Greylog Threat Intel Plugin Missing fields


(Nav) #1

Hi folks,

I have enabled threat intel plugin and setup OTX API key.

I have created rule for Global/combined threat feed lookup however, i only see threat_indicate field and no other fields like whois info etc.

Will those fields show up if threat_indicated is true?
Here is my rule
rule “OTX Lookup”
when
has_field(“EventID”) AND (to_string($message.EventID) == “4625”)
then
let src_addr_intel = threat_intel_lookup_ip(to_string($message.IpAddress), “IpAddress”);
set_fields(src_addr_intel);
end


(Jochen) #2

(Nav) #3

So i replace the threat intel plugin with the latest build. correct?


(Jochen) #4

No, you’ll have to wait for Graylog 2.4.4 or 3.0.0 which will include the fix.


(Nav) #5

Thanks for clarification.


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.