Hello,
The schema has been updated based on your feedback:
* The 'malware.name' is now mapped to 'infection' for the event4_microsoft_sinkhole, event4_microsoft_sinkhole_http, event6_sinkhole, event6_sinkhole_http, event6_sinkhole_http_referer, event_sinkhole, event_sinkole_dns, event_sinkhole_http, and event_sinkhole_http_referer reports.
* The 'classification.identifier' is now mapped to 'infection' for the event4_microsoft_sinkhole_http, event6_sinkhole_http, event6_sinkhole_http_referer, event_sinkhole_http, and event_sinkhole_http_referer reports.
* The 'classification.taxonomy', 'classification.type', and 'protocol.application' were changed for the event6_sinkhole_http_referer and event_sinkhole_http_referer reports.
Regards
On 1/30/24 12:10 AM, Kamil Mankowski via IntelMQ-dev wrote:
Hi all,
Thanks for the comments. I've forwarded the thread to ShadowServer, and they also have just joined the list (represented by @elsif, who works on the IntelMQ integration), so we can discuss the feedback directly.
@Thomas - answering the question about completed schema changes, I spoke with elsif about that a few weeks ago, and the schema changelog is available at https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/compl...
Best regards
//
Kamil Mańkowski mankowski@cert.at - T: +43 676 898 298 7204
//
CERT Austria - https://www.cert.at/
//
CERT.at GmbH, FB-Nr. 561772k, HG Wien