misp-objects

History

aaronkaplan 7b4c9cd6df As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration.	2021-05-02 15:57:54 +02:00
..
definition.json	As discussed with @rafiot, we can't simply add rdata and rrname as	2021-05-02 15:57:54 +02:00

As discussed with @rafiot, we can't simply add rdata and rrname as

text only into MISP objects. Why? Because otherwise we can't use MISP's
correlation engine to correlate attributes (rrname, rdata) inside these
MISP objects with other events. Because "text" would not correlate with
other "ip-src" or "domain" types in other objects/attributes.

Kind of sucks to duplicate the rrname and rdata entries, but that's the
only solution we came up with.

The COF2MISP module will populate both the rrname,rdata as well as the
rrname_{domain,ip} and rdata_{domain,ip} attributes.

Checked with jq_all_the_things.sh.
Thanks for your consideration.

2021-05-02 15:57:54 +02:00

definition.json

As discussed with @rafiot, we can't simply add rdata and rrname as

2021-05-02 15:57:54 +02:00