MILE T. Takahashi Internet-Draft NICT Intended status: Standards Track R. Danyliw Expires: July 6, 2019 CERT M. Suzuki NICT January 2, 2019 CBOR/JSON binding of IODEF draft-ietf-mile-jsoniodef-07 Abstract RFC7970 specified an information model and a corresponding XML data model for exchanging incident and indicator information. This draft provides an alternative data model implementation in CBOR/JSON. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 6, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Takahashi, et al. Expires July 6, 2019 [Page 1] Internet-Draft JSON-IODEF January 2019 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.2. Software and Software Reference . . . . . . . . . . . 6 2.2.3. Structured Information . . . . . . . . . . . . . . . 6 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7 3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 25 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 7. Security Considerations . . . . . . . . . . . . . . . . . . . 40 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 40 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 9.1. Normative References . . . . . . . . . . . . . . . . . . 40 9.2. Informative References . . . . . . . . . . . . . . . . . 41 Appendix A. Data Types used in this document . . . . . . . . . . 41 Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 41 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69 1. Introduction [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively in this document. This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using CDDL and JSON Schema [jsonschema]. This JSON data model is referred to as IODEF JSON in this document. Takahashi, et al. Expires July 6, 2019 [Page 2] Internet-Draft JSON-IODEF January 2019 IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information. The normative IODEF JSON data model is found in Section 5. Section 2 and Section 3 describe the data types and elements of this data model. Section 4 provides examples. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here. 2. IODEF Data Types The abstract IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970]. 2.1. Abstract Data Type to JSON Data Type Mapping IODEF JSON uses native and derived JSON data types. Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON. Takahashi, et al. Expires July 6, 2019 [Page 3] Internet-Draft JSON-IODEF January 2019 +-----------------+-------------------+-------------------------------+ | IODEF Data Type | [RFC7970] | JSON Data Type | | | Reference | | +-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 | "integer" per [jsonschema] | | REAL | Section 2.2 | "number" per [jsonschema] | | CHARACTER | Section 2.3 | "string" per [jsonschema] | | STRING | Section 2.3 | "string" per [jsonschema] | | ML_STRING | Section 2.4 | see Section 2.2.1 | | BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] | | POSTAL | Section 2.10 | ML_STRING, Section 2.2.1 | | PHONE | Section 2.11 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] | | SOFTWARE | Section 2.15 | see Section 2.2.2 | | STRUCTUREDINFO | [RFC 7203] | see Section 2.2.3 | | EXTENSION | Section 2.16 | see Section 2.2.4 | +-----------------+-------------------+-------------------------------+ Figure 1: JSON Data Types Takahashi, et al. Expires July 6, 2019 [Page 4] Internet-Draft JSON-IODEF January 2019 +-----------------+------------------+---------------------------------+ | IODEF Data Type | CBOR Data Type | CDDL prelude | | | | [draft-ietf-cbor-cddl-05] | +-----------------+------------------+---------------------------------+ | INTEGER | 0, 1, 6 tag 2, | integer | | | 6 tag 3 | | | REAL | 7 bits 26 | float32 | | CHARACTER | 3 | text | | STRING | 3 | text | | ML_STRING | 5 | Maps/Structs (Section 3.5.1) | | BYTE | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy | | HEXBIN | 2 | bytes | | HEXBIN[] | 2 | bytes | | ENUM | - | Choices (Section 2.2.2) | | DATETIME | 6 tag 0 | tdate | | TIMEZONE | 3 | text | | PORTLIST | 3 | text | | POSTAL | 3 | ML_STRING (Section 2.2.1) | | PHONE | 3 | text | | EMAIL | 3 | text | | URL | 6 tag 32 | uri | | ID | 3 | text | | IDREF | 3 | text | | SOFTWARE | 5 | Maps/Structs (Section 3.5.1) | | STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1) | | EXTENSION | 5 | Maps/Structs (Section 3.5.1) | +-----------------+------------------+---------------------------------+ Figure 2: CBOR Data Types 2.2. Complex JSON Types 2.2.1. Multilingual Strings A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as either an object with "value", "lang", and "translation-id" elements or a text string as defined in Section 5. Examples are shown below. "MLStringType": { "value": "free-form text", //STRING "lang": "en", //ENUM "translation-id": "jp2en0023" //STRING } Takahashi, et al. Expires July 6, 2019 [Page 5] Internet-Draft JSON-IODEF January 2019 2.2.2. Software and Software Reference A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 5. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, //SoftwareReference "Description": ["MS Windows"] //STRING } SoftwareReference class is a reference to a particular version of software. Examples are shown below. "SoftwareReference": { "value": "cpe:/a:google:chrome:59.0.3071.115 ", //STRING "spec-name": "cpe", //ENUM "dtype": "string" //ENUM } 2.2.3. Structured Information Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the STRUCTUREDINFO data type. Note that this type was originally specified in [RFC7203]. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "dtype", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInfo": { "SpecID": "cve", //ENUM "ContentID": "CVE-2007-5000" //STRING } When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInfo": { "SpecID": "oval", //ENUM "RawData": "<<>>" //BYTE } Takahashi, et al. Expires July 6, 2019 [Page 6] Internet-Draft JSON-IODEF January 2019 2.2.4. EXTENSION Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below. "ExtensionType": { "value": "xxxxxxx", //STRING "name": "Syslog", //STRING "dtype": "string", //ENUM "meaning": "Syslog from the security appliance X" //STRING } 3. IODEF JSON Data Model 3.1. Classes and Elements The following table shows the list of IODEF Classes, their elements, and the corresponding section in [RFC7970]. Note that the complete JSON schema is defined in Section 5 usind CDDL. +-----------------------------+--------------------+---------------+ | IODEF Class | Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | Takahashi, et al. Expires July 6, 2019 [Page 7] Internet-Draft JSON-IODEF January 2019 | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenerationTime | | | | Description* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | Takahashi, et al. Expires July 6, 2019 [Page 8] Internet-Draft JSON-IODEF January 2019 | | URL* | | | | Description* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*, | | | | ContactTitle* | | | | Description* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle | | | | registry | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type? | | | | ext-type? | | | | PAddress | | | | Description* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? | | | | ext-type? | | | | TelephoneNumber | | | | Description* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires July 6, 2019 [Page 9] Internet-Draft JSON-IODEF January 2019 | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | | | | AdditionalData* | 3.11 | +-----------------------------+--------------------+---------------+ | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigatingFactor* | | | | Cause* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | 3.12.2 | Takahashi, et al. Expires July 6, 2019 [Page 10] Internet-Draft JSON-IODEF January 2019 +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? | | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | System* | | | | Expectation* | | | | RecordData* | | Takahashi, et al. Expires July 6, 2019 [Page 11] Internet-Draft JSON-IODEF January 2019 | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? | | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | AdditionalData* | 3.17 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Counter* | 3.18 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.18.