[IntelMQ-dev] RFC new compromised_iot report
Kamil Mankowski
mankowski at cert.at
Tue Sep 24 15:28:01 CEST 2024
Hey,
sorry for the late reply. I've looked at the specification and the
report, and it looks good to me, thanks!
Best regards
// Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 9/23/24 16:07, elsif wrote:
> Hello,
>
> We have a new report that will begin tomorrow.
>
> https://www.shadowserver.org/what-we-do/network-reporting/compromised-iot-report/
>
> Please let me know if you have any recommended changes for the following
> mapping for the report.
>
> Regards,
>
> Jason
>
>
> "compromised_iot" : {
>     "constant_fields" : {
>         "classification.identifier" : "compromised-iot",
>         "classification.taxonomy" : "intrusions",
>         "classification.type" : "system-compromise"
>     },
>     "feed_name" : "Compromised-IoT-Device",
>     "file_name" : "compromised_iot",
>     "optional_fields" : [
>         [
>             "malware.name",
>             "family",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "severity",
>             "validate_to_none"
>         ],
>         [
>             "protocol.transport",
>             "protocol"
>         ],
>         [
>             "source.reverse_dns",
>             "hostname"
>         ],
>         [
>             "extra.",
>             "tag"
>         ],
>         [
>             "source.asn",
>             "asn",
>             "invalidate_zero"
>         ],
>         [
>             "source.geolocation.cc",
>             "geo"
>         ],
>         [
>             "source.geolocation.region",
>             "region"
>         ],
>         [
>             "source.geolocation.city",
>             "city"
>         ],
>         [
>             "extra.source.naics",
>             "naics",
>             "invalidate_zero"
>         ],
>         [
>             "extra.",
>             "hostname_source",
>             "validate_to_none"
>         ],
>         [
>             "extra.source.sector",
>             "sector",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "device_vendor",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "device_type",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "device_model",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "device_version",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "source_type",
>             "validate_to_none"
>         ],
>         [
>             "event_description.text",
>             "category",
>             "validate_to_none"
>         ],
>         [
>             "status",
>             "status"
>         ],
>         [
>             "extra.",
>             "detail",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "public_source",
>             "validate_to_none"
>         ],
>         [
>             "source.account",
>             "account",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "server_host_key",
>             "validate_to_none"
>         ],
>         [
>             "extra.",
>             "malpubkey_sha256",
>             "validate_to_none"
>         ]
>     ],
>     "required_fields" : [
>         [
>             "time.source",
>             "timestamp",
>             "add_UTC_to_timestamp"
>         ],
>         [
>             "source.ip",
>             "ip",
>             "validate_ip"
>         ],
>         [
>             "source.port",
>             "port",
>             "convert_int"
>         ]
>     ],
>     "url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-iot-report/"
> },
>
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://docs.intelmq.org/
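The mapping quoted above is in the shape IntelMQ's Shadowserver parser uses: constant fields that every event gets, plus lists of [IntelMQ field, report column, optional conversion function] for required and optional columns. The following script is an added example (my own code, not IntelMQ's parser or the project's mapping loader) that applies exactly that mapping to a constructed CSV row so you can see which event keys result. The conversion helpers, the treatment of empty or zero values, and the rule that a bare "extra." key keeps the report's own column name under extra.<column> are my reimplementations of what the names suggest; the real IntelMQ functions may differ in detail, and the sample row is constructed, not real report data.

```python
import csv
import io
import ipaddress
from typing import Any, Dict, Optional

# Conversion helpers named in the mapping. These are my own re-implementations of
# what the names suggest, not IntelMQ's functions (assumption: similar semantics).
def validate_to_none(value: str) -> Optional[str]:
    return None if value in ("", "0", "-", "N/A") else value  # 'no value' markers
def invalidate_zero(value: str) -> Optional[int]:
    return None if value in ("", "0") else int(value)  # 0 means 'unknown' (asn, naics)
def convert_int(value: str) -> Optional[int]:
    return None if value == "" else int(value)

def validate_ip(value: str) -> Optional[str]:
    try:
        return str(ipaddress.ip_address(value))  # normalised; rejects junk in the ip column
    except ValueError:
        return None

def add_utc_to_timestamp(value: str) -> Optional[str]:
    return f"{value} UTC" if value else None  # report timestamps are UTC without a marker

CONVERTERS = {
    "validate_to_none": validate_to_none,
    "invalidate_zero": invalidate_zero,
    "convert_int": convert_int,
    "validate_ip": validate_ip,
    "add_UTC_to_timestamp": add_utc_to_timestamp,
}

# The compromised_iot mapping from the thread: [intelmq_field, report_column, converter?].
COMPROMISED_IOT = {
    "constant_fields": {
        "classification.identifier": "compromised-iot",
        "classification.taxonomy": "intrusions",
        "classification.type": "system-compromise",
    },
    "required_fields": [
        ["time.source", "timestamp", "add_UTC_to_timestamp"],
        ["source.ip", "ip", "validate_ip"],
        ["source.port", "port", "convert_int"],
    ],
    "optional_fields": [
        ["malware.name", "family", "validate_to_none"],
        ["extra.", "severity", "validate_to_none"],
        ["protocol.transport", "protocol"],
        ["source.reverse_dns", "hostname"],
        ["extra.", "tag"],
        ["source.asn", "asn", "invalidate_zero"],
        ["source.geolocation.cc", "geo"],
        ["source.geolocation.region", "region"],
        ["source.geolocation.city", "city"],
        ["extra.source.naics", "naics", "invalidate_zero"],
        ["extra.", "hostname_source", "validate_to_none"],
        ["extra.source.sector", "sector", "validate_to_none"],
        ["extra.", "device_vendor", "validate_to_none"],
        ["extra.", "device_type", "validate_to_none"],
        ["extra.", "device_model", "validate_to_none"],
        ["extra.", "device_version", "validate_to_none"],
        ["extra.", "source_type", "validate_to_none"],
        ["event_description.text", "category", "validate_to_none"],
        ["status", "status"],
        ["extra.", "detail", "validate_to_none"],
        ["extra.", "public_source", "validate_to_none"],
        ["source.account", "account", "validate_to_none"],
        ["extra.", "server_host_key", "validate_to_none"],
        ["extra.", "malpubkey_sha256", "validate_to_none"],
    ],
}

def apply_mapping(mapping: dict, row: Dict[str, str]) -> Dict[str, Any]:
    """Turn one CSV row (a csv.DictReader dict) into a flat IntelMQ-style event dict."""
    event: Dict[str, Any] = dict(mapping["constant_fields"])
    specs = ([(s, True) for s in mapping["required_fields"]]
             + [(s, False) for s in mapping["optional_fields"]])
    for (intelmq_key, column, *converter), required in specs:
        raw = row.get(column)  # None when this report version lacks the column
        value = None if raw is None else (CONVERTERS[converter[0]](raw) if converter else (raw or None))
        if value is None:
            if required:
                raise ValueError(f"required column {column!r} missing or invalid: {raw!r}")
            continue  # optional columns that are absent or empty are simply not set
        # Assumption: a bare "extra." keeps the report's own column name as the key.
        if intelmq_key == "extra.":
            intelmq_key += column
        event[intelmq_key] = value
    return event

# Constructed sample row (not real report data); columns are a subset of the mapping.
SAMPLE_CSV = (
    '"timestamp","ip","protocol","port","hostname","tag","asn","geo","naics","family","severity","device_vendor","device_type","category","status","account"\n'
    '"2024-09-24 00:00:01","192.0.2.10","tcp","22","","iot","64496","AT","0","example-botnet","high","ExampleVendor","router","malware","open","0"\n'
)

def parse_sample() -> Dict[str, Any]:
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    return apply_mapping(COMPROMISED_IOT, rows[0])

if __name__ == "__main__":
    print(parse_sample())
```

Running it shows the three required columns and the non-empty optional ones landing on their IntelMQ keys, the "0" values in asn-style and account-style columns being dropped rather than stored, and optional columns that are not present in the row being skipped; a missing or malformed ip, by contrast, rejects the whole row, which is what you want from a required field.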