[IntelMQ-dev] regarding IEP03

Sebastian Wagner wagner at cert.at
Thu Apr 22 11:59:43 CEST 2021


Hi Aaron & list,

On 4/22/21 11:48 AM, L. Aaron Kaplan wrote:
> If we have multiple values, instead of doing the n x m complexity explosion, we link different events (JSON rows) together via UUIDs; this gives us what we need:
>
>   * UUIDs help with deduplication! That's important when linking IntelMQ instances!
>   * lower complexity / keep the KISS principle
>   * consumers can ignore the UUID-linking if it's not relevant for them (e.g. enrichment processes/bots)
>   * we can still represent linked events.
>
> I would like to add one little but important thing for the UUID linking idea: add a "link-type".
>
> Examples for link-types:
>   * parent-child event
>   * grouping types (all of these events belong to the same report)
> etc.
>
> With this triplet information, we are close to RDF (left-side, type, right-side) and thus we can (future-proof) represent any type of relation.
>
> A list of valid types needs to be documented in the IDF format page of course.

Thanks for the input. I think this is very similar to IEP04 (which we
presented as alternative to IEP03), so I propose to discuss this under
the IEP04-topic.

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Commercial register number 172568b, Regional Court Salzburg
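As an added illustration of the idea in Aaron's mail (this is example code written for this page, not IntelMQ code and not part of either mail), the block below contrasts the n x m expansion with UUID-linked events plus typed links. The field name "event_id", the link-type vocabulary and the JSON-rows layout are assumptions for the example; IEP03/IEP04 define none of them here. It also shows the two properties the mail claims: deduplication of events merged from several instances by UUID, and a consumer that can ignore the links entirely.

```python
"""Linked events with typed UUID links (illustrative example, not IntelMQ code)."""
import json
import uuid
from itertools import product

# Hypothetical, documented link-type vocabulary; the mail asks for such a
# list but does not define one. Unknown types are rejected by make_link().
LINK_TYPES = frozenset({"parent-child", "same-report"})


def make_event(**fields):
    """A minimal event: one JSON row identified by a UUID ("event_id" is assumed)."""
    event = {"event_id": str(uuid.uuid4())}
    event.update(fields)
    return event


def make_link(left, link_type, right):
    """RDF-like triplet (left-side, type, right-side) between two events."""
    if link_type not in LINK_TYPES:
        raise ValueError(f"undocumented link type: {link_type!r}")
    return (left["event_id"], link_type, right["event_id"])


def flat_events(sources, destinations):
    """Naive representation: one event per (source, destination) pair, n x m rows."""
    return [make_event(source=s, destination=d)
            for s, d in product(sources, destinations)]


def linked_events(sources, destinations, report_name):
    """Linked representation: 1 + n + m events and n + m typed links.

    The report becomes a grouping event; every value becomes its own row,
    linked to the report as a child. Grouping ("same report") is then
    answered by following the links instead of duplicating data."""
    report = make_event(report=report_name)
    events, links = [report], []
    for field, values in (("source", sources), ("destination", destinations)):
        for value in values:
            child = make_event(**{field: value})
            events.append(child)
            links.append(make_link(report, "parent-child", child))
    return events, links


def children_of(links, parent_id):
    """Resolve a grouping: all event ids linked as children of parent_id."""
    return [right for left, link_type, right in links
            if left == parent_id and link_type == "parent-child"]


def merge(*event_batches):
    """Deduplicate events received from several instances by UUID.

    Works on events alone: a consumer that does not care about links
    never has to look at them."""
    merged = {}
    for batch in event_batches:
        for event in batch:
            merged.setdefault(event["event_id"], event)
    return list(merged.values())


def to_jsonl(events):
    """Serialise events as JSON rows, one per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    srcs = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    dsts = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    flat = flat_events(srcs, dsts)
    events, links = linked_events(srcs, dsts, "report-1")
    print(f"flat rows: {len(flat)}, linked rows: {len(events)}, links: {len(links)}")
    print(to_jsonl(events[:2]))
    print("deduplicated:", len(merge(events, events)))
```

Running it prints 12 flat rows against 8 linked rows with 7 links; merging the same batch twice yields 8 events, which is the deduplication the mail attributes to UUIDs.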

