Hello,
The schema has been updated based on your feedback:
- The 'malware.name' is now mapped to 'infection' for the
event4_microsoft_sinkhole, event4_microsoft_sinkhole_http,
event6_sinkhole, event6_sinkhole_http,
event6_sinkhole_http_referer, event_sinkhole, event_sinkole_dns,
event_sinkhole_http, and event_sinkhole_http_referer reports.
- The 'classification.identifier' is now mapped to 'infection'
for the event4_microsoft_sinkhole_http, event6_sinkhole_http,
event6_sinkhole_http_referer, event_sinkhole_http, and
event_sinkhole_http_referer reports.
- The 'classification.taxonomy', 'classification.type', and
'protocol.application' were changed for the
event6_sinkhole_http_referer and event_sinkhole_http_referer
reports.
Regards
On 1/30/24 12:10 AM, Kamil Mankowski
via IntelMQ-dev wrote:
Hi all,
Thanks for the comments. I've forwarded the thread to
ShadowServer, and they also have just joined the list (represented
by @elsif, who works on the IntelMQ integration), so we can
discuss the feedback directly.
@Thomas - answering the question about completed schema changes, I
spoke with elsif about that a few weeks ago, and the schema changelog
is available at
https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
Best regards
// Kamil Mańkowski <mankowski@cert.at> - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien