OTX threat fields empty in v2.4.4

sapplega · May 24, 2018, 5:25pm

Just upgraded to Graylog 2.4.4 to get the new “Threat Intel Plugin”. When I run the otx_lookup_ip function, I sometimes receive a otx_threat_indicated:true returned, but the ids and names fields are blank. Is there something else I need to do after upgrading to fix this?

My pipeline rule code:
let otx_intel = otx_lookup_ip(to_string($message.client_ip));
set_field(“OTX_Intel”, otx_intel);

Sample returned info:
OTX_Intel
{“otx_threat_indicated”:true,“otx_threat_ids”:"",“otx_threat_names”:""}

My running version:
Graylog 2.4.4+4659dbe (Oracle Corporation 1.8.0_171 on Linux 3.10.0-862.3.2.el7.x86_64)

jochen · May 24, 2018, 5:32pm

Which exact version of the Threat Intel Plugin are you using?
https://github.com/Graylog2/graylog-plugin-threatintel/pull/99

sapplega · May 24, 2018, 6:33pm

From /usr/share/graylog-server/plugin/ directory:
4574712 May 2 09:41 graylog-plugin-threatintel-2.4.4.jar

jochen · May 25, 2018, 6:43am

Which version is shown on the System / Nodes / Details page?

sapplega · May 25, 2018, 11:57am

Details page shows v2.4.4

The problem is resolved now. I changed the rules code to look like this, and it’s working:

let otx_intel = otx_lookup_ip(to_string($message.client_ip));
set_fields(otx_intel);

system · June 8, 2018, 11:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Greylog Threat Intel Plugin Missing fields Graylog Central (peer support)	5	1282	April 2, 2018
Threat Plugin output issues Graylog Central (peer support)	1	467	March 29, 2018
Trying to get the Open Threat Exchange - Threat intel plugin working on a Graylog Graylog Central (peer support) pipeline-rules	10	1312	June 25, 2021
Graylog Threat Intel Plugin Results - Stuck in Tail cave Graylog Central (peer support) pipeline-rules	6	1717	June 29, 2020
OTX Threat Intel pegs Process Buffer Graylog Central (peer support)	2	403	June 3, 2019

OTX threat fields empty in v2.4.4

Related Topics