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | Takahashi, et al. Expires July 6, 2019 [Page 12] Internet-Draft JSON-IODEF January 2019 | | Description* | 3.18.2 | +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | duration? | | | | ext-duration? | 3.18.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate? | | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.19 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.19.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.19.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField*| | | | EmailData? | | | | Application? | 3.20 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | | | | URL* | | | | Description* | 3.20.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | Takahashi, et al. Expires July 6, 2019 [Page 13] Internet-Draft JSON-IODEF January 2019 | | EmailFrom? | | | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.21 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Application? | | | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.22.1 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.22.2 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.23 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.23.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.24 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | Takahashi, et al. Expires July 6, 2019 [Page 14] Internet-Draft JSON-IODEF January 2019 | | Description* | 3.24.1 | +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.25 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? | | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.25.1 | +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.26 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.26.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData* | 3.26.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.29 | Takahashi, et al. Expires July 6, 2019 [Page 15] Internet-Draft JSON-IODEF January 2019 +-----------------------------+--------------------+---------------+ | IndicatorID | id | | | | name | | | | version | 3.29.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorID+ | 3.29.2 | +-----------------------------+--------------------+---------------+ | Observable | restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData* | 3.29.3 | +-----------------------------+--------------------+---------------+ | BulkObservable | type? | | | | ext-type? | | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData* | 3.29.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? | | | | AdditionalData* | 3.29.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData* | 3.29.6 | Takahashi, et al. Expires July 6, 2019 [Page 16] Internet-Draft JSON-IODEF January 2019 +-----------------------------+--------------------+---------------+ | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.29.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.29.8 | +-----------------------------+--------------------+---------------+ Figure 3: IODEF Classes 3.2. Mapping between CBOR/JSON and XML IODEF o This document treats attributes and elements of each class defined in [RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and classes with its instances now directly have instances of EventData class that used to belong to the Flow classs. o ApplicationHeader class is deleted, and classes with its instances now directly have instances of ApplicationHeaderField class that used to belong to the ApplicationHeader class. o SignatureData class is deleted, and classes with its instances now directly have instance of Signature class that used to belong to the SignatureData class. o IndicatorData class is deleted, and classes with its instances now directly have the instances of Indicator class that used to belong to the IndicatorData class. o ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element. o Record class is replaced by RecordData class, and RecordData class is renamed to Record class. o Record class is deleted, and classes with its instances now directly have the instances of RecordData class that used to belong to the Record class. o The MLStringType were modified to support simple string by allowing the type to have not only a predefined object type but Takahashi, et al. Expires July 6, 2019 [Page 17] Internet-Draft JSON-IODEF January 2019 also text type, in order to allow simple descriptions of elements of the type. o The elements of ML_STRING type in XML IODEF document are presented as either STRING type or ML_STRING type in CBOR/JSON IODEF document. o Data models of the extension classes defined by [RFC7203] and referenced by [RFC7970] are represented by StructuredInfo class defined in this document. o Signature, X509Data, and RawData are encoded with base64 and are reprensetend as string (BYTE type) in CBOR/JSON IODEF documents. 4. Examples This section provides examples of IODEF documents. These examples do not represent the full capabilities of the data model or the only way to encode particular information. 4.1. Minimal Example A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively. { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "reporting", "restriction": "private", "IncidentID": { "id": "492382", "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [{ "type": "organization", "role": "creator", "Email": [{"EmailTo": "contact@csirt.example.com"}] }] }] } Figure 4: A Minimal Example in JSON A3 # map(3) 67 # text(7) Takahashi, et al. Expires July 6, 2019 [Page 18] Internet-Draft JSON-IODEF January 2019 76657273696F6E # "version" 63 # text(3) 322E30 # "2.0" 64 # text(4) 6C616E67 # "lang" 62 # text(2) 656E # "en" 68 # text(8) 496E636964656E74 # "Incident" 81 # array(1) A5 # map(5) 67 # text(7) 707572706F7365 # "purpose" 69 # text(9) 7265706F7274696E67 # "reporting" 6B # text(11) 7265737472696374696F6E # "restriction" 67 # text(7) 70726976617465 # "private" 6A # text(10) 496E636964656E744944 # "IncidentID" A2 # map(2) 62 # text(2) 6964 # "id" 66 # text(6) 343932333832 # "492382" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 6E # text(14) 47656E65726174696F6E54696D65 # "GenerationTime" C0 # tag(0) 78 19 # text(25) 323031352D30372D31385430393A30303A30302D30353A3030 # "2015-07-18T09:00:00-05:00" 67 # text(7) 436F6E74616374 # "Contact" 81 # array(1) A3 # map(3) 64 # text(4) 74797065 # "type" 6C # text(12) 6F7267616E697A6174696F6E # "organization" 64 # text(4) 726F6C65 # "role" 67 # text(7) 63726561746F72 # "creator" Takahashi, et al. Expires July 6, 2019 [Page 19] Internet-Draft JSON-IODEF January 2019 65 # text(5) 456D61696C # "Email" 81 # array(1) A1 # map(1) 67 # text(7) 456D61696C546F # "EmailTo" 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" Figure 5: A Minimal Example in CBOR 4.2. Indicators from a Campaign An example of C2 domains from