Integrating Alienvault OTX into Graylog Issues

Hello everyone,

Is there anyone here who is integrating Alienvault OTX into Graylog and using the associated rules?

I am currently at the point where I am enriching the log files with the following fields:

set_field(“threat_indicated”, intel.otx_threat_indicated);

set_field(“threat_ids”, intel.otx_threat_ids);

set_field(“threat_names”, intel.otx_threat_names);

However, I only see the field threat_indicated and not the IDs or names. The field threat_indicated shows as false. Does this mean that if it’s false, the IDs and names are not displayed? Or should the fields threat_ids and threat_names be displayed even if they are empty?

Additionally, I found the following error code in the server.log file:

2024-06-11T13:09:55.954+02:00 WARN [OTXDataAdapter] OTX IPv4 request for key <169.x.x.x> failed: Response{protocol=http/1.1, code=400, message=Bad Request, url=https://otx.alienvault.com//api/v1/indicators/IPv4/169.x.x.x/general}

if i go to the link with the IP Adress given in the server.log file i just get this:
{
“detail”: “IP is private.”
}

Does this error code correlate with the missing fields? How can I fix this issue? Does anyone have the error code 400 bad request error too?

Graylog Version:
Graylog 6.0.2

I Would appreciate it, if someone could help me please
Thank you very much in advance !

Hello @roaringkitty

If threat_indicated is false then nothing will be populated and those fields will not be generated, this is expected behaviour.

As for the 400 error, it seems you are attempting to lookup an ip from the reserved/private range. The error linked explicitly tells you this.

This rule should only be applied to public IP ranges apart from that you don’t appear to have any issues.

Hello @Wine_Merchant

I understand thank you very much

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.