Frequently asked Questions
Report Data Format
By default the events are formatted in JSON. The reason this format is used is because it is a widely used format and many languages support JSON natively today. The key-value nature allows to contain events of different nature within one report or file. It also allows to include additional information where available, like the response header of a scan or the hostname. This benefit comes at the cost of increased file size, but this is nowadays a very small price to pay compared to the additional benefits.
Column based formats like CSV have the drawback that every event contained in the document must match the fields specified in the header. While it is theoretically possible to specify all the different keys in the header and leave most of the values empty, in reality this is not very practical. To include all the differnt information the header would have to specify several hundred columns.
Therefore, it is necessary to limit the number of columns to the most relevant and significant fields.
The following data formats for the reported events are currently supported:
- JSON (default) https://en.wikipedia.org/wiki/JSON
The events are contained in one compact JSON event.
To view these events in an Text Editor we recommend to use an editor that is JSON aware and is able to beautify the data, i.e. splitting up the JSON object into multiple lines.
- JSON-formatted https://en.wikipedia.org/wiki/JSON
The events are contained in one JSON event. However, to make it easier to read the data, it has been beautified, i.e. the JSON object has been split into multiple lines.
- CSV https://en.wikipedia.org/wiki/Comma-separated_values
The events are contained in multiple lines, where each line is an event.
CSV is a column based format, therefore it was necessary to select the most significant fields that will be included in the report.
SWITCH-CERT recommends to use the JSON format if possible.
Additionally, the following options are available
- Report location
- (default) attachment: The events are attached as a file to the email.
- inline: The events are written inline in the email message, no compression available.
- Report compression
- (default) compressed: The attachment is compressed using zip. Zip is used because it by default supported by most platforms.
- uncompressed: The attachment as is.
Contact SWITCH-CERT by replying on the report you received if you want to change your preference.
Feedback on how the reports can be improved is apprechiated. This is especially true for broken formats, wrong headers etc.
Regarding new features, like other formats, additional options or new distribution channels input is welcome. This does not guarantee that it will be implemented. There can be many different reasons for a feature request to be rejected, like requiring major changes or simply a niche demand.
If you have such a request please describe the feature, the use case and the benefits, making it easier to understand the need for it. Requests failing to show sufficient novelty might be dropped directly.