Hi, I am using Graylog 6.0.1 with OpenSearch. I am trying to pull an additional field that was created by a pipeline into my email; however, it is not coming through.
--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}
Type: ${event_definition_type}
--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
Key: ${event.key}
Priority: ${event.priority}
Alert: ${event.alert}
Timestamp Processing: ${event.timestamp_processing}
Timerange Start: ${event.timerange_start}
Timerange End: ${event.timerange_end}
Fields:
${foreach event.fields field} ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
DST IP: ${message.fields.dst_ip} DST Port: ${message.fields.dest_port}
SOURCE IP: ${message.fields.src_ip} SOURCE Port: ${message.fields.src_port}
Interface: ${message.fields.PF_Interface}
REASON: ${message.fields.PF_Tracker_human}
Source Country: ${message.fields.src_ip_country_code}
Source City: ${message.fields.src_ip_city_name}
AbuseIPDB score: ${message.fields.abuseConfidenceScore}
${end}
${end}
All of it works except the abuseConfidenceScore. The main difference is that the other fields come from extractors, whereas the abuseConfidenceScore is set via a pipeline.
My Message Processors are:
Pipeline rule:
rule "AbuseIPDB Lookup"
when
    has_field("Snort_source_IP")
then
    let abuseipdb = lookup("AbuseIPDB_Lookup", to_string($message.Snort_source_IP));
    set_field("abuseConfidenceScore", abuseipdb["abuseConfidenceScore"]);
end
I'm not sure what I have wrong here. Could anyone point me in the right direction?
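A diagnostic variant of the same rule, added here as an example and not taken from the original post: it writes the raw lookup result to the Graylog server log with debug() so you can confirm whether the lookup table actually returns an abuseConfidenceScore key for the IP, and it forces the value to a number. The table name, key name and field names are the ones from the post; the -1 fallback for a missing value is an assumption.

```graylog
rule "AbuseIPDB Lookup (debug)"
when
    has_field("Snort_source_IP")
then
    let ip = to_string($message.Snort_source_IP);
    let abuseipdb = lookup("AbuseIPDB_Lookup", ip);

    // Both lines land in the Graylog server log (INFO level) each time the rule fires,
    // so a lookup that returns nothing, or a key with a different spelling, is visible.
    debug(concat("AbuseIPDB lookup for ", ip));
    debug(abuseipdb);

    // Store the score as a long so the field has a consistent type in OpenSearch;
    // -1 is a constructed sentinel meaning "lookup returned no score".
    set_field("abuseConfidenceScore", to_long(abuseipdb["abuseConfidenceScore"], -1));
end
```

Remove the debug() calls once the field is confirmed, since they log for every matching message.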