Trying to get the Open Threat Exchange - Threat intel plugin working on a Graylog

Hey All
I’m trying to get the Open Threat Exchange - Threat intel plugin working on a graylog instance in my lab. I have installed the Content pack and added a a pipeline to a Squid Proxy stream to try to get some basic threat analysis on the field “_server_ip” … but it will not add fields to the stream. Below is my pipeline rule …


rule “Spamhaus Lookup”
when
has_field("_server_ip")
then
let intel = otx_lookup_ip(to_string($message._server_ip));
set_field(“threat_indicated”, intel.otx_threat_indicated);
set_field(“threat_ids”, intel.otx_threat_ids);
set_field(“threat_names”, intel.otx_threat_names);
end


The simulator works ok and looks up the IP but it will not enter anything in the stream.
Can anyone help.
Cheers
Steve

Hello, Stevewaha,

I noticed your post has not received a response. Your question is important to the community. After setting up the rules, did you add them to a pipeline stage?

Here’s the documentation. Please let me know if this helps.

Hey @stevewaha,

This is pretty much a guess, but since your pipeline logic looks correct the only thing I can think of is this:

Elasticsearch reserves field names beginning with _ for internal use. So, the leading underscore for “_server_ip” will be stripped. I’ve never tested this myself so I don’t know, but it’s possible Graylog is sanitizing the field name before the logic executes and so the field name you’re actually looking for will be “server_ip”.

Just an idea.

2 Likes

Thank you, @ttsandrew for stepping up to the plate for a fellow Graylogger! Your contribution is much appreciated in the community!