I started testing the threat plugin and using OTX to get the feeds. But when I checked the output, I am only seeing one field, whereas in the pipeline I am processing three fields.
Pipeline rule is here:
```
rule "OTXTestLookup"
when
  has_field("src_ip")
then
  let intel = otx_lookup_ip(to_string($message.src_ip));
  set_field("threat_indicated", intel.otx_threat_indicated);
  set_field("threat_ids", intel.otx_threat_ids);
  set_field("threat_names", intel.otx_threat_names);
end
```
In the output I am able to see "threat_indicated: false or true". I am not seeing "threat_ids" and "threat_names". Is there anything I am missing here? Please let me know. Thanks.
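A variant of the rule that makes it easier to tell why a field is absent, added here as an example and not part of the original post. It assumes only what the rule above already uses (`otx_lookup_ip` returning a map with the keys `otx_threat_indicated`, `otx_threat_ids` and `otx_threat_names`) plus the built-in `is_not_null` function; the field names `otx_lookup_ran` and `otx_ids_present` are made up for the example. Setting a marker field unconditionally, and the list fields only when the lookup returned a value, separates "the rule never ran" from "the lookup returned nothing for this address".

```text
rule "OTXTestLookup-debug"
when
  has_field("src_ip")
then
  let intel = otx_lookup_ip(to_string($message.src_ip));

  // Marker field (example name): proves the rule executed for this message.
  set_field("otx_lookup_ran", true);
  set_field("threat_indicated", intel.otx_threat_indicated);

  // Only copy the list fields when the lookup actually returned them,
  // and record whether they were present so absence is visible in the output.
  set_field("otx_ids_present", is_not_null(intel.otx_threat_ids));
  if (is_not_null(intel.otx_threat_ids)) {
    set_field("threat_ids", intel.otx_threat_ids);
  }
  if (is_not_null(intel.otx_threat_names)) {
    set_field("threat_names", intel.otx_threat_names);
  }
end
```

Run this against a message whose `src_ip` you expect to be listed in OTX and one you expect to be clean, then compare `otx_lookup_ran`, `otx_ids_present` and `threat_indicated` in the two results; that tells you whether the missing fields are a rule-execution problem or simply empty lookup data for that address.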