a given campaign is shwon below in JSON and CBOR, respectively. { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [{ "ThreatActor": [{ "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "Description": ["Aggressive Butterfly"]}], "Campaign": [{ "CampaignID": ["C-2015-59405"], "Description": ["Orange Giraffe"] }] }], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."], "Assessment": [{ "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] }], "Contact": [{ "type": "organization", "role": "creator", "ContactName": ["CSIRT for example.com"], "Email": [{ Takahashi, et al. Expires July 6, 2019 [Page 20] Internet-Draft JSON-IODEF January 2019 "EmailTo": "contact@csirt.example.com" }] }], "Indicator": [{ "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": ["C2 domains"], "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { "type": "ipv6-addr", "BulkObservableList": "kj290023j09r34.example.com"} } }] }] } Figure 6: Indicators from a Campaign in JSON A3 # map(3) 67 # text(7) 76657273696F6E # "version" 63 # text(3) 322E30 # "2.0" 64 # text(4) 6C616E67 # "lang" 62 # text(2) 656E # "en" 68 # text(8) 496E636964656E74 # "Incident" 81 # array(1) A9 # map(9) 67 # text(7) 707572706F7365 # "purpose" 65 # text(5) 7761746368 # "watch" 6B # text(11) 7265737472696374696F6E # "restriction" 65 # text(5) 677265656E # "green" 6A # text(10) 496E636964656E744944 # "IncidentID" A2 # map(2) 62 # text(2) 6964 # "id" Takahashi, et al. Expires July 6, 2019 [Page 21] Internet-Draft JSON-IODEF January 2019 66 # text(6) 383937393233 # "897923" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 6F # text(15) 52656C617465644163746976697479 # "RelatedActivity" 81 # array(1) A2 # map(2) 6B # text(11) 5468726561744163746F72 # "ThreatActor" 81 # array(1) A2 # map(2) 6D # text(13) 5468726561744163746F724944 # "ThreatActorID" 81 # array(1) 78 1A # text(26) 54412D31322D414747524553534956452D425554544552464 C59 # "TA-12-AGGRESSIVE-BUTTERFLY" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 74 # text(20) 4167677265737369766520427574746572666C79 # "Aggressive Butterfly" 68 # text(8) 43616D706169676E # "Campaign" 81 # array(1) A2 # map(2) 6A # text(10) 43616D706169676E4944 # "CampaignID" 81 # array(1) 6C # text(12) 432D323031352D3539343035 # "C-2015-59405" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 6E # text(14) 4F72616E67652047697261666665 # "Orange Giraffe" 6E # text(14) 47656E65726174696F6E54696D65 # "GenerationTime" C0 # tag(0) 78 19 # text(25) 323031352D31302D30325431313A31383A30302D30353A3030 # "2015-10-02T11:18:00-05:00" 6B # text(11) 4465736372697074696F6E # "Description" Takahashi, et al. Expires July 6, 2019 [Page 22] Internet-Draft JSON-IODEF January 2019 81 # array(1) 78 6F # text(111) 53756D6D6172697A65732074686520496E64696361746F7273206F6620436 F6D70726F6D69736520666F7220746865204F72616E676520476972616666 652063616D706169676E206F6620746865204167677265737369766520427 574746572666C79206372696D652067616E672E # "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." 6A # text(10) 4173736573736D656E74 # "Assessment" 81 # array(1) A1 # map(1) 66 # text(6) 496D70616374 # "Impact" 81 # array(1) A1 # map(1) 6E # text(14) 427573696E657373496D70616374 # "BusinessImpact" A1 # map(1) 64 # text(4) 74797065 # "type" 72 # text(18) 6272656163682D70726F7072696574617279 # "breach-proprietary" 67 # text(7) 436F6E74616374 # "Contact" 81 # array(1) A4 # map(4) 64 # text(4) 74797065 # "type" 6C # text(12) 6F7267616E697A6174696F6E # "organization" 64 # text(4) 726F6C65 # "role" 67 # text(7) 63726561746F72 # "creator" 6B # text(11) 436F6E746163744E616D65 # "ContactName" 81 # array(1) 75 # text(21) 435349525420666F72206578616D706C652E636F6D # "CSIRT for example.com" 65 # text(5) 456D61696C # "Email" 81 # array(1) A1 # map(1) 67 # text(7) 456D61696C546F # "EmailTo" Takahashi, et al. Expires July 6, 2019 [Page 23] Internet-Draft JSON-IODEF January 2019 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" 69 # text(9) 496E64696361746F72 # "Indicator" 81 # array(1) A4 # map(4) 6B # text(11) 496E64696361746F724944 # "IndicatorID" A3 # map(3) 62 # text(2) 6964 # "id" 69 # text(9) 473930383233343930 # "G90823490" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 67 # text(7) 76657273696F6E # "version" 61 # text(1) 31 # "1" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 6A # text(10) 433220646F6D61696E73 # "C2 domains" 69 # text(9) 537461727454696D65 # "StartTime" C0 # tag(0) 78 19 # text(25) 323031342D31322D30325431313A31383A30302D30353A3030 # "2014-12-02T11:18:00-05:00" 6A # text(10) 4F627365727661626C65 # "Observable" A1 # map(1) 6E # text(14) 42756C6B4F627365727661626C65 # "BulkObservable" A2 # map(2) 64 # text(4) 74797065 # "type" 69 # text(9) 697076362D61646472 # "ipv6-addr" 72 # text(18) 42756C6B4F627365727661626C654C697374 # "BulkObservableList" 78 1A # text(26) Takahashi, et al. Expires July 6, 2019 [Page 24] Internet-Draft JSON-IODEF January 2019 6B6A3239303032336A30397233342E6578616D706C652E636F6D # "kj290023j09r34.example.com" Figure 7: Indicators from a Campaign in CBOR 5. The IODEF Data Model (CDDL) start = iodef ;;; iodef.json: IODEF-Document iodef = { version: text ? lang: lang ? format-id: text ? private-enum-name: text ? private-enum-id: text Incident: [+ Incident] ? AdditionalData: [+ ExtensionType] } duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / "year" / "ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDREFType = IDtype URLtype = uri TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*" action = "nothing" / "contact-source-site" / "contact-target-site" / "contact-sender" / "investigate" / "block-host" / "block-network" / "block-port" / "rate-limit-host" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "honeypot" / "upgrade-software" / "rebuild-asset" / "harden-asset" / "remediate-other" / "status-triage" / "status-new-info" / "watch-and-report" / "training" / "defined-coa" / "other" / "ext-value" DATETIME = tdate BYTE = eb64legacy MLStringType = { Takahashi, et al. Expires July 6, 2019 [Page 25] Internet-Draft JSON-IODEF January 2019 value: text ? lang: lang ? translation-id: text } / text PositiveFloatType = float32 .gt 0 PAddressType = MLStringType ExtensionType = { value: text ? name: text dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/ "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" ? ext-dtype: text ? meaning: text ? formatid: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype } SoftwareType = { ? SoftwareReference: SoftwareReference ? URL: [+ URLtype] ? Description: [+ MLStringType] } SoftwareReference = { ? value: text spec-name: "custom" / "cpe" / "swid" / "ext-value" ? ext-spec-name: text ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string" ? ext-dtype: text } Incident = { purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value" ? ext-purpose: text ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / "ext-value" ? ext-status: text ? lang: lang Takahashi, et al. Expires July 6, 2019 [Page 26] Internet-Draft JSON-IODEF January 2019 ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype IncidentID: IncidentID ? AlternativeID: AlternativeID ? RelatedActivity: [+ RelatedActivity] ? DetectTime: DATETIME ? StartTime: DATETIME ? EndTime: DATETIME ? RecoveryTime: DATETIME ? ReportTime: DATETIME GenerationTime: DATETIME ? Description: [+ MLStringType] ? Discovery: [+ Discovery] ? Assessment: [+ Assessment] ? Method: [+ Method] Contact: [+ Contact] ? EventData: [+ EventData] ? Indicator: [+ Indicator] ? History: History ? AdditionalData: [+ ExtensionType] } IncidentID = { id: text name: text ? instance: text ? restriction: restriction .default "private" ? ext-restriction: text } AlternativeID = { ? restriction: restriction .default "private" ? ext-restriction: text IncidentID: [+ IncidentID] } RelatedActivity = { ? restriction: restriction .default "private" ? ext-restriction: text ? IncidentID: [+ IncidentID] ? URL: [+ URLtype] ? ThreatActor: [+ ThreatActor] ? Campaign: [+ Campaign] ? IndicatorID: [+ IndicatorID] ? Confidence: Confidence ? Description: [+ text] ? AdditionalData: [+ ExtensionType] Takahashi, et al. Expires July 6, 2019 [Page 27] Internet-Draft JSON-IODEF January 2019 } ThreatActor = { ? restriction: restriction .default "private" ? ext-restriction: text ? ThreatActorID: [+ text] ? URL: [+ URLtype] ? Description: [+ MLStringType] ? AdditionalData: [+ ExtensionType] } Campaign = { ? restriction: restriction .default "private" ? ext-restriction: text ? CampaignID: [+ text] ? URL: [+ URLtype] ? Description: [+ MLStringType] ? AdditionalData: [+ ExtensionType] } Contact = { role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" / "victim" / "victim-notified" / "ext-value" ? ext-role: text type: "person" / "organization" / "ext-value" ? ext-type: text ? restriction: restriction .default "private" ? ext-restriction: text ? ContactName: [+ MLStringType] ? ContactTitle: [+ MLStringType] ? Description: [+ MLStringType] ? RegistryHandle: [+ RegistryHandle] ? PostalAddress: [+ PostalAddress] ? Email: [+ Email] ? Telephone: [+ Telephone] ? Timezone: TimeZonetype ? Contact: [+ Contact] ? AdditionalData: [+ ExtensionType] } RegistryHandle = { handle: text registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / "local" / "ext-value" ? ext-registry: text } Takahashi, et al. Expires July 6, 2019 [Page 28] Internet-Draft JSON-IODEF January 2019 PostalAddress = { ? type: "street" / "mailing" / "ext-value" ? ext-type: text PAddress: PAddressType ? Description: [+ MLStringType] } Email = { ? type: "direct" / "hotline" / "ext-value" ? ext-type: text EmailTo: text ? Description: [+ MLStringType] } Telephone = { ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? ext-type: text TelephoneNumber: text ? Description: [+ MLStringType] } Discovery = { ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / "incident" / "os-log" / "application-log" / "device-log" / "network-flow" / "passive-dns" / "investigation" / "audit" / "internal-notification" / "external-notification" / "leo" / "partner" / "actor" / "unknown" / "ext-value" ? ext-source: text ? restriction: restriction .default "private" ? ext-restriction: text ? Description: [+ MLStringType] ? Contact: [+ Contact] ? DetectionPattern: [+ DetectionPattern] } DetectionPattern = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype (Description: [+ MLStringType] // DetectionConfiguration: [+ text]) Application: SoftwareType } Method = { ? restriction: restriction .default "private" ? ext-restriction: text ? Reference: [+ Reference] ? Description: [+ MLStringType] Takahashi, et al. Expires July 6, 2019 [Page 29] Internet-Draft JSON-IODEF January 2019 ? AttackPattern: [+ StructuredInfo] ? Vulnerability: [+ StructuredInfo] ? Weakness: [+ StructuredInfo] ? AdditionalData: [+ ExtensionType] } StructuredInfo = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? (RawData: [+ BYTE] // Reference:[+ Reference]) ? Platform:[+ Platform] ? Scoring:[+ Scoring] } Platform = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? RawData: [+ BYTE] ? Reference: [+ Reference] } Scoring = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? RawData: [+ BYTE] ? Reference: [+ Reference] } Reference = { ? observable-id: IDtype ? ReferenceName: ReferenceName ? URL: [+ URLtype] ? Description: [+ MLStringType] } ReferenceName = { specIndex: integer ID: IDtype } Assessment = { ? occurrence: "actual" / "potential" ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype ? IncidentCategory: [+ MLStringType] Impact: [+ {SystemImpact: SystemImpact} / Takahashi, et al. Expires July 6, 2019 [Page 30] Internet-Draft JSON-IODEF January 2019 {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}] ? Counter: [+ Counter] ? MitigatingFactor: [+ MLStringType] ? Cause: [+ MLStringType] ? Confidence: Confidence ? AdditionalData: [+ ExtensionType] } SystemImpact = { ? severity: "low" / "medium" / "high" ? completion: "failed" / "succeeded" type: "takeover-account" / "takeover-service" / "takeover-system" / "cps-manipulation" / "cps-damage" / "availability-data" / "availability-account" / "availability-service" / "availability-system" / "damaged-system" / "damaged-data" / "breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-configuration" / "integrity-data" / "integrity-configuration" / "integrity-hardware" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host"/ "policy" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ MLStringType] } BusinessImpact = { ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown" ? ext-severity: text type: "breach-proprietary" / "breach-privacy" / "breach-credential" / "loss-of-integrity" / "loss-of-service" / "theft-financial" / "theft-service" / "degraded-reputation" / "asset-damage" / "asset-manipulation" / "legal" / "extortion" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ MLStringType] } TimeImpact = { value: PositiveFloatType ? severity: "low" / "medium" / "high" metric: "labor" / "elapsed" / "downtime" / "ext-value" ? ext-metric: text ? duration: duration .default "hour" ? ext-duration: text } Takahashi, et al. Expires July 6, 2019 [Page 31] Internet-Draft JSON-IODEF January 2019 MonetaryImpact = { value: PositiveFloatType ? severity: "low" / "medium" / "high" ? currency: text } Confidence = { value: float32 rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" ? ext-rating: text } History = { ? restriction: restriction .default "private" ? ext-restriction: text HistoryItem: [+ HistoryItem] } HistoryItem = { action: action .default "other" ? ext-action: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype DateTime: DATETIME ? IncidentID: IncidentID ? Contact: Contact ? Description: [+ MLStringType] ? DefinedCOA: [+ text] ? AdditionalData: [+ ExtensionType] } EventData = { ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype ? Description: [+ MLStringType] ? DetectTime: DATETIME ? StartTime: DATETIME ? EndTime: DATETIME ? RecoveryTime: DATETIME ? ReportTime: DATETIME ? Contact: [+ Contact] ? Discovery: [+ Discovery] ? Assessment: Assessment ? Method: [+ Method] ? System: [+ System] ? Expectation: [+ Expectation] Takahashi, et al. Expires July 6, 2019 [Page 32] Internet-Draft JSON-IODEF January 2019 ? RecordData: [+ RecordData] ? EventData: [+ EventData] ? AdditionalData: [+ ExtensionType] } Expectation = { ? action: action .default "other" ? ext-action: text ? severity: "low" / "medium" / "high" ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype ? Description: [+ MLStringType] ? DefinedCOA: [+ text] ? StartTime: DATETIME ? EndTime: DATETIME ? Contact: Contact } System = { ? category: "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value" ? ext-category: text ? interface: text ? spoofed: "unknown" / "yes" / "no" .default "unknown" ? virtual: "yes" / "no" / "unknown" .default "unknown" ? ownership: "organization" / "personal" / "partner" / "customer" / "no-relationship" / "unknown" / "ext-value" ? ext-ownership: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Node: Node ? NodeRole: [+ NodeRole] ? Service: [+ Service] ? OperatingSystem: [+ SoftwareType] ? Counter: [+ Counter] ? AssetID: [+ text] ? Description: [+ MLStringType] ? AdditionalData: [+ ExtensionType] } Node = { (DomainData:[+ DomainData] ? Address:[+ Address] // ? DomainData:[+ DomainData] Address:[+ Address]) ? PostalAddress: PostalAddress Takahashi, et al. Expires July 6, 2019 [Page 33] Internet-Draft JSON-IODEF January 2019 ? Location: [+ MLStringType] ? Counter: [+ Counter] } Address = { value: text category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / "ext-value" .default "ipv6-addr" ? ext-category: text ? vlan-name: text ? vlan-num: integer ? observable-id: IDtype } NodeRole = { category: "client" / "client-enterprise" / "client-partner" / "client-remote" / "client-kiosk" / "client-mobile" / "server-internal" / "server-public" / "www" / "mail" / "webmail" / "messaging" / "streaming" / "voice" / "file" / "ftp" / "p2p" / "name" / "directory" / "credential" / "print" / "application" / "database" / "backup" / "dhcp" / "assessment" / "source-control" / "config-management" / "monitoring" / "infra" / "infra-firewall" / "infra-router" / "infra-switch" / "camera" / "proxy" / "remote-access" / "log" / "virtualization" / "pos" / "scada" / "scada-supervisory" / "sinkhole" / "honeypot" / "anomyzation" / "c2-server" / "malware-distribution" / "drop-server" / "hop-point" / "reflector" / "phishing-site" / "spear-phishing-site" / "recruiting-site" / "fraudulent-site" / "ext-value" ? ext-category: text ? Description: [+ MLStringType] } Counter = { value: float32 type: "count" / "peak" / "average" / "ext-value" ? ext-type: text unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / "message" / "event" / "host" / "site" / "organization" / "ext-value" ? ext-unit: text ? meaning: text ? duration: duration .default "hour" ? ext-duration: text } Takahashi, et al. Expires July 6, 2019 [Page 34] Internet-Draft JSON-IODEF January 2019 DomainData = { system-status: "spoofed" / "fraudulent" / "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value" ? ext-system-status: text domain-status: "reservedDelegation" / "assignedAndActive" / "assignedAndInactive" / "assignedAndOnHold" / "revoked" / "transferPending" / "registryLock" / "registrarLock" / "other" / "unknown" / "ext-value" ? ext-domain-status: text ? observable-id: IDtype Name: text ? DateDomainWasChecked: DATETIME ? RegistrationDate: DATETIME ? ExpirationDate: DATETIME ? RelatedDNS: [+ ExtensionType] ? NameServers: [+ NameServers] ? DomainContacts: DomainContacts } NameServers = { Server: text Address: [+ Address] } DomainContacts = { (SameDomainContact: text // Contact: [+ Contact]) } Service = { ? ip-protocol: integer ? observable-id: IDtype ? ServiceName: ServiceName ? Port: integer ? Portlist: PortlistType ? ProtoCode: integer ? ProtoType: integer ? ProtoField: integer ? ApplicationHeaderField: [+ ExtensionType] ? EmailData: EmailData ? Application: SoftwareType } ServiceName = { ? IANAService: text ? URL: [+ URLtype] ? Description: [+ MLStringType] } Takahashi, et al. Expires July 6, 2019 [Page 35] Internet-Draft JSON-IODEF January 2019 EmailData = { ? observable-id: IDtype ? EmailTo: [+ text] ? EmailFrom: text ? EmailSubject: text ? EmailX-Mailer: text ? EmailHeaderField: [+ ExtensionType] ? EmailHeaders: text ? EmailBody: text ? EmailMessage: text ? HashData: [+ HashData] ? Signature: [+ BYTE] } RecordData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype ? DateTime: DATETIME ? Description: [+ MLStringType] ? Application: SoftwareType ? RecordPattern: [+ RecordPattern] ? RecordItem: [+ ExtensionType] ? URL: [+ URLtype] ? FileData: [+ FileData] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? CertificateData: [+ CertificateData] ? AdditionalData: [+ ExtensionType] } RecordPattern = { value: text type: "regex" / "binary" / "xpath" / "ext-value" .default "regex" ? ext-type: text ? offset: integer ? offsetunit: "line" / "byte" / "ext-value" .default "line" ? ext-offsetunit: text ? instance: integer } WindowsRegistryKeysModified = { ? observable-id: IDtype Key: [+ Key] } Key = { ? registryaction: "add-key" / "add-value" / "delete-key" / "delete-value" / "modify-key" / "modify-value" / Takahashi, et al. Expires July 6, 2019 [Page 36] Internet-Draft JSON-IODEF January 2019 "ext-value" ? ext-registryaction: text ? observable-id: IDtype KeyName: text ? KeyValue: text } CertificateData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Certificate: [+ Certificate] } Certificate = { ? observable-id: IDtype X509Data: BYTE ? Description: [+ MLStringType] } FileData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype File: [+ File] } File = { ? observable-id: IDtype ? FileName: text ? FileSize: integer ? FileType: text ? URL: [+ URLtype] ? HashData: HashData ? Signature: [+ BYTE] ? AssociatedSoftware: SoftwareType ? FileProperties: [+ ExtensionType] } HashData = { scope: "file-contents" / "file-pe-section" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" / "email-hash" / "email-headers-hash" / "email-body-hash" / "ext-value" ? HashTargetID: text ? Hash: [+ Hash] ? FuzzyHash: [+ FuzzyHash] } Takahashi, et al. Expires July 6, 2019 [Page 37] Internet-Draft JSON-IODEF January 2019 Hash = { DigestMethod: BYTE DigestValue: BYTE ? CanonicalizationMethod: BYTE ? Application: SoftwareType } FuzzyHash = { FuzzyHashValue: [+ ExtensionType] ? Application: SoftwareType ? AdditionalData: [+ ExtensionType] } Indicator = { ? restriction: restriction .default "private" ? ext-restriction: text IndicatorID: IndicatorID ? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? Description: [+ MLStringType] ? StartTime: DATETIME ? EndTime: DATETIME ? Confidence: Confidence ? Contact: [+ Contact] (Observable: Observable // uid-ref: IDREFType // IndicatorExpression: IndicatorExpression // IndicatorReference: IndicatorReference) ? NodeRole: [+ NodeRole] ? AttackPhase: [+ AttackPhase] ? Reference: [+ Reference] ? AdditionalData: [+ ExtensionType] } IndicatorID = { id: IDtype name: text version: text } AlternativeIndicatorID = { ? restriction: restriction .default "private" ? ext-restriction: text IndicatorID: [+ IndicatorID] } Observable = { ? restriction: restriction .default "private" ? ext-restriction: text ? (System: System // Address: Address // DomainData: DomainData // Takahashi, et al. Expires July 6, 2019 [Page 38] Internet-Draft JSON-IODEF January 2019 EmailData: EmailData // Service: Service // WindowsRegistryKeysModified: WindowsRegistryKeysModified // FileData: FileData // CertificateData: CertificateData // RegistryHandle: RegistryHandle // RecordData: RecordData // EventData: EventData // Incident: Incident // Expectation: Expectation // Reference: Reference // Assessment: Assessment // DetectionPattern: DetectionPattern // HistoryItem: HistoryItem // BulkObservable: BulkObservable // AdditionalData: [+ ExtensionType]) } BulkObservable = { ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" / "email-x-mailer" / "email-subject" / "http-user-agent" / "http-request-uri" / "mutex" / "file-path" / "user-name" / "ext-value" ? ext-type: text ? BulkObservableFormat: BulkObservableFormat BulkObservableList: text ? AdditionalData: [+ ExtensionType] } BulkObservableFormat = { (Hash: Hash // AdditionalData: [+ ExtensionType]) } IndicatorExpression = { ? operator: "not" / "and" / "or" / "xor" .default "and" ? ext-operator: text ? IndicatorExpression: [+ IndicatorExpression] ? Observable: [+ Observable] ? uid-ref: [+ IDREFType] ? IndicatorReference: [+ IndicatorReference] ? Confidence: Confidence ? AdditionalData: [+ ExtensionType] } IndicatorReference = { (uid-ref: IDREFType // euid-ref: text) ? version: text } AttackPhase = { ? AttackPhaseID: [+ text] Takahashi, et al. Expires July 6, 2019 [Page 39] Internet-Draft JSON-IODEF January 2019 ? URL: [+ URLtype] ? Description: [+ MLStringType] ? AdditionalData: [+ ExtensionType] } Figure 8: Data Model in CDDL 6. IANA Considerations This document registers an IODEF data model in CDDL. See Section 5. 