I have enabled threat intel plugin and setup OTX API key.
I have created rule for Global/combined threat feed lookup however, i only see threat_indicate field and no other fields like whois info etc.
Will those fields show up if threat_indicated is true?
Here is my rule
rule “OTX Lookup”
has_field(“EventID”) AND (to_string($message.EventID) == “4625”)
let src_addr_intel = threat_intel_lookup_ip(to_string($message.IpAddress), “IpAddress”);