I've set up a pipeline; it's running but can't enrich data. Warning: [GreyNoise Community IP Lookup] requires a non-null API Token

I have set up a pipeline with this rule; the cache is showing data, but I can't see enriched data in my logs:
rule "GreyNoise Lookup on data_srcip"
when
    has_field("data_srcip")
then
    let ldata = lookup(
        lookup_table: "greynoise",
        key: to_string($message.data_srcip)
    );
    set_fields(
        fields: ldata,
        prefix: "greynoise_"
    );
end

Did you configure an API token in the GreyNoise data adapter?

Yes I have, and I can see messages.

Then you’ll just need to go through the statements one by one, since the rule is obviously being executed. Use debug() or create fields with intermediate results to validate expected results.
You could also use the simulator to run through a test message.

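One way to follow that advice, as an added example (not code from the original thread): the original rule with a debug() call and an intermediate field that records whether the lookup table returned anything, using the table name "greynoise" and field "data_srcip" from the post above.

```graylog
rule "GreyNoise Lookup on data_srcip (debug)"
when
    has_field("data_srcip")
then
    let ip = to_string($message.data_srcip);
    let ldata = lookup(
        lookup_table: "greynoise",
        key: ip
    );

    // Print the raw lookup result to the Graylog server log, so an empty or
    // null reply from the data adapter is visible without touching the message.
    debug(concat("greynoise lookup for ", concat(ip, concat(": ", to_string(ldata)))));

    // Record an intermediate result on the message itself: if this field is
    // true, the rule ran and the lookup returned nothing, so the problem is in
    // the lookup table / data adapter rather than in set_fields().
    set_field(field: "greynoise_lookup_empty", value: is_null(ldata));

    set_fields(
        fields: ldata,
        prefix: "greynoise_"
    );
end
```

Run a test message through the pipeline simulator and check for `greynoise_lookup_empty` alongside the `greynoise_*` fields; the debug() output appears in the server log, not on the message.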

I have GreyNoise working OK on my setup. Here is my pipeline rule:

rule "GreyNoise Lookup: SrcIP"
when
    has_field("SrcIP") && 
    is_ip(to_ip($message.SrcIP)) &&
    !grok_exists("%{IPV6:$message.SrcIP}") &&
    !in_private_net(to_string($message.SrcIP)) &&
    //Do not look up my public IP
    !contains(to_string($message.SrcIP),"X.X.X.X") &&
    !cidr_match("169.254.0.0/16",to_ip($message.SrcIP)) 
then
    let ldata = lookup(
        lookup_table: "GreyNoise",
        key: to_string($message.SrcIP)
    );
    set_fields(
        fields: ldata,
        prefix: "greynoise_"
    );
end

Thanks for the reply. I don't know why my set_fields is not enriching my logs.