7. Security Considerations This memo does not provide any further security considerations than the one described in [RFC7970]. 8. Acknowledgements We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki Morita, and Takahiko Nagata for their insightful comments on CDDL. 9. References 9.1. Normative References [cddlspec] Henk Birkholz, Christoph Vigano, and Carsten Bormann, "Concise data definition language (CDDL): a notational convention to express CBOR and JSON data structuresy", 2018. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, DOI 10.17487/RFC7203, April 2014, . [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, . Takahashi, et al. Expires July 6, 2019 [Page 40] Internet-Draft JSON-IODEF January 2019 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 9.2. Informative References [jsonschema] Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema: core definitions and terminology", 2013. Appendix A. Data Types used in this document The CDDL prelude used in this document is mapped to JSON as shown in the table below. +-----------------+-------------------+----------------------------+ | CDDL Prelude | Use of JSON | Instance | Validation | +-----------------+-------------------+----------------------------+ | bytes | n/a | string | tool available | | text | string | string | unnecessary | | tdate | n/a | string | 7.3.1 date-time | | integer | n/a | number | integer | | eb64legacy | n/a | string | tool available | | uri | n/a | string | 7.3.6 uri | | float32 | float32 | number | unnecessary | +-----------------+-------------------+----------------------------+ Figure 9: CDDL Prelude mapping in JSON Appendix B. The IODEF Data Model (JSON Schema) This section provides a JSON schema that defines the IODEF Data Model defined in this draft. { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site", "contact-target-site","contact-sender","investigate", "block-host","block-network","block-port","rate-limit-host", "rate-limit-network","rate-limit-port","redirect-traffic", "honeypot","upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","other", "ext-value"]}, "duration":{"enum":["second","minute","hour","day","month", "quarter","year","ext-value"]}, "SpecID":{ "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, Takahashi, et al. Expires July 6, 2019 [Page 41] Internet-Draft JSON-IODEF January 2019 "lang": { "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "purpose": {"enum": ["traceback","mitigation","reporting","watch", "other","ext-value"]}, "restriction":{"enum":["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved", "future","ext-value"]}, "DATETIME": {"type": "string","format": "date-time"}, "BYTE": {"type": "string"}, "PortlistType": { "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"}, "TimeZonetype": { "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "URLtype": { "type": "string", "pattern": "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "IDREFType": {"$ref": "#/definitions/IDtype"}, "MLStringType": { "oneOf": [{"type": "string"}, {"type": "object", "properties": { "value": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "translation-id": {"type": "string"}}, "required": ["value"], "additionalProperties":false}]}, "PositiveFloatType": {"type": "number","minimum": 0}, "PAddressType": {"$ref": "#/definitions/MLStringType"}, "ExtensionType": { "type": "object", "properties": { "value": {"type": "string"}, "name": {"type": "string"}, "dtype":{"enum":["boolean","byte","bytes","character", "json", "date-time","ntpstamp","integer","portlist","real","string", "file","path","frame","packet","ipv4-packet","ipv6-packet", "url", "csv","winreg","xml","ext-value"],"default": "string"}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": { "$ref": "#/definitions/restriction","default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","dtype"], Takahashi, et al. Expires July 6, 2019 [Page 42] Internet-Draft JSON-IODEF January 2019 "additionalProperties":false}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype", "minItems": 1}}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1 }}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "ext-spec-name": {"type": "string"}, "dtype": {"enum": ["bytes","integer","real","string","xml", "ext-value"] , "default": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, "StructuredInfo": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1 }, "Platform": { "type": "array", Takahashi, et al. Expires July 6, 2019 [Page 43] Internet-Draft JSON-IODEF January 2019 "items": {"$ref": "#/definitions/Platform"}, "minItems": 1 }, "Scoring": { "type": "array", "items": {"$ref": "#/definitions/Scoring"}, "minItems": 1}}, "allOf": [ {"required": ["SpecID"]}, {"anyOf": [ {"oneOf": [ {"required":["Reference"]}, {"required":["RawData"]}]}, { "not" : {"required":["Reference", "RawData"]}}]}], "additionalProperties": false}, "Platform": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Scoring": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], Takahashi, et al. Expires July 6, 2019 [Page 44] Internet-Draft JSON-IODEF January 2019 "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array", "items": {"$ref": "#/definitions/RelatedActivity"}, "minItems": 1}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": { "type": "array", "items": {"$ref": "#/definitions/Assessment"}, "minItems": 1}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "EventData": { Takahashi, et al. Expires July 6, 2019 [Page 45] Internet-Draft JSON-IODEF January 2019 "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "Indicator": { "type": "array", "items": {"$ref": "#/definitions/Indicator"}, "minItems": 1}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IncidentID","GenerationTime","Contact","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["id","name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { "type": "array", "items":{"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IncidentID": { "type": "array", "items": {"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "URL": { Takahashi, et al. Expires July 6, 2019 [Page 46] Internet-Draft JSON-IODEF January 2019 "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "ThreatActor": { "type": "array", "items": {"$ref": "#/definitions/ThreatActor"}, "minItems": 1}, "Campaign": { "type": "array", "items": {"$ref": "#/definitions/Campaign"}, "minItems": 1}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ThreatActorID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "CampaignID": { "type": "array", Takahashi, et al. Expires July 6, 2019 [Page 47] Internet-Draft JSON-IODEF January 2019 "items": {"type": "string"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum":["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ContactName": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "ContactTitle": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "RegistryHandle": { "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}, "minItems": 1}, "PostalAddress": { "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}, "minItems": 