I’m trying to get the Open Threat Exchange - Threat intel plugin working on a Graylog instance in my lab. I have installed the Content pack and added a pipeline to a Squid Proxy stream to try to get some basic threat analysis on the field “_server_ip” … but it will not add fields to the stream. Below is my pipeline rule …
rule "Spamhaus Lookup"
when
  // only run the lookup when the message actually carries the field
  has_field("_server_ip")
then
  // otx_lookup_ip returns a map of otx_* fields for the address
  let intel = otx_lookup_ip(to_string($message._server_ip));
  // a `let` binding alone writes nothing to the message; set_fields stores the map
  set_fields(intel);
end
The simulator works ok and looks up the IP but it will not enter anything in the stream.
Can anyone help?