Every IntelMQ message should already have a time.source field in the payload, so I'm not sure if it's necessary to have it in the metadata as well explicitly. And that overlaps with the next topic:

But don't we need to have a timestamp in the meta-data? I mean something like this:

    {
      "format": "intelmq",
      "version": 1,
      "type": "event",
      "meta": {
        "intelmq:uuid": "<event-uuid-1>",
        "intelmq:uuid_org": "<org-uuid-1>",
        "intelmq:timestamp": "<creation time of this message>",   <== here :

Not specifically for IntelMQ, but I tend to break an event message into at least three timestamps (but possibly more depending on event type):

* actual occurrence time of reported security event (time.source as I'd understand it)
* event package original creation time (the suggested meta.intelmq:timestamp here, which I'd possibly rename to meta.intelmq:creation_timestamp or similar)
* event package system ingestion time (time.observation?)

Best regards,
Chris
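
The three-timestamp split described in the reply above, as an added example that is not part of the original thread and is not IntelMQ code: it reads the three times from one message, normalises them to UTC, and reports the delay between each stage. The "payload" key, the meta key name (taken from the rename suggested in the reply) and all sample values are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample message. The envelope keys follow the draft quoted in the
# thread; the "payload" key and every value here are assumptions.
SAMPLE = {
    "format": "intelmq",
    "version": 1,
    "type": "event",
    "meta": {"intelmq:creation_timestamp": "2024-05-01T10:05:00+00:00"},
    "payload": {
        "time.source": "2024-05-01T12:00:00+02:00",       # occurrence
        "time.observation": "2024-05-01T10:07:30+00:00",  # ingestion
    },
}


def parse_utc(value, name):
    """Parse an ISO 8601 string, reject values without an offset, return UTC."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"{name}: timestamp has no UTC offset")
    return ts.astimezone(timezone.utc)


def timestamps(message):
    """Return (occurred, created, ingested) as timezone-aware UTC datetimes."""
    meta, payload = message["meta"], message["payload"]
    return (
        parse_utc(payload["time.source"], "time.source"),
        parse_utc(meta["intelmq:creation_timestamp"], "creation_timestamp"),
        parse_utc(payload["time.observation"], "time.observation"),
    )


def lags(message):
    """Seconds from occurrence to packaging and from packaging to ingestion.

    A negative value means the clocks involved disagree or a field is wrong.
    """
    occurred, created, ingested = timestamps(message)
    return {
        "reporting_lag": (created - occurred).total_seconds(),
        "ingestion_lag": (ingested - created).total_seconds(),
    }


if __name__ == "__main__":
    print(lags(SAMPLE))
```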