[IntelMQ-dev] Shadowserver parser: Bad mapping for malware events

elsif elsif at shadowserver.org
Tue Jan 30 16:38:20 CET 2024


Hello,

The schema has been updated based on your feedback:

  * The 'malware.name' is now mapped to 'infection' for the
    event4_microsoft_sinkhole, event4_microsoft_sinkhole_http,
    event6_sinkhole, event6_sinkhole_http, event6_sinkhole_http_referer,
    event_sinkhole, event_sinkole_dns, event_sinkhole_http, and
    event_sinkhole_http_referer reports.
  * The 'classification.identifier' is now mapped to 'infection' for the
    event4_microsoft_sinkhole_http, event6_sinkhole_http,
    event6_sinkhole_http_referer, event_sinkhole_http, and
    event_sinkhole_http_referer reports.
  * The 'classification.taxonomy', 'classification.type', and
    'protocol.application' were changed for the
    event6_sinkhole_http_referer and event_sinkhole_http_referer reports.

Regards

On 1/30/24 12:10 AM, Kamil Mankowski via IntelMQ-dev wrote:
> Hi all,
>
> Thanks for the comments. I've forwarded the thread to ShadowServer, 
> and they also have just joined the list (represented by @elsif, who 
> works on the IntelMQ integration), so we can discuss the feedback 
> directly.
>
> @Thomas - answering the question about completed schema changes, I 
> spoke with elsif about that a few weeks ago, and schema changelog is 
> available at 
> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
>
> Best regards
>
> // Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
> // CERT Austria - https://www.cert.at/
> // CERT.at GmbH, FB-Nr. 561772k, HG Wien
>