[IntelMQ-dev] Shadowserver parser: Bad mapping for malware events
elsif
elsif at shadowserver.org
Tue Jan 30 16:38:20 CET 2024
Hello,
The schema has been updated based on your feedback:
* The 'malware.name' is now mapped to 'infection' for the
event4_microsoft_sinkhole, event4_microsoft_sinkhole_http,
event6_sinkhole, event6_sinkhole_http, event6_sinkhole_http_referer,
event_sinkhole, event_sinkole_dns, event_sinkhole_http, and
event_sinkhole_http_referer reports.
* The 'classification.identifier' is now mapped to 'infection' for the
event4_microsoft_sinkhole_http, event6_sinkhole_http,
event6_sinkhole_http_referer, event_sinkhole_http, and
event_sinkhole_http_referer reports.
* The 'classification.taxonomy', 'classification.type', and
'protocol.application' were changed for the
event6_sinkhole_http_referer and event_sinkhole_http_referer reports.
Regards
On 1/30/24 12:10 AM, Kamil Mankowski via IntelMQ-dev wrote:
> Hi all,
>
> Thanks for the comments. I've forwarded the thread to ShadowServer,
> and they also have just joined the list (represented by @elsif, who
> works on the IntelMQ integration), so we can discuss the feedback
> directly.
>
> @Thomas - answering the question about completed schema changes, I
> spoke with elsif about that a few weeks ago, and schema changelog is
> available at
> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
>
> Best regards
>
> // Kamil MaĆkowski <mankowski at cert.at> - T: +43 676 898 298 7204
> // CERT Austria - https://www.cert.at/
> // CERT.at GmbH, FB-Nr. 561772k, HG Wien
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20240130/e840c978/attachment.htm>
More information about the IntelMQ-dev
mailing list