Hey All
I’m trying to get the Open Threat Exchange - Threat intel plugin working on a graylog instance in my lab. I have installed the Content pack and added a pipeline to a Squid Proxy stream to try to get some basic threat analysis on the field “_server_ip” … but it will not add fields to the stream. Below is my pipeline rule …
rule "Spamhaus Lookup"
when
    has_field("_server_ip")
then
    // look up the server IP against OTX; the lookup returns a map of otx_* fields
    let intel = otx_lookup_ip(to_string($message._server_ip));
    // copy the lookup results onto the message
    set_field("threat_indicated", intel.otx_threat_indicated);
    set_field("threat_ids", intel.otx_threat_ids);
    set_field("threat_names", intel.otx_threat_names);
end
The simulator works ok and looks up the IP but it will not enter anything in the stream.
Can anyone help.
Cheers
Steve