Graylog Threat Intel Plugin Missing fields

Hi folks,

I have enabled the threat intel plugin and set up an OTX API key.

I have created a rule for the Global/combined threat feed lookup; however, I only see the threat_indicated field and no other fields like whois info etc.

Will those fields show up if threat_indicated is true?

Here is my rule:

```
rule "OTX Lookup"
when
  has_field("EventID") AND (to_string($message.EventID) == "4625")
then
  // Look up the source address against the threat intel feeds; returned fields are prefixed with "IpAddress"
  let src_addr_intel = threat_intel_lookup_ip(to_string($message.IpAddress), "IpAddress");
  set_fields(src_addr_intel);
end
```

https://github.com/Graylog2/graylog-plugin-threatintel/pull/99

So I replace the threat intel plugin with the latest build, correct?

No, you’ll have to wait for Graylog 2.4.4 or 3.0.0 which will include the fix.

Thanks for clarification.
