Just upgraded to Graylog 2.4.4 to get the new "Threat Intel Plugin". When I run the otx_lookup_ip function, I sometimes receive an otx_threat_indicated:true returned, but the ids and names fields are blank. Is there something else I need to do after upgrading to fix this?
My pipeline rule code:
let otx_intel = otx_lookup_ip(to_string($message.client_ip));
set_field("OTX_Intel", otx_intel);
Sample returned info:
OTX_Intel
{"otx_threat_indicated":true,"otx_threat_ids":"","otx_threat_names":""}
My running version:
Graylog 2.4.4+4659dbe (Oracle Corporation 1.8.0_171 on Linux 3.10.0-862.3.2.el7.x86_64)
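An added example (not code from the original post or from the Graylog project) of how the same lookup can be split into separate fields so that hits with empty id/name detail are findable later instead of buried inside one map field. It assumes a message field named client_ip as in the post, uses the dot access on the lookup map that the threat intel plugin's README shows, and relies on a second rule in a later pipeline stage because the rule language has no if/else inside a then block.

```text
// Stage 0: run the OTX lookup and copy each part of the result into its own field.
rule "OTX IP lookup (split fields)"
when
  has_field("client_ip")                                   // assumed field name from the post
then
  let intel = otx_lookup_ip(to_string($message.client_ip));

  // Keep the verdict as a real boolean so searches like otx_threat_indicated:true work.
  set_field("otx_threat_indicated", to_bool(intel.otx_threat_indicated));

  // Store the detail as strings; these are the values that came back empty in the post.
  set_field("otx_threat_ids",   to_string(intel.otx_threat_ids));
  set_field("otx_threat_names", to_string(intel.otx_threat_names));
end

// Stage 1: flag the case the post describes (threat indicated, but no ids/names),
// so the gap can be reviewed or routed to a stream without changing the verdict.
rule "OTX hit without detail"
when
  has_field("otx_threat_indicated") &&
  to_bool($message.otx_threat_indicated) == true &&
  to_string($message.otx_threat_ids) == ""
then
  set_field("otx_detail_missing", true);                   // hypothetical marker field
end
```

The second rule must sit in a later stage than the first, since a stage only sees fields written by earlier stages. With the marker in place, a search on otx_detail_missing:true shows how often the empty-detail result occurs, which is useful evidence when deciding whether the plugin or the OTX data is the cause.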