Timestamp
CIF supports three separate timestamps per record or indicator: (reporttime, lasttime, firsttime). A record should have at least one timestamp associated with it and could have up to three timestamps.
reporttime: the timestamp of when the record or indicator was given to you (the time you ingested it). It says nothing about when the behavior itself was observed.
lasttime: a machine-generated timestamp of the most recent time the source observed the behavior. This should be the latest timestamp found in machine-generated logs on a host that uses clock synchronization (NTP).
firsttime: a machine-generated timestamp of the first time the source observed the behavior. This should be the earliest timestamp found in machine-generated logs on a host that uses clock synchronization (NTP).
An information sharing partner may give you the following intelligence:
address      portlist  protocol  firsttime             lasttime              description
192.168.1.1  22        tcp       2016-06-18T00:00:00Z  2016-06-18T10:10:00Z  scanner
If you were to ingest this record into CIF at 2016-06-18T12:00:00Z, you would associate these three timestamps with this single indicator:
firsttime: 2016-06-18T00:00:00Z
lasttime: 2016-06-18T10:10:00Z
reporttime: 2016-06-18T12:00:00Z
When using csirtg-fm (formerly cif-smrt) to ingest intelligence into CIF, the tool will automatically fill in lasttime, reporttime and firsttime if those values are not specified. When a feed gives no timestamps of its own, it is not uncommon to see all three values identical, or within a second of each other, because they are all derived from the ingest clock rather than from the source's observations; such records tell you when you received the indicator, not when the behavior was seen. Here's an example of the alienvault feed, where firsttime and lasttime were filled in one second after reporttime:
{
  "lasttime": "2016-05-24T13:01:52Z",
  "firsttime": "2016-05-24T13:01:52Z",
  "reporttime": "2016-05-24T13:01:51Z",
  "tlp": "white",
  "tags": ["suspicious"],
  "altid": "https://reputation.alienvault.com/reputation.data",
  "description": "Scanning Host",
  "altid_tlp": "white",
  "asn": "8075",
  "confidence": 6,
  "group": ["everyone"],
  "provider": "reputation.alienvault.com",
  "indicator": "13.84.219.191",
  "itype": "ipv4"
}
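The following is an added example, not code from the CIF project or from csirtg-fm: it parses a feed in the whitespace-delimited shape of the partner table above, attaches the three timestamps to each indicator using the fill-in rules this page describes (reporttime is the ingest time, a missing lasttime falls back to reporttime, a missing firsttime falls back to lasttime), flags records whose observation times are synthetic, and checks the ordering firsttime <= lasttime <= reporttime so that records like the alienvault sample, whose reporttime precedes its lasttime, are caught. The sample feed, the field names beyond those shown on the page, and the fallback rules are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample feed (not a real partner feed): a whitespace-delimited
# table in the shape shown on this page, plus a row with no timestamps ("-").
SAMPLE_FEED = """\
address portlist protocol firsttime lasttime description
192.168.1.1 22 tcp 2016-06-18T00:00:00Z 2016-06-18T10:10:00Z scanner
10.0.0.5 443 tcp - - c2
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse a CIF-style UTC timestamp; return None for missing values."""
    if value in (None, "", "-"):
        return None
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.strftime(TS_FMT)


def build_indicator(row, reporttime):
    """Map one feed row onto a CIF-like record carrying all three timestamps.

    Fill-in rules (assumed for this example; they mirror the page's description
    of csirtg-fm/cif-smrt behaviour, not its actual code):
      - reporttime is always the ingest time we were handed the record
      - a missing lasttime falls back to reporttime
      - a missing firsttime falls back to lasttime
    """
    supplied_lasttime = parse_ts(row.get("lasttime"))
    lasttime = supplied_lasttime or reporttime
    firsttime = parse_ts(row.get("firsttime")) or lasttime
    return {
        "indicator": row["address"],
        "portlist": row["portlist"],
        "protocol": row["protocol"],
        "description": row["description"],
        "firsttime": fmt_ts(firsttime),
        "lasttime": fmt_ts(lasttime),
        "reporttime": fmt_ts(reporttime),
        # True when the feed supplied no observation time: firsttime and
        # lasttime are then just the ingest clock and say nothing about when
        # the behaviour was really seen.
        "timestamps_synthetic": supplied_lasttime is None,
    }


def parse_feed(text, reporttime):
    """Parse a header-led, whitespace-delimited feed into CIF-like records."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = [dict(zip(header, l.split())) for l in lines[1:]]
    return [build_indicator(r, reporttime) for r in rows]


def check_order(rec):
    """Return a list of timestamp-ordering problems for one record.

    firsttime must not be after lasttime. A reporttime earlier than lasttime
    means the record claims to have been observed after it was handed to us,
    which usually points at clock skew or auto-filled values.
    """
    f, l, r = (parse_ts(rec[k]) for k in ("firsttime", "lasttime", "reporttime"))
    problems = []
    if f > l:
        problems.append("firsttime after lasttime")
    if r < l:
        problems.append("reporttime before lasttime")
    return problems


if __name__ == "__main__":
    ingest = parse_ts("2016-06-18T12:00:00Z")
    for rec in parse_feed(SAMPLE_FEED, ingest):
        print(rec, check_order(rec))
```

Run against the alienvault record above, check_order reports "reporttime before lasttime", which is the signature of values filled in at ingest rather than observed by the source; treating such firsttime/lasttime values as evidence of activity at that moment would be a mistake.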