Hi Thomas
Thank you for the heads up. Then I suggest that we remove these bots from IntelMQ as they then no longer serve a purpose:
Microsoft Interflow Collector
Microsoft CTIP Parser
These can stay:
Microsoft Azure Collector
Microsoft Bing Malicious URLs Parser
Best regards
Sebastian
On 28/11/2025 14:04, Thomas Hungenberg wrote:
Hi Sebastian,
CTIP data is no longer provided via Interflow but through a new dedicated API now. The data format changed as well and no longer includes "severity".
We discussed adapting the collector and parser for CTIP in July. However, we then opted for a simpler solution with a script that fetches the data, converts it to CSV and feeds it into an IntelMQ Generic CSV parser.
- Thomas
On 21.11.25 09:04, Sebix via IntelMQ-dev wrote:
Dear all
Does anyone receive data from Microsoft Interflow?
It has a field called 'severity' which is currently mapped to the 'extra.severity' field: https://github.com/certtools/intelmq/blob/0342b7718050b1690d9e20f137b58c7693...
As in IntelMQ 3.5.0, we have a proper 'severity' field with standardized values; the CTIP parser should now use that one as well. However, what's unclear to me, without access to example data, is what possible values Microsoft uses, and thus whether we need to map their values to ours.
So if you have any example data, please let us know what values they use :)
Best regards
Sebastian