1}, "Email": { "type": "array", "items": {"$ref": "#/definitions/Email"}, Takahashi, et al. Expires July 6, 2019 [Page 48] Internet-Draft JSON-IODEF January 2019 "minItems": 1}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}, "minItems": 1}, "Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "local","ext-value"]}, "ext-registry": {"type": "string"}}, "required": ["handle","registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": { "enum": ["street","mailing","ext-value"]}, "ext-type": {"type": "string"}, "PAddress": {"$ref": "#/definitions/PAddressType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["EmailTo"], Takahashi, et al. Expires July 6, 2019 [Page 49] Internet-Draft JSON-IODEF January 2019 "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "DetectionPattern": { "type":"array", "items":{"$ref":"#/definitions/DetectionPattern"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, Takahashi, et al. Expires July 6, 2019 [Page 50] Internet-Draft JSON-IODEF January 2019 "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}, "minItems": 1}}, "allOf": [ {"required": ["Application"]}, {"oneOf": [ {"required":["Description"]}, {"required":["DetectionConfiguration"]}]}], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AttackPattern": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "Vulnerability": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "Weakness": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, Takahashi, et al. Expires July 6, 2019 [Page 51] Internet-Draft JSON-IODEF January 2019 "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, "URL":{ "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "ReferenceName" : { "type": "object", "properties": { "specIndex": {"type": "number"}, "ID": {"$ref":"#/definitions/IDtype"}}, "required": ["specIndex","ID"], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Impact": { "type": "array", "items": { "properties": { "SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, "additionalProperties":false}, "minItems" : 1 }, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "MitigatingFactor": { "type": "array", Takahashi, et al. Expires July 6, 2019 [Page 52] Internet-Draft JSON-IODEF January 2019 "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Cause": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Impact"], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { "severity": {"enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { "enum":["takeover-account","takeover-service", "takeover-system","cps-manipulation","cps-damage", "availability-data","availability-account", "availability-service","availability-system", "damaged-system","damaged-data","breach-proprietary", "breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic", "monitoring-host","policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity": {"enum":["none","low","medium","high","unknown", "ext-value"],"default": "unknown"}, "ext-severity": {"type":"string"}, "type": {"enum":["breach-proprietary","breach-privacy", "breach-credential","loss-of-integrity","loss-of-service", "theft-financial","theft-service","degraded-reputation", "asset-damage","asset-manipulation","legal","extortion", "unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, Takahashi, et al. Expires July 6, 2019 [Page 53] Internet-Draft JSON-IODEF January 2019 "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, "required": ["value","metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, "required": ["value"], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, "rating": {"enum": ["low","medium","high","numeric","unknown", "ext-value"]}, "ext-rating": {"type":"string"}}, "required": ["value","rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array", "items": {"$ref": "#/definitions/HistoryItem"}, "minItems": 1}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action": {"$ref": "#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, Takahashi, et al. Expires July 6, 2019 [Page 54] Internet-Draft JSON-IODEF January 2019 "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array", "items": { "$ref":"#/definitions/MLStringType"}}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "System": { "type": "array", "items": {"$ref": "#/definitions/System"}, Takahashi, et al. Expires July 6, 2019 [Page 55] Internet-Draft JSON-IODEF January 2019 "minItems": 1}, "Expectation": { "type": "array", "items": {"$ref": "#/definitions/Expectation"}, "minItems": 1}, "RecordData": { "type": "array", "items": {"$ref": "#/definitions/RecordData"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Expectation": { "type": "object", "properties": { "action": {"$ref":"#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "default"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor", "infrastructure","ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, Takahashi, et al. Expires July 6, 2019 [Page 56] Internet-Draft JSON-IODEF January 2019 "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "Service": { "type": "array", "items": {"$ref": "#/definitions/Service"}, "minItems": 1}, "OperatingSystem": { "type": "array", "items": {"$ref": "#/definitions/SoftwareType"}, "minItems": 1}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "AssetID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array", "items": {"$ref": "#/definitions/DomainData"}, "minItems": 1}, "Address": { "type": "array", "items": {"$ref": "#/definitions/Address"}, "minItems": 1}, Takahashi, et al. Expires July 6, 2019 [Page 57] Internet-Draft JSON-IODEF January 2019 "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, "Location": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Counter": { "type":"array", "items":{"$ref":"#/definitions/Counter"}, "minItems": 1}}, "anyOf": [ {"required": ["DomainData"]}, {"required": ["Address"]} ], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": { "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-uri","ext-value"], "default": "ipv6-addr"}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","client-partner", "client-remote","client-kiosk","client-mobile", "server-internal","server-public","www","mail","webmail", "messaging","streaming","voice","file","ftp","p2p","name", "directory","credential","print","application","database", "backup","dhcp","assessment","source-control", "config-management","monitoring","infra","infra-firewall", "infra-router","infra-switch","camera","proxy", "remote-access","log","virtualization","pos", "scada", "scada-supervisory","sinkhole","honeypot","anomyzation", "c2-server","malware-distribution","drop-server", "hop-point","reflector","phishing-site", "spear-phishing-site","recruiting-site","fraudulent-site", "ext-value"]}, "ext-category": {"type": "string"}, Takahashi, et al. Expires July 6, 2019 [Page 58] Internet-Draft JSON-IODEF January 2019 "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "number"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit":{"enum":["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, "required": ["value","type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { "enum": [ "reservedDelegation","assignedAndActive", "assignedAndInactive","assignedAndOnHold","revoked", "transferPending","registryLock","registrarLock", "other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "NameServers": { "type": "array", "items": {"$ref": "#/definitions/NameServers"}, "minItems": 1}, "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, "required": ["Name","system-status","domain-status"], Takahashi, et al. Expires July 6, 