Greylog Threat Intel Plugin Missing fields

v_2nas · March 19, 2018, 4:30am

Hi folks,

I have enabled threat intel plugin and setup OTX API key.

I have created rule for Global/combined threat feed lookup however, i only see threat_indicate field and no other fields like whois info etc.

github.com

Graylog2/graylog-plugin-threatintel/blob/master/README.md

# Threat Intelligence Plugin for Graylog

[![Github Downloads](https://img.shields.io/github/downloads/Graylog2/graylog-plugin-threatintel/total.svg)](https://github.com/Graylog2/graylog-plugin-threatintel/releases)
[![GitHub Release](https://img.shields.io/github/release/Graylog2/graylog-plugin-threatintel.svg)](https://github.com/Graylog2/graylog-plugin-threatintel/releases)
[![Build Status](https://travis-ci.org/Graylog2/graylog-plugin-threatintel.svg?branch=master)](https://travis-ci.org/Graylog2/graylog-plugin-threatintel)

**Required Graylog version:** 2.4.0

**This Plugin use external sources to enrich your data - read the documentation before you run this in production**

This plugin adds [Processing Pipeline](http://docs.graylog.org/en/latest/pages/pipelines.html) functions to enrich log messages with threat intelligence data.

## Supported data feeds

* [AlienVault Open Threat Exchange (OTX)](https://otx.alienvault.com/) (One API call per lookup but cached)
  * IP addresses
  * Hostnames
* Tor exit nodes (You'll need at least Java 8 (u101) to make this work. More information below.)
  * IP addresses
* [Spamhaus DROP/EDROP lists](https://www.spamhaus.org/drop/)

This file has been truncated. show original

Will those fields show up if threat_indicated is true?
Here is my rule
rule “OTX Lookup”
when
has_field(“EventID”) AND (to_string($message.EventID) == “4625”)
then
let src_addr_intel = threat_intel_lookup_ip(to_string($message.IpAddress), “IpAddress”);
set_fields(src_addr_intel);
end

jochen · March 19, 2018, 7:38am

https://github.com/Graylog2/graylog-plugin-threatintel/pull/99

v_2nas · March 19, 2018, 8:11am

So i replace the threat intel plugin with the latest build. correct?

jochen · March 19, 2018, 8:54am

No, you’ll have to wait for Graylog 2.4.4 or 3.0.0 which will include the fix.

v_2nas · March 19, 2018, 9:08am

Thanks for clarification.

system · April 2, 2018, 9:08am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OTX threat fields empty in v2.4.4 Graylog Central (peer support)	5	615	June 8, 2018
Trying to get the Open Threat Exchange - Threat intel plugin working on a Graylog Graylog Central (peer support) pipeline-rules	10	1312	June 25, 2021
Alienvault OTX Missing - Threat Intel Plugin - Graylog 2.4.4 Graylog Central (peer support)	7	2844	May 22, 2018
Graylog Threat Intel Plugin Results - Stuck in Tail cave Graylog Central (peer support) pipeline-rules	6	1718	June 29, 2020
Threat Plugin output issues Graylog Central (peer support)	1	467	March 29, 2018

Greylog Threat Intel Plugin Missing fields

Related topics