On Wednesday, 20 April 2016 09:41:06, Otmar Lendl wrote:
> Thus: on the output side there is not just the question of the transformation to cybox/csv/xml/xarf/..., but also the question of aggregation: Which set of events should be grouped together?
I am also seeing this challenge.
Another problem with the approach is: some formats specify details of the transport level. For example, xarf needs a special mail structure, e.g. some headers set and MIME parts depending on the existence of some fields.
So it may not be possible to fully separate the "contents" part from the "transport" part.
One way to solve the design decision is to try to actually make parts of this work.
Another idea is to just have all mapping functions in one Python module, which could then be imported by parsers, outputs and other bots.
Best Regards, Bernhard
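The two points in the reply above (a shared module of mapping and aggregation functions, and an output whose MIME layout depends on which fields an event carries) sketched as an added example. This is not code from the thread, from IntelMQ or from the X-ARF project: the event keys, the field map, the header name `X-ARF` and the three-part layout (human-readable text, machine-readable `report.txt`, optional evidence part) are assumptions made for illustration, and the sample events are constructed.

```python
"""Shared mapping module plus a transport-aware output.

Added example (not IntelMQ's or X-ARF's own code). The field names,
the X-ARF header and the part layout are assumptions for illustration.
"""
from email.message import EmailMessage
from email.policy import SMTP

# Constructed sample events in IntelMQ-style flat key naming (not real data).
SAMPLE_EVENTS = [
    {"source.ip": "192.0.2.10",
     "classification.type": "brute-force",
     "time.source": "2016-04-20T09:41:06+00:00",
     "raw": "Apr 20 09:41:06 host sshd[123]: Failed password for root"},
    {"source.ip": "198.51.100.7",
     "classification.type": "spam",
     "time.source": "2016-04-20T08:00:00+00:00"},
]

# --- "content" side: mapping functions that any bot could import ---------

# Assumed mapping from internal keys to target-format keys.
FIELD_MAP = {
    "source.ip": "Source",
    "classification.type": "Category",
    "time.source": "Date",
}


def map_event(event, field_map=FIELD_MAP):
    """Rename the fields of one event; keys without a mapping are dropped."""
    return {dst: event[src] for src, dst in field_map.items() if src in event}


def aggregate_by(events, key):
    """Group events by one field (the 'which events belong together' question).

    Returns a dict in first-seen order of the grouping value.
    """
    groups = {}
    for ev in events:
        groups.setdefault(ev.get(key), []).append(ev)
    return groups


def to_yaml_like(mapped):
    """Serialise a mapped event as simple 'key: value' lines (assumed format)."""
    return "".join(f"{k}: {v}\n" for k, v in sorted(mapped.items()))


# --- "transport" side: the mail structure depends on the event's fields ---

def build_xarf_like_message(event, sender, recipient):
    """Build a multipart report whose parts depend on the event's content.

    The evidence part is only attached when the event carries a 'raw' field,
    which is exactly the coupling between content and transport the reply
    describes.
    """
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"abuse report for {event['source.ip']}"
    msg["X-ARF"] = "YES"  # assumed marker header, set for every report
    msg.set_content("Automated abuse report; see the machine-readable part.")
    msg.add_attachment(to_yaml_like(map_event(event)),
                       subtype="plain", filename="report.txt")
    if "raw" in event:  # optional part, present only if the field exists
        msg.add_attachment(event["raw"], subtype="plain",
                           filename="evidence.txt")
    return msg


def attachment_names(msg):
    """Filenames of the non-body parts, in order (useful for checks)."""
    return [part.get_filename() for part in msg.iter_attachments()]


if __name__ == "__main__":
    for category, events in aggregate_by(SAMPLE_EVENTS,
                                         "classification.type").items():
        print(f"# {category}: {len(events)} event(s)")
        for ev in events:
            print(build_xarf_like_message(ev, "abuse@example.org",
                                          "abuse@example.net").as_string())
```

Because `build_xarf_like_message` has to look at the event to decide how many MIME parts to emit, the output bot cannot just call `map_event` and hand the result to a generic mail transport; the mapping functions can live in a shared module, but the part layout stays in the output.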