[IntelMQ-dev] IEP04: The choice of the UUID-format
Chris Horsley
chris.horsley at csirtfoundry.com
Wed Sep 8 07:13:39 CEST 2021
On 8/09/2021 1:34 am, Sebastian Wagner wrote:
>> But don't we need to have a timestamp in the meta-data ?
>> I mean something like this;
>>
>> {
>> "format": "intelmq",
>> "version": 1,
>> "type": "event",
>> "meta": {
>> "intelmq:uuid": "<event-uuid-1>",
>> "intelmq:uuid_org": "<org-uuid-1>",
>> "intelmq:timestamp": "<creation time of this message>", <== here
>> :
> Every IntelMQ message should already have a /time.source/ field in the
> payload, so I'm not sure if it's necessary to have it in the metadata
> as well explicitly. And that overlaps with the next topic:

Not specifically for IntelMQ, but I tend to break an event message into
at least three timestamps (but possibly more depending on event type):

* actual occurrence time of reported security event (time.source as I'd understand it)
* event package original creation time (the suggested meta.intelmq:timestamp here, which I'd possibly rename to meta.intelmq:creation_timestamp or similar)
* event package system ingestion time (time.observation?)

Best regards,
Chris
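
Added example, not part of the original message or of IntelMQ's code: a Python sketch of an ingestion step that keeps the three timestamps from the list above separate. The `payload` envelope key, the `intelmq:creation_timestamp` name (the rename suggested above), the function names and the ordering check are assumptions of this example.

```python
from datetime import datetime, timezone

# Assumed names: "payload" as the envelope key and the renamed meta field.
CREATED = "intelmq:creation_timestamp"


def parse_ts(value):
    """Parse ISO 8601; reject naive values so comparisons are unambiguous."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {value!r}")
    return ts.astimezone(timezone.utc)


def ingest(message, now):
    """Stamp the ingestion time and return (message, anomalies).

    The event's occurrence time and the producer's creation time are never
    overwritten; only time.observation is set, and only if it is missing.
    """
    payload = message["payload"]
    payload.setdefault("time.observation", now.isoformat())
    occurred = parse_ts(payload["time.source"])
    created = parse_ts(message["meta"][CREATED])
    observed = parse_ts(payload["time.observation"])

    # Assumed sanity rule: occurrence <= creation <= ingestion.
    # A violation usually points at clock skew or a rewritten field.
    anomalies = []
    if occurred > created:
        anomalies.append("event occurred after its package was created")
    if created > observed:
        anomalies.append("package created after it was ingested")
    return message, anomalies


# Constructed sample message, not taken from the thread.
SAMPLE = {
    "format": "intelmq", "version": 1, "type": "event",
    "meta": {"intelmq:uuid": "<event-uuid-1>",
             CREATED: "2021-09-07T22:05:00+00:00"},
    "payload": {"time.source": "2021-09-07T21:58:12+00:00"},
}

if __name__ == "__main__":
    now = datetime(2021, 9, 8, 5, 13, 39, tzinfo=timezone.utc)
    print(ingest(SAMPLE, now))
```
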