTX)](https://otx.alienvault.com/) (One API call per lookup but cached)
  * IP addresses
  * Hostnames
* Tor exit nodes (You'll need at least Java 8 (u101) to make this work. More information below.)
  * IP addresses
* [Spamhaus DROP/EDROP lists](https://www.spamhaus.org/drop/)

This file has been truncated. show original

I do not see the additional field and I do not see anything in the log file [ server.log]

2. Describe your environment:

OS Information:

Linux RedHat

Package Version:

I’m on the latest version of Graylog; 4.3.2-1

gsmith · July 5, 2022, 10:03pm

Hello && Welcome @MickGraylog1

Did you enable the plugin? System–> Content Packs show show if its installed.
Can you show the pipeline that was created?

MickGraylog1 · July 6, 2022, 12:39am

Hello!
I’m so sorry, that was a simple solution: Processor first was the Pipeline and not the Message filter.

I Couldn’t extract the field I want to put into my rule.

Thank you again!

system · July 20, 2022, 12:39am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trying to get the Open Threat Exchange - Threat intel plugin working on a Graylog Graylog Central (peer support) pipeline-rules	10	1339	June 25, 2021
Pipelines for create new fields Graylog Central (peer support) pipeline-rules	4	213	July 18, 2024
Threat Intel Setup Graylog Central (peer support)	6	902	June 6, 2022
Not able to understand Threat Intelligence plugin Graylog Central (peer support) pipeline-rules	4	2330	May 16, 2018
Threat Intelligence Plugin Help Graylog Central (peer support) pipeline-rules	2	811	May 27, 2021

Create a new pipeline for Threat Intel

Related topics