I installed Graylog 2.4.3 version in ubuntu and I am started understanding how the threat intelligence plugin works. I read the documentation and this plugin add the pipeline function to enrich the log messages with threat intelligence data.
As I wanted to see how this plugin identifies the threat data, so for that I have pushed some sample IIS logs to graylog using collector-sidecar.
Below is the rule I have created for the pipeline,
rule "Threat_Intelligence_Lookups" when has_field("SourceAddress") then let src_addr_threatintel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress"); set_fields(src_addr_threatintel); end
Also I have the read the above blog where it mentioned
The lookup will be performed on those messages that contain the fields “domain”, “src_addr”, or “dst_addr”. For each message that matches, a new field will be added to the message, “X_threat_indicated”. (X represents the name of the field we compared against)
Yes after the message got routed to the pipeline I can able to see new field is added to the message
But here I am not understand I haven’t added any lookup for the messages then how the
threat_intel_lookup_ip will able to identify the threat data and also in the documentation I couldn’t find the related informations.
Below is the screenshot reference for lookup,
It would be very helpful if someone share your thoughts on this.