2019 [Page 59] Internet-Draft JSON-IODEF January 2019 "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": { "type":"array", "items":{"$ref":"#/definitions/Address"}, "minItems": 1}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, "Contact": { "type":"array", "items":{"$ref":"#/definitions/Contact"}, "minItems": 1}}, "oneOf": [ {"required": ["SameDomainContact"]}, {"required": ["Contact"]}], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "number"}, "Portlist": {"$ref": "#/definitions/PortlistType"}, "ProtoCode": {"type": "number"}, "ProtoType": {"type": "number"}, "ProtoField": {"type": "number"}, "ApplicationHeaderField":{ "$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": { "type": "array", Takahashi, et al. Expires July 6, 2019 [Page 60] Internet-Draft JSON-IODEF January 2019 "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array", "items": {"$ref": "#/definitions/HashData"}, "minItems": 1}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array", "items": {"$ref": "#/definitions/RecordPattern"}, Takahashi, et al. Expires July 6, 2019 [Page 61] Internet-Draft JSON-IODEF January 2019 "minItems": 1}, "RecordItem": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "FileData": { "type": "array", "items": {"$ref": "#/definitions/FileData"}, "minItems": 1}, "WindowsRegistryKeysModified": { "type": "array", "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, "minItems": 1}, "CertificateData": { "type":"array", "items":{"$ref":"#/definitions/CertificateData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["regex","binary","xpath","ext-value"], "default": "regex"}, "ext-type": {"type": "string"}, "offset": {"type": "number"}, "offsetunit": {"enum":["line","byte","ext-value"] , "default": "line"}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "number"}}, "required": ["value","type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "Key": { "type": "array", "items": {"$ref": "#/definitions/Key"}, "minItems": 1}}, "required": ["Key"], "additionalProperties": false}, Takahashi, et al. Expires July 6, 2019 [Page 62] Internet-Draft JSON-IODEF January 2019 "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array", "items": {"$ref": "#/definitions/Certificate"}, "minItems": 1}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {"$ref": "#/definitions/BYTE"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["X509Data"], "additionalProperties": false}, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": { "type": "array", "items": {"$ref": "#/definitions/File"}, "minItems": 1}}, "required": ["File"], "additionalProperties": false}, Takahashi, et al. Expires July 6, 2019 [Page 63] Internet-Draft JSON-IODEF January 2019 "File": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "FileName": {"type": "string"}, "FileSize": {"type": "number"}, "FileType": {"type": "string"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "HashData": {"$ref": "#/definitions/HashData"}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type":"array", "items":{"$ref":"#/definitions/ExtensionType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", "properties": { "scope": {"enum": ["file-contents","file-pe-section", "file-pe-iat","file-pe-resource","file-pdf-object", "email-hash","email-headers-hash","email-body-hash", "ext-value"]}, "HashTargetID": {"type": "string"}, "Hash": { "type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1}, "FuzzyHash": { "type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"$ref": "#/definitions/BYTE"}, "DigestValue": {"$ref": "#/definitions/BYTE"}, "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, Takahashi, et al. Expires July 6, 2019 [Page 64] Internet-Draft JSON-IODEF January 2019 "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Observable": {"$ref": "#/definitions/Observable"}, "uid-ref": {"$ref": "#/definitions/IDREFType"}, "IndicatorExpression":{ "$ref":"#/definitions/IndicatorExpression"}, "IndicatorReference":{ "$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "AttackPhase": { "type": "array", "items": {"$ref": "#/definitions/AttackPhase"}, Takahashi, et al. Expires July 6, 2019 [Page 65] Internet-Draft JSON-IODEF January 2019 "minItems": 1}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "allOf": [ {"required": ["IndicatorID"]}, {"oneOf": [ {"required":["Observable"]}, {"required":["uid-ref"]}, {"required":["IndicatorExpression"]}, {"required":["IndicatorReference"]}]}], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, "required": ["id","name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}}, "required": ["IndicatorID"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, Takahashi, et al. Expires July 6, 2019 [Page 66] Internet-Draft JSON-IODEF January 2019 "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RecordData": {"$ref": "#/definitions/RecordData"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required":["System"]}, {"required":["Address"]}, {"required":["DomainData"]}, {"required":["EmailData"]}, {"required":["Service"]}, {"required":["WindowsRegistryKeysModified"]}, {"required":["FileData"]}, {"required":["CertificateData"]}, {"required":["RegistryHandle"]}, {"required":["RecordData"]}, {"required":["EventData"]}, {"required":["Incident"]}, {"required":["Expectation"]}, {"required":["Reference"]}, {"required":["Assessment"]}, {"required":["DetectionPattern"]}, {"required":["HistoryItem"]}, {"required":["BulkObservable"]}, {"required":["AdditionalData"]}], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "mac","site-uri","domain-name","domain-to-ipv4", "domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "windows-reg-key","file-hash","email-x-mailer", "email-subject","http-user-agent","http-request-url", "mutex","file-path","user-name","ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormat":{ "$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "string"}, Takahashi, et al. Expires July 6, 2019 [Page 67] Internet-Draft JSON-IODEF January 2019 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["BulkObservableList"], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required": ["Hash"]}, {"required": ["AdditionalData"]} ], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator": {"enum": ["not","and","or","xor"],"default": "and"}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}, "minItems": 1}, "Observable": { "type": "array", "items": {"$ref": "#/definitions/Observable"}, "minItems": 1}, "uid-ref": { "type": "array", "items": {"$ref": "#/definitions/IDREFType"}, "minItems": 1}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}, "minItems": 1}, "Confidence": {"$ref":"#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"$ref":"#/definitions/IDREFType"}, "euid-ref": {"type": "string"}, "version": {"type": "string"}}, "oneOf": [ {"required": ["uid-ref"]}, {"required": ["euid-ref"]} ], Takahashi, et al. Expires July 6, 2019 [Page 68] Internet-Draft JSON-IODEF January 2019 "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type": "array", "items": {"$ref": "#/definitions/Incident"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} Figure 10: JSON schema Authors' Addresses Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Takahashi, et al. Expires July 6, 2019 [Page 69] Internet-Draft JSON-IODEF January 2019 Roman Danyliw CERT, Software Engineering Institute, Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA USA Email: rdd@cert.org Mio Suzuki National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp Takahashi, et al. Expires July 6, 2019 [Page 70]