OTX threat fields empty in v2.4.4


(Steve Applegate) #1

Just upgraded to Graylog 2.4.4 to get the new “Threat Intel Plugin”. When I run the otx_lookup_ip function, I sometimes receive an otx_threat_indicated:true returned, but the ids and names fields are blank. Is there something else I need to do after upgrading to fix this?

My pipeline rule code:
let otx_intel = otx_lookup_ip(to_string($message.client_ip));
set_field("OTX_Intel", otx_intel);

Sample returned info:
OTX_Intel
{"otx_threat_indicated":true,"otx_threat_ids":"","otx_threat_names":""}

My running version:
Graylog 2.4.4+4659dbe (Oracle Corporation 1.8.0_171 on Linux 3.10.0-862.3.2.el7.x86_64)


(Jochen) #2

Which exact version of the Threat Intel Plugin are you using?


(Steve Applegate) #3

From /usr/share/graylog-server/plugin/ directory:
4574712 May 2 09:41 graylog-plugin-threatintel-2.4.4.jar


(Jochen) #4

Which version is shown on the System / Nodes / Details page?


(Steve Applegate) #5

Details page shows v2.4.4

The problem is resolved now. I changed the rules code to look like this, and it’s working:

let otx_intel = otx_lookup_ip(to_string($message.client_ip));
set_fields(otx_intel);
