Validating Threat Intelligence in v3.2.4

Hi everyone,

I configured the threat intelligence following the guide below:


Q1: I can see extra fields are added as expected, but can everyone suggest a way for me to validate it is working properly?

Q2: I assume the v3.x version require no further configuration beyond those listed in the links above. If I am not wrong, do the intelligence sources update automatically? Or how can I check which sources they are using now?

Graylog Version: 3.2.4
Installed via Ubuntu package

I also followed the same article. I am running graylog v3.1 however. All IPs are returning threat_indicated “false” when I know some of these should be returning as true.

It’s interesting because I really can’t find any documentation on the threat intelligence plugin in the actual documentation. Instead there are these random links with instructions. I am wondering if this is geared more towards enterprise users only?

I’m definitely beginning to think this article is missing some critical instructions. In my logs I am seeing:

[LookupTableService] Lookup table does not exist

It makes sense actually. I remember setting this up thinking “how can this work without a lookup table”? I’ve previously setup the geoip MaxMind database before and I should have known this does not work without a lookup table. I think that is our problem @bbfunde

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.