<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 10pt; color: #000000"><div>Hi Jonathan.</div><div><br data-mce-bogus="1"></div><div> A report is a JSON document that is emitted by a collector bot. <span style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 13.3333px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;" data-mce-style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 13.3333px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">This document contains fields listed in the "report" section of harmonization.conf. Packed inside the report there is</span> information about 1-N security events. Once the collector has the report ready, it sends it to a parser bot. The parser bot then splits the report document into events. An event is a JSON document describing a single security event. The fields in an event are listed in the "event" section of harmonization.conf. After the split, the parser bot sends the events one by one to the next configured expert bot in the bot chain. Eventually, the last expert bot in the chain passes the event to an output bot. The output bots could be considered as the components that provide the "reporting capability" you mention as they typically forward/store the processed event into a system outside of intelmq.</div><div><br data-mce-bogus="1"></div><div> Harmonized fields are in other words, "standardised" over all reports and events intelmq processes because there are rules as to what values they are allowed to contain. Beyond these we have many non-harmonised fields that may contain (almost) arbitrary values.</div><div>These non-harmonised fields are typically named "extra.*" describing the event of the corresponding security feed in more detail. Basically, these contain data that is specific to feeds, not data common to all feeds and thus not "harmonizable".</div><div><br data-mce-bogus="1"></div><div> I'll stop here in the hope the above helps. More seasoned developers may continue from hereon (and correct me along the way if necessary).</div><div><br data-mce-bogus="1"></div><div>Br, Mika</div><div><br data-mce-bogus="1"></div><div><br></div><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"intelmq-users" <intelmq-users@lists.cert.at><br><b>To: </b>"intelmq-users" <intelmq-users@lists.cert.at><br><b>Sent: </b>Friday, 17 December, 2021 14:12:50<br><b>Subject: </b>[IntelMQ-users] [IntelMQ] Question about harmonization.conf<br></div><div><br><style>/*<![CDATA[*/p.MsoNormal, li.MsoNormal, div.MsoNormal {
margin: 0.0cm;
font-size: 11.0pt;
font-family: Calibri , sans-serif;
}
span.EmailStyle17 {
font-family: Calibri , sans-serif;
color: windowtext;
}
*.MsoChpDefault {
font-family: Calibri , sans-serif;
}
div.WordSection1 {
page: WordSection1;
}
/*]]>*/</style></div><div data-marker="__QUOTED_TEXT__">
<div class="WordSection1">
<p class="MsoNormal">Greetings IntelMQ community,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’m looking for information about the harmonization.conf file located in /etc. In this file I see two sections: «event», and «report».</p>
<p class="MsoNormal">Could you please tell me the difference? Unfortunately, I was not able to find hints in the current documentation.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="FR-BE">Also, as I see «report», does that mean IntelMQ has a reporting capability ? As far as I know IntelMQ doesn’t provide a reporting capability, hence my doubt. </span><span lang="FR-BE" style="font-family:'segoe ui emoji' , sans-serif">😊</span><span lang="FR-BE"></span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal">Jonathan</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="FR-BE">--</span></p>
<p class="MsoNormal"><b>Jonathan
</b><b><span lang="FR-BE">SCOUPREMAN</span></b> |
<a href="mailto:jscoupreman@excellium-services.lu" target="_blank" rel="nofollow noopener noreferrer"><span style="color:blue">jscoupreman@excellium-services.</span><span lang="FR-BE" style="color:blue">lu</span></a><span lang="FR-BE"> |
</span>PGP Key ID: <a href="http://pgp.circl.lu/pks/lookup?op=vindex&fingerprint=on&search=0x6802c48ead971c07" target="_blank" rel="nofollow noopener noreferrer">
<span style="color:blue">0xAD971C07</span></a></p>
<p class="MsoNormal"><b><span lang="FR-BE">CERT-XLM</span></b><span lang="FR-BE"> |
<a href="mailto:cert@excellium-services.com" target="_blank" rel="nofollow noopener noreferrer"><span style="color:blue">cert@excellium-services.com</span></a> | PGP Key ID:
<a href="http://pgp.circl.lu/pks/lookup?op=vindex&fingerprint=on&search=0x67B311E5D74E5AC0" target="_blank" rel="nofollow noopener noreferrer">
<span style="color:blue">0xD74E5AC0</span></a></span></p>
<p class="MsoNormal"><b>CERT-XLM Incident Handler</b><span lang="FR-BE"> @
<a href="https://excellium-services.com/" target="_blank" rel="nofollow noopener noreferrer"><span style="color:blue">excellium-services.com</span></a></span></p>
<p class="MsoNormal">Excellium Services S.A. | 5 rue Goell L-5326 Contern</p>
<p class="MsoNormal">Mobile: +352 691 982 790</p>
<p class="MsoNormal"><span lang="FR-BE">Emergency: +352 262 039 64 708 |
<a href="mailto:emergency@excellium-services.com" target="_blank" rel="nofollow noopener noreferrer"><span style="color:blue">emergency@excellium-services.com</span></a> | PGP Key ID:
<a href="https://excellium-services.com/assets/EMERGENCY_PKEY.asc" target="_blank" rel="nofollow noopener noreferrer"><span style="color:blue">0x42662EFE</span></a></span></p>
<p class="MsoNormal"> </p>
</div>
This email is confidential and may contain legally privileged information. If you are not the intended recipient, you should not copy, distribute, disclose or use the information it contains, please e-mail the sender immediately and delete this message from
your system. Note: e-mails are susceptible to corruption, interception and unauthorised amendment; we do not accept liability for any such changes, or for their consequences. You should be aware that we may monitor your e-mails and their content. Excellium
Services SA.
<br>-- <br>List settings:<br> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-users<br>IntelMQ Documentation: https://intelmq.readthedocs.io/<br></div></div></body></html>