Using Bro/Zeek to send traffic logs via FileBeat.
JSON decoder applied to input so that message breaks down to fields.
Message Processor configured as follows:
The stream shows message fields as expected:
And a couple of pipeline rules configured and linked to the stream to apply threat intelligence lookup on the field “id_resp_h” shown above (the destination IP of the connection):
```
rule "Threat Intelligence Lookups: id_resp_h"
// (rule body not included in the post)

rule "OTX Lookup: id_resp_h"
when
  has_field("id_resp_h")
then
  let intel = otx_lookup_ip(to_string($message.id_resp_h));
  set_field("threat_indicated", intel.otx_threat_indicated);
end
```
The problem I’m facing is that I see no matches for these rules:
And as a consequence the threat intel plugin doesn’t trigger.
Any ideas please?
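An added example (not from the original post or from Graylog) that models what the rule above does so the `has_field` condition can be checked offline: it parses constructed Zeek conn.log JSON lines, flattens Zeek's dotted keys (`id.resp_h`) to the underscore form the stream displays (`id_resp_h`), and enriches each record from a constructed local indicator set that stands in for `otx_lookup_ip`. Running it with and without the key flattening shows how a rule whose `when` clause names `id_resp_h` matches nothing when the decoded field is still called `id.resp_h`. The indicator list, sample records and the `lookup_ip` stub are assumptions made for the example.

```python
import json
from ipaddress import ip_address

# Constructed sample: two Zeek conn.log records as JSON lines (not from the original post).
SAMPLE_CONN_LOG = """\
{"ts":1591000000.1,"uid":"CAB1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"198.51.100.23","id.resp_p":443,"proto":"tcp"}
{"ts":1591000001.2,"uid":"CAB2","id.orig_h":"10.0.0.7","id.orig_p":51001,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp"}
"""

# Constructed local indicator set standing in for the OTX lookup (assumption for this example).
INDICATORS = {"198.51.100.23": ["example-indicator-1"]}


def flatten_zeek_keys(record):
    """Rename Zeek's dotted keys (id.resp_h) to the underscore form (id_resp_h)."""
    return {key.replace(".", "_"): value for key, value in record.items()}


def has_field(msg, name):
    """Equivalent of the pipeline function has_field(): present and not null."""
    return name in msg and msg[name] is not None


def lookup_ip(ip):
    """Stand-in for otx_lookup_ip(): returns a map in the same shape as the plugin result."""
    hits = INDICATORS.get(ip, [])
    return {"otx_threat_indicated": bool(hits), "otx_threat_names": hits}


def apply_rule(msg):
    """Mirror of the posted rule: when has_field("id_resp_h") then enrich from the lookup.

    Returns (message, matched). matched is False when the when-clause did not fire
    or the field value is not an IP address.
    """
    if not has_field(msg, "id_resp_h"):
        return msg, False
    value = str(msg["id_resp_h"])
    try:
        ip_address(value)  # only IPv4/IPv6 literals are sent to the lookup
    except ValueError:
        return msg, False
    intel = lookup_ip(value)
    enriched = dict(msg)
    enriched["threat_indicated"] = intel["otx_threat_indicated"]
    enriched["threat_names"] = intel["otx_threat_names"]
    return enriched, True


def process(lines, flatten=True):
    """Decode each JSON line, optionally flatten keys, apply the rule; returns [(message, matched)]."""
    results = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if flatten:
            record = flatten_zeek_keys(record)
        results.append(apply_rule(record))
    return results


if __name__ == "__main__":
    for flatten in (True, False):
        print(f"flatten={flatten}")
        for message, matched in process(SAMPLE_CONN_LOG, flatten=flatten):
            dest = message.get("id_resp_h", message.get("id.resp_h"))
            print(f"  {dest}: matched={matched} threat_indicated={message.get('threat_indicated')}")
```

With flattening on, both records match the rule and the first is flagged; with flattening off, the same records carry `id.resp_h` instead, `has_field("id_resp_h")` is false for every message and nothing is enriched, which is the same symptom as a rule showing zero matches.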