Open acruise opened 5 years ago
acruise
commented
5 years ago If the uuid/id really do refer to the presumed parent event, they should be described that way... If they are actually attributes of the attribute (meta-attribute?) the noun should be updated. :)
acruise
commented
5 years ago It would be good to clarify the relationship between id and uuid ... is the id locally unique within a given installation, but likely to change if an object is sent to a different org? Is the uuid expected to stay the same under such a situation?
Edit: I read a bit more, the answer is yes. :)
TTycho
commented
3 years ago Yup, clarification would be welcome. I get a lot of "Duplicate UUID found in attribute" in my logs. I think because I try to use the same UUID (for the same attribute) in a different event (from the same manifest.json). I would expect that if the attribute is the same (an IP address in this case) the UUID could stay the same. Maybe a hint could be added on how to best create an attribute UUID. Is it org UUID, event UUID and attribute value?
e.g. https://github.com/MISP/misp-rfc/blob/0d37c82b42e7ede979811a89e791a1628e75b4d2/misp-core-format/raw.md.txt#L476