Infection will be just the name/family similar to the sinkhole feeds.
On 6/9/26 12:00 AM, Sebix wrote:
> Hi Jason
>
> On 09/06/2026 00:08, elsif via IntelMQ-dev wrote:
>> "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], ... [ "extra.", "family", "validate_to_none" ],
>
> The docs on the websites say that "infection" is "Description of the malware/infection" and "family" is "Malware family or campaign associated with the event". But in the given example, both values are the same.
>
> If infection is actually a description and not (only) the name/family, it could be mapped to event_description.text instead (and family to both classification.identifier and malware.name).
>
> best regards