Closed guillaume-philippon closed 1 year ago
Hello Guillaume, yesterday we added this change in the commit CERN-CERT/pDNSSOC/pull/11. Can you take a look at it? It should be essentially the same, but getting the URL from constants.
Hi,
Yes, it's the same thing. You are too quick to add new features :-)
I still have a question about ioc_provider, to use the same opensearch index for multiple ioc detectors. I think the best way is to use the same template to input data in opensearch and add a provider information (pdnssoc, my_ioc_detector, ...), but I'm not 100% sure it's the good way.
Returning to this, misp_event_url is added to the new alert format.
ioc_provider: I would say this does not make sense to be added in the alerts output (another field that is quite obvious from the tool perspective). However, you can add or modify the fields (e.g. adding a source field per document) during your ingestion in Opensearch (e.g. via the log shipper).
Indeed, you are making strides to develop functionality for the tool. In order to synchronize more and not duplicate efforts, we can discuss future functionality in Issues.
Thank you for the contributions.
Hi,
After our discussion, I moved from my specific opensearch publishing to something more generic (pdnssoc point of view). But I need to have two more parameters on alerts.log:
My PR is about these two points. Please let me know if you have any questions / remarks about this.