idnits 2.17.1

draft-ietf-mile-jsoniodef-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 97 instances of too long lines in the document, the longest
     one being 49 characters in excess of 72.

  ** The abstract seems to contain references ([RFC7970]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (November 10, 2017) is 2360 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 244, but not defined

  == Missing Reference: '0-4' is mentioned on line 244, but not defined

  == Missing Reference: '0-5' is mentioned on line 244, but not defined

  == Missing Reference: 'RFC4519' is mentioned on line 262, but not defined

  == Missing Reference: 'RFC5322' is mentioned on line 277, but not defined

  == Missing Reference: 'RFC6531' is mentioned on line 277, but not defined

  == Missing Reference: 'RFC3986' is mentioned on line 285, but not defined

  == Unused Reference: 'DOMINATION' is defined on line 2614, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2629' is defined on line 2618, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3552' is defined on line 2622, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5226' is defined on line 2627, but no explicit
     reference was found in the text

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

     Summary: 2 errors (**), 0 flaws (~~), 12 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2  MILE                                                     T. Takahashi
3  Internet-Draft                                              M. Suzuki
4  Intended status: Standards Track                                 NICT
5  Expires: May 14, 2018                               November 10, 2017

7                          JSON binding of IODEF
8                      draft-ietf-mile-jsoniodef-01

10  Abstract

12     RFC 7970 [RFC7970] provides an XML-based data representation of incident
13     information, but the use of the IODEF data model is not limited to
14     XML. A JSON representation is sometimes preferred since it is easy to
15     handle in certain programming environments. This draft represents
16     the IODEF data model in JSON.

18  Status of This Memo

20     This Internet-Draft is submitted in full conformance with the
21     provisions of BCP 78 and BCP 79.

23     Internet-Drafts are working documents of the Internet Engineering
24     Task Force (IETF). Note that other groups may also distribute
25     working documents as Internet-Drafts. The list of current
26     Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

28     Internet-Drafts are draft documents valid for a maximum of six months
29     and may be updated, replaced, or obsoleted by other documents at any
30     time. It is inappropriate to use Internet-Drafts as reference
31     material or to cite them other than as "work in progress."

33     This Internet-Draft will expire on May 14, 2018.

35  Copyright Notice

37     Copyright (c) 2017 IETF Trust and the persons identified as the
38     document authors. All rights reserved.

40     This document is subject to BCP 78 and the IETF Trust's Legal
41     Provisions Relating to IETF Documents
42     (https://trustee.ietf.org/license-info) in effect on the date of
43     publication of this document. Please review these documents
44     carefully, as they describe your rights and restrictions with respect
45     to this document. Code Components extracted from this document must
46     include Simplified BSD License text as described in Section 4.e of
47     the Trust Legal Provisions and are provided without warranty as
48     described in the Simplified BSD License.

50  Table of Contents

52     1.  Introduction
53       1.1.  Requirements Language
54     2.  IODEF Data Types
55       2.1.  Integers
56       2.2.  Real Numbers
57       2.3.  Characters and Strings
58       2.4.  Multilingual Strings
59       2.5.  Binary Strings
60         2.5.1.  Base64 Bytes
61         2.5.2.  Hexadecimal Bytes
62       2.6.  Enumerated Types
63       2.7.  Date-Time String
64       2.8.  Timezone String
65       2.9.  Port Lists
66       2.10. Postal Address
67       2.11. Telephone Number
68       2.12. Email String
69       2.13. Uniform Resource Locator Strings
70       2.14. Identifiers and Identifier References
71       2.15. Software
72       2.16. StructuredInfo
73     3.  The IODEF Information Model in JSON
74       3.1.  IODEF-Document Class
75       3.2.  Incident Class
76       3.3.  Common Attributes
77         3.3.1.  restriction Attribute
78         3.3.2.  observable-id Attribute
79       3.4.  IncidentID Class
80       3.5.  AlternativeID Class
81       3.6.  RelatedActivity Class
82       3.7.  ThreatActor Class
83       3.8.  Campaign Class
84       3.9.  Contact Class
85         3.9.1.  RegistryHandle Class
86         3.9.2.  PostalAddress Class
87         3.9.3.  Email Class
88         3.9.4.  Telephone Class
89       3.10. Discovery Class
90         3.10.1.  DetectionPattern Class
91       3.11. Method Class
92         3.11.1.  Reference Class
93       3.12. Assessment Class
94         3.12.1.  SystemImpact Class
95         3.12.2.  BusinessImpact Class
96         3.12.3.  TimeImpact Class
97         3.12.4.  MonetaryImpact Class
98         3.12.5.  Confidence Class
99       3.13. History Class
100         3.13.1.  HistoryItem Class
101       3.14. EventData Class
102       3.15. Expectation Class
103       3.16. System Class
104       3.17. Node Class
105         3.17.1.  Address Class
106         3.17.2.  NodeRole Class
107         3.17.3.  Counter Class
108       3.18. DomainData Class
109         3.18.1.  Nameserver Class
110         3.18.2.  DomainContacts Class
111       3.19. Service Class
112         3.19.1.  ServiceName Class
113         3.19.2.  ApplicationHeader Class
114       3.20. EmailData Class
115       3.21. Record Class
116         3.21.1.  RecordData Class
117         3.21.2.  RecordPattern Class
118       3.22. WindowsRegistryKeysModified Class
119         3.22.1.  Key Class
120       3.23. CertificateData Class
121         3.23.1.  Certificate Class
122       3.24. FileData Class
123         3.24.1.  File Class
124       3.25. HashData Class
125         3.25.1.  Hash Class
126         3.25.2.  FuzzyHash Class
127       3.26. SignatureData Class
128       3.27. Indicator Class
129         3.27.1.  IndicatorID Class
130         3.27.2.  AlternativeIndicatorID Class
131         3.27.3.  Observable Class
132         3.27.4.  BulkObservable Class
133         3.27.5.  BulkObservableFormat Class
134         3.27.6.  IndicatorExpression Class
135         3.27.7.  ObservableReference Class
136         3.27.8.  IndicatorReference Class
137         3.27.9.  AttackPhase Class
138     4.  Notable differences from RFC 7970 (to be deleted)
139     5.  Examples
140       5.1.  Minimal Example
141       5.2.  Indicators from a Campaign
142     6.  The IODEF Data Model (JSON Schema)
143     7.  Acknowledgements
144     8.  IANA Considerations
145     9.  Security Considerations
146     10. References
147       10.1.  Normative References
148       10.2.  Informative References
149     Authors' Addresses

151  1. Introduction

153     RFC 7970 [RFC7970] defines a data model for sharing incident
154     information. It facilitates automated exchange of information among
155     parties over networks. The data model can be implemented in XML,
156     but XML is not always suitable for implementation. A JSON-based
157     representation is often useful.

159     Therefore, in this document, we provide a means to represent the IODEF
160     data model in JSON.

162  1.1. Requirements Language

164     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
165     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
166     document are to be interpreted as described in RFC 2119 [RFC2119].

168  2. IODEF Data Types

170     The IODEF Data Types defined in RFC 7970 [RFC7970] are used for the
171     JSON IODEF, with syntax changes for some of the types.

173  2.1. Integers

175     An integer is represented in the information model by the INTEGER
176     data type. Integer data MUST be encoded in Base 10, and is
177     implemented as an "integer" type per JSON schema [jsonschema].

179  2.2. Real Numbers

181     A real (floating-point) number is represented in the information
182     model by the REAL data type. Real data MUST be encoded in Base 10,
183     and is implemented in the data model as a "number" type per JSON
184     schema [jsonschema].

186  2.3. Characters and Strings

188     A single character is represented in the information model by the
189     CHARACTER data type. A string is represented by the STRING data
190     type. Special characters MUST be encoded using entity references. The
191     CHARACTER and STRING data types are implemented in the data model as
192     a "string" type per JSON schema [jsonschema].

194  2.4. Multilingual Strings

196     A string that needs to be represented in a human-readable language
197     different than the default encoding of the document is represented in
198     the information model by the ML_STRING data type. This data type is
199     implemented as an object with "value", "lang", and "translation-id"
200     elements as defined in Section 6. An example is shown below.

202     "MLStringType": {
203       "value": "free-form text",        //STRING
204       "lang": "en",                     //ENUM
205       "translation-id": "jp2en0023"     //STRING
206     }

208  2.5. Binary Strings

210  2.5.1. Base64 Bytes

212     A binary octet encoded with base64 is represented in the information
213     model by the BYTE data type. A sequence of these octets is of the
214     BYTE[] data type. The BYTE and BYTE[] data types are implemented in
215     the data model as a "string" type per JSON schema [jsonschema].

217  2.5.2. Hexadecimal Bytes

219     A binary octet encoded as a character tuple consisting of two
220     hexadecimal digits is represented in the information model by the
221     HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
222     type. The HEXBIN and HEXBIN[] data types are implemented in the data
223     model as a "string" type per JSON schema [jsonschema].

225  2.6. Enumerated Types

227     An enumerated type is represented in the information model by the
228     ENUM data type. It is an ordered list of acceptable string values.
229     Each value has a representative keyword. The ENUM data type is
230     implemented in the data model as values of an enum array per JSON
231     schema [jsonschema].

233  2.7. Date-Time String

235     A date-time string that describes a particular instant in time is
236     represented in the information model by the DATETIME data type.
237     Ranges are not supported. The DATETIME data type is implemented in
238     the data model as a "string" type per JSON schema [jsonschema].

240  2.8. Timezone String

242     A timezone offset from UTC is represented in the information model by
243     the TIMEZONE data type. It is formatted according to the following
244     regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The
245     TIMEZONE data type is implemented in the data model as a "string"
246     type per JSON schema [jsonschema].

248  2.9. Port Lists

250     A list of network ports is represented in the information model by
251     the PORTLIST data type. A PORTLIST consists of a comma-separated
252     list of numbers and ranges (N-M means ports N through M, inclusive).
253     It is formatted according to the following regular expression:
254     "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
255     "2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in
256     the data model as a "string" type per JSON schema [jsonschema].

258  2.10. Postal Address

260     A postal address is represented in the information model by the
261     POSTAL data type. The format of the POSTAL data type is documented
262     in Section 2.23 of [RFC4519] as a free-form multi-line string
263     separated by the "$" character. The POSTAL data type is implemented
264     in the data model as the aforementioned ML_STRING type.

266  2.11. Telephone Number

268     A telephone number is represented in the information model by the
269     PHONE data type. The format of the PHONE data type is documented in
270     [E.164]. The PHONE data type is implemented in the data model as a
271     "string" type per JSON schema [jsonschema].

273  2.12. Email String

275     An email address is represented in the information model by the EMAIL
276     data type. The format of the EMAIL data type is documented in
277     Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL
278     data type is implemented in the data model as a "string" type per
279     JSON schema [jsonschema].

281  2.13. Uniform Resource Locator Strings

283     A uniform resource locator (URL) is represented in the information
284     model by the URL data type. The format of the URL data type is
285     documented in [RFC3986].

287     The URL data type is implemented as a "string" type per JSON schema
288     [jsonschema].
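
The following Python sketch is an added example, not part of the draft or of any IODEF implementation. It applies the TIMEZONE and PORTLIST regular expressions of Sections 2.8 and 2.9 to whole strings, and shows what a receiver still has to check after the pattern matches; MAX_PORT, MAX_PORTLIST_LEN and all function names are assumptions made for illustration.

```python
import re

# Patterns copied from Sections 2.8 and 2.9 of the draft. re.ASCII limits \d
# to 0-9; without it Python also accepts other Unicode decimal digits.
TIMEZONE_PATTERN = r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
PORTLIST_PATTERN = r"\d+(\-\d+)?(,\d+(\-\d+)?)*"
TIMEZONE_RE = re.compile(TIMEZONE_PATTERN, re.ASCII)
PORTLIST_RE = re.compile(PORTLIST_PATTERN, re.ASCII)

MAX_PORT = 65535         # assumption: 16-bit port space; the draft sets no bound
MAX_PORTLIST_LEN = 4096  # assumption: local cap on accepted input size


def unanchored_accepts(pattern, value):
    """Mimic a JSON Schema "pattern" keyword, which is a substring search.

    A schema that embeds the draft's expressions without ^ and $ accepts any
    string that merely contains a match.
    """
    return re.search(pattern, value, re.ASCII) is not None


def is_timezone(value):
    """True only if the whole string is a TIMEZONE value.

    fullmatch() is used instead of ^...$ because $ also matches just before
    a trailing newline.
    """
    return isinstance(value, str) and TIMEZONE_RE.fullmatch(value) is not None


def parse_portlist(value):
    """Parse a PORTLIST into a list of inclusive (low, high) tuples.

    Raises ValueError for strings that fail the draft's expression and for
    strings that pass it but describe no usable port set (reversed range,
    port above MAX_PORT).
    """
    if not isinstance(value, str) or len(value) > MAX_PORTLIST_LEN:
        raise ValueError("PORTLIST must be a string of bounded length")
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError("PORTLIST does not match the Section 2.9 pattern")

    ranges = []
    for item in value.split(","):
        low_text, _, high_text = item.partition("-")
        low = int(low_text)
        high = int(high_text) if high_text else low
        if low > high:
            raise ValueError("reversed range: " + item)
        if high > MAX_PORT:
            raise ValueError("port out of range: " + item)
        ranges.append((low, high))
    return ranges


def port_in_list(port, value):
    """True if the integer port falls inside any range of the PORTLIST."""
    return any(low <= port <= high for low, high in parse_portlist(value))


if __name__ == "__main__":
    # Constructed sample values, including the draft's own PORTLIST example.
    for tz in ["Z", "+09:00", "+15:00", "+09:00\n", "AZ-5"]:
        print(repr(tz), is_timezone(tz), unanchored_accepts(TIMEZONE_PATTERN, tz))
    print(parse_portlist("2,5-15,30,32,40-50,55-60"))
    for bad in ["60-55", "70000", "22;reboot", "22,"]:
        try:
            parse_portlist(bad)
        except ValueError as exc:
            print(repr(bad), "rejected:", exc)
```
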

290  2.14. Identifiers and Identifier References

292     An identifier unique to the IODEF document is represented in the
293     information model by the ID data type. A reference to this
294     identifier is represented by the IDREF data type. These data types
295     are implemented in the model as a "string" type per JSON schema
296     [jsonschema].

298  2.15. Software

300     A particular version of software is represented in the information
301     model by the SOFTWARE data type. This software can be described by
302     using a reference, a URL, or with free-form text. The SOFTWARE data
303     type is implemented as an object with "SoftwareReference", "URL", and
304     "Description" elements as defined in Section 6. An example is shown
305     below.

307     "SoftwareType": {
308       "SoftwareReference": {...},               //SoftwareReference
309       "Description": {"value":"MS Windows"}     //ML_STRING
310     }

312  2.16. StructuredInfo

314     Information provided in the form of a structured string, such as an ID, or
315     structured information, such as XML documents, is represented in the
316     information model by the StructuredInfo data type. Note that this
317     type was originally specified in RFC 7203. The StructuredInfo data
318     type is implemented as an object with "SpecID", "ext-SpecID",
319     "ContentID", "RawData", and "Reference" elements. An example for
320     embedding a structured ID is shown below.

322     "StructuredInformation": {
323       "SpecID": "cve",                  //ENUM
324       "ContentID": "CVE-2007-5000"      //STRING
325     }

327     When embedding the raw data, base64 conversion should be used for
328     encoding the data, as shown below.

330     "StructuredInformation": {
331       "SpecID": "oval",                 //ENUM
332       "RawData": "<<>>"                 //STRING
333     }

335  3. The IODEF Information Model in JSON

337     The data model of IODEF is defined in RFC 7970 [RFC7970], and this
338     section illustrates its representation in JSON. Note that the
339     complete JSON schema is defined in Section 6.

341  3.1. IODEF-Document Class

343     This class is the top-level class in the IODEF data model. Its class
344     elements and an example are shown below. See Section 3.1 of RFC 7970
345     [RFC7970] for the intended meanings of these elements.

347     Class elements:

349     version, lang?, format-id?, private-enum-name?, private-enum-id?,
350     Incident+, AdditionalData*

352     Example:

354     "IODEF-Document": {
355       "version": "2.1",                 //STRING
356       "lang": "en",                     //ENUM
357       "format-id": "RFC7970-json",      //STRING
358       "Incident": [ ... ]               //Incident
359     }

361  3.2. Incident Class

363     The Incident class describes commonly exchanged information when
364     reporting or sharing derived analysis from security incidents. Its
365     class elements and an example are shown below. See Section 3.2 of
366     RFC 7970 [RFC7970] for the intended meanings of these elements.

368     Class elements:

370     purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
371     ext-restriction?, observable-id?, IncidentID, AlternativeID?,
372     RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
373     ReportTime?, GenerationTime?, Description*, Discovery*, Assessment*,
374     Method*, Contact+, EventData*, IndicatorData?, History?,
375     AdditionalData*

377     Example:

379     "Incident": {
380       "purpose": "reporting",                             //ENUM
381       "lang": "en",                                       //STRING
382       "restriction": "green",                             //ENUM
383       "IncidentID": { ... },                              //IncidentID Class
384       "RelatedActivity": [ ... ],                         //RelatedActivity Class
385       "GenerationTime": "2015-10-02T11:18:00-05:00",      //DateTime
386       "Description": [{"value":"Incident in the HQ"}],    //ML_STRING
387       "Assessment": [ ... ],                              //Assessment
388       "Method": [ ... ],                                  //Method
389       "Contact": [ ... ],                                 //Contact
390       "EventData": [ ... ],                               //EventData
391       "IndicatorData": { ... },                           //IndicatorData
392       "History": { ... },                                 //History
393       "AdditionalData": [ ... ]                           //AdditionalData
394     }

396  3.3. Common Attributes

398     There are a number of recurring attributes used in the information
399     model. They are documented in this section.

401  3.3.1. restriction Attribute

403     RFC 7970 [RFC7970] defines the restriction attribute as one of the common
404     attributes. It is defined as below:

406     "restriction":{"enum": ["public", "partner", "need-to-know", "private",
407       "default", "white", "green", "amber", "red", "ext-value"]}

409     Note that you must use the "ext-restriction" field (STRING type) when the
410     value of the "restriction" field is set to "ext-value".

412  3.3.2. observable-id Attribute

414     RFC 7970 [RFC7970] defines the observable-id attribute as one of the
415     common attributes. The value of this attribute is a unique
416     identifier, in string type, in the scope of the document. It is
417     defined as below:

419  3.4. IncidentID Class

421     The class elements and an example are shown below. See Section 3.4
422     of RFC 7970 [RFC7970] for the intended meanings of these elements.

424     Class elements:

426     id, name, instance?, restriction?, ext-restriction?
427     Example:

429     "IncidentID": {
430       "id": "nict20150518-0001",                    // STRING
431       "name": "NICT_cert",                          // STRING
432       "instance": "cyberlab",                       // STRING
433       "restriction": "ext-value",                   // ENUM
434       "ext-restriction": "registration required"    // STRING
435     }

437  3.5. AlternativeID Class

439     The class elements and an example are shown below. See Section 3.5
440     of RFC 7970 [RFC7970] for the intended meanings of these elements.

442     Class elements:

444     restriction?, ext-restriction?, IncidentID+

446     Example:

448     "AlternativeID": {
449       "restriction": "private",         //ENUM
450       "IncidentID": [<<>>]              //IncidentID
451     }

453  3.6. RelatedActivity Class

455     The class elements and an example are shown below. See Section 3.6
456     of RFC 7970 [RFC7970] for the intended meanings of these elements.

458     Class elements:

460     restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
461     Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

463     Example:

465     "RelatedActivity": {
466       "restriction": "private",         //ENUM
467       "ThreatActor": [{...}],           //ThreatActor class
468       "Campaign": [{...}]               //Campaign class
469     }

471  3.7. ThreatActor Class

473     The class elements and an example are shown below. See Section 3.7
474     of RFC 7970 [RFC7970] for the intended meanings of these elements.

476     Class elements:

478     restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
479     AdditionalData*

481     Example:

483     "ThreatActor": {
484       "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",      //STRING
485       "Description": {"value":"Aggressive Butterfly"}     //ML_STRING
486     }

488  3.8. Campaign Class

490     The class elements and an example are shown below. See Section 3.8
491     of RFC 7970 [RFC7970] for the intended meanings of these elements.

493     Class elements:

495     restriction?, ext-restriction?, CampaignID*, URL*, Description*,
496     AdditionalData*

498     Example:

500     "Campaign": {
501       "CampaignID": "C-2015-59405",                 //STRING
502       "Description": {"value":"Orange Giraffe"}     //ML_STRING
503     }

505  3.9. Contact Class

507     The class elements and an example are shown below. See Section 3.9
508     of RFC 7970 [RFC7970] for the intended meanings of these elements.

510     Class elements:

512     role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
513     ContactName*, ContactTitle*, Description*, RegistryHandle*,
514     PostalAddress*, Email*, Telephone*, Timezone?, Contact*,
515     AdditionalData*

517     Example:

519     "Contact": {
520       "role": "creator",                                        //ENUM
521       "type": "organization",                                   //ENUM
522       "ContactName": {"value":"CSIRT for example.com"},         //ML_STRING
523       "ContactTitle": {"value":"Senior Research Engineer"},     //ML_STRING
524       "email": {...},                                           //Email Class
525       "Telephone": {...},                                       //Telephone Class
526       "Timezone": "+09:00"                                      //TIMEZONE
527     }

529  3.9.1. RegistryHandle Class

531     The class elements and an example are shown below. See Section 3.9.1
532     of RFC 7970 [RFC7970] for the intended meanings of these elements.

534     Class elements:

536     handle, registry, ext-registry?

538     Example:

540     "RegistryHandle": {
541       "handle": "MyAPNIC",              //STRING
542       "registry": "apnic"               //ENUM
543     }

545  3.9.2. PostalAddress Class

547     The class elements and an example are shown below. See Section 3.9.2
548     of RFC 7970 [RFC7970] for the intended meanings of these elements.

550     Class elements:

552     type?, ext-type?, PAddress, Description*

554     Example:

556     "PostalAddress": {
557       "type": "mailing",                                        //ENUM
558       "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan",       //POSTAL
559       "Description": {"value":"Office address"}                 //ML_STRING
560     }

562  3.9.3. Email Class

564     The class elements and an example are shown below. See Section 3.9.3
565     of RFC 7970 [RFC7970] for the intended meanings of these elements.

567     Class elements:

569     type?, ext-type?, EmailTo, Description*

571     Example:

573     "Email": {
574       "type": "direct",                                         //ENUM
575       "emailTo": "contact@csirt.example.com",                   //EMAIL
576       "Description": {"value":"Administrator's address"}        //ML_STRING
577     }

579  3.9.4. Telephone Class

581     The class elements and an example are shown below. See Section 3.9.4
582     of RFC 7970 [RFC7970] for the intended meanings of these elements.

584     Class elements:

586     type?, ext-type?, TelephoneNumber, Description*

588     Example:

590     "Telephone": {
591       "type": "wired",                                //ENUM
592       "TelephoneNumber": "+818012345678",             //PHONE
593       "Description": {"value":"Admin's mobile"}       //ML_STRING
594     }

596  3.10. Discovery Class

598     The class elements and an example are shown below. See Section 3.10
599     of RFC 7970 [RFC7970] for the intended meanings of these elements.

601     Class elements:

603     source?, ext-source?, restriction?, ext-restriction?, Description*,
604     Contact*, DetectionPattern*

606     Example:

608     "Discovery": {
609       "source": "nidps",                                    //ENUM
610       "restriction": "need-to-know",                        //ENUM
611       "Contact": {...},                                     //Contact class
612       "DetectionPattern": {...},                            //DetectionPattern class
613       "Description":{"value":"IDS provided an alert"}       //ML_STRING
614     }

617  3.10.1. DetectionPattern Class

619     The class elements and an example are shown below. See
620     Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
621     these elements.

623     Class elements:

625     restriction?, ext-restriction?, observable-id?, Application,
626     Description*, DetectionConfiguration*

628     Example:

630     "DetectionPattern": {
631       "Application": {...},                                      //SOFTWARE
632       "Description": {"value":
633         "The specified application needs to be reviewed"}        //ML_STRING
634     }

637  3.11. Method Class

639     The class elements and an example are shown below. See Section 3.11
640     of RFC 7970 [RFC7970] for the intended meanings of these elements.

642     Class elements:

644     restriction?, ext-restriction?, Reference*, Description*,
645     AttackPattern*, Vulnerability*, Weakness*

647     Example:

649     "Method": {
650       "AttackPattern": {...},           //StructuredInfo
651       "Vulnerability": {...}            //StructuredInfo
652     }

654  3.11.1. Reference Class

656     The class elements and an example are shown below. See
657     Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
658     these elements.

660     Class elements:