Hello,
Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/initial-access-bro...
Please let me know if you have any changes before June 15th.
Regards,
Jason
{
  "constant_fields": {
    "classification.taxonomy": "malicious-code",
    "classification.type": "infected-system"
  },
  "feed_name": "Initial-Access-Broker",
  "file_name": "event4_initial_access_broker",
  "optional_fields": [
    ["classification.identifier", "infection", "validate_to_none"],
    ["malware.name", "infection", "validate_to_none"],
    ["extra.", "tag", "validate_to_none"],
    ["extra.", "family", "validate_to_none"],
    ["protocol.transport", "protocol"],
    ["source.asn", "src_asn", "invalidate_zero"],
    ["source.geolocation.cc", "src_geo"],
    ["source.geolocation.region", "src_region"],
    ["source.geolocation.city", "src_city"],
    ["source.reverse_dns", "src_hostname"],
    ["extra.source.naics", "src_naics", "invalidate_zero"],
    ["extra.source.sector", "src_sector", "validate_to_none"],
    ["product.vendor", "device_vendor", "validate_to_none"],
    ["extra.", "device_type", "validate_to_none"],
    ["product.name", "device_model", "validate_to_none"],
    ["severity", "severity", "validate_to_none"],
    ["destination.ip", "dst_ip", "validate_ip"],
    ["destination.port", "dst_port", "convert_int"],
    ["destination.asn", "dst_asn", "invalidate_zero"],
    ["destination.geolocation.cc", "dst_geo"],
    ["destination.geolocation.region", "dst_region"],
    ["destination.geolocation.city", "dst_city"],
    ["destination.reverse_dns", "dst_hostname", "validate_to_none"],
    ["extra.destination.naics", "dst_naics", "invalidate_zero"],
    ["extra.destination.sector", "dst_sector", "validate_to_none"],
    ["extra.", "public_source", "validate_to_none"],
    ["extra.", "application", "validate_to_none"],
    ["extra.", "version", "validate_to_none"],
    ["extra.", "event_id", "validate_to_none"],
    ["source.account", "account", "validate_to_none"],
    ["extra.", "detail", "validate_to_none"],
    ["extra.", "org_domain", "validate_to_none"],
    ["extra.", "machine_name", "validate_to_none"]
  ],
  "required_fields": [
    ["time.source", "timestamp", "add_UTC_to_timestamp"],
    ["source.ip", "src_ip", "validate_ip"]
  ],
  "url": "https://www.shadowserver.org/what-we-do/network-reporting/initial-access-bro..."
}
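The mapping above applied to one constructed CSV row, as an added example that is not IntelMQ's own parser: the converter behaviours (what validate_to_none, invalidate_zero, validate_ip and add_UTC_to_timestamp do) are assumptions inferred from their names, only a subset of the optional fields is included, and the sample row and its malware name are constructed.

```python
import csv
import ipaddress

# Added example, not IntelMQ's own code; converter semantics are assumptions
# inferred from the converter names used in the proposed mapping.
def validate_to_none(v):      # empty or placeholder values carry no information
    return None if v in ("", "0", "---") else v
def invalidate_zero(v):       # ASN/NAICS 0 means "unknown", not a real number
    return int(v) if v and int(v) != 0 else None
def validate_ip(v):           # drop an unparsable address instead of emitting it
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return None
def add_UTC_to_timestamp(v):  # report timestamps are UTC but carry no zone marker
    return f"{v} UTC" if v else None

CONVERTERS = {f.__name__: f for f in (validate_to_none, invalidate_zero, validate_ip, add_UTC_to_timestamp)}
MAPPING = {  # subset of the proposed mapping above
    "constant_fields": {"classification.taxonomy": "malicious-code",
                        "classification.type": "infected-system"},
    "required_fields": [["time.source", "timestamp", "add_UTC_to_timestamp"],
                        ["source.ip", "src_ip", "validate_ip"]],
    "optional_fields": [["classification.identifier", "infection", "validate_to_none"],
                        ["malware.name", "infection", "validate_to_none"],
                        ["extra.", "family", "validate_to_none"],
                        ["source.asn", "src_asn", "invalidate_zero"],
                        ["destination.ip", "dst_ip", "validate_ip"]],
}

def map_row(row, mapping=MAPPING):
    event = dict(mapping["constant_fields"])
    for required, fields in ((True, mapping["required_fields"]),
                             (False, mapping["optional_fields"])):
        for key, column, *conv in fields:
            raw = row.get(column, "")
            value = CONVERTERS[conv[0]](raw) if conv else (raw or None)
            if value is None:
                if required:
                    raise ValueError(f"required column {column!r} missing or invalid")
                continue  # an optional field without a usable value is omitted
            event[key + column if key == "extra." else key] = value  # "extra." -> extra.<column>
    return event

# Constructed sample row, not real report data: ASN 0 and a malformed dst_ip
SAMPLE_CSV = ("timestamp,src_ip,src_asn,infection,family,dst_ip\n"
              "2026-06-09 00:08:00,192.0.2.10,0,exampleloader,exampleloader,198.51.100.999\n")

def parse_report(text=SAMPLE_CSV):
    return [map_row(r) for r in csv.DictReader(text.splitlines())]
```

Running parse_report() on the sample shows the zero ASN and the malformed destination address being dropped while the same "infection" column lands in both classification.identifier and malware.name, which is the duplication discussed further down the thread.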
Thanks! --- Mobile
Hi Jason
On 09/06/2026 00:08, elsif via IntelMQ-dev wrote:
"optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], ... [ "extra.", "family", "validate_to_none" ],
The docs on the website say that "infection" is "Description of the malware/infection" and "family" is "Malware family or campaign associated with the event". But in the given example, both values are the same.
If infection is actually a description and not (only) the name/family, it could be mapped to event_description.text instead (and family to both classification.identifier and malware.name).
best regards
Infection will be just the name/family, similar to the sinkhole feeds.
On 6/9/26 12:00 AM, Sebix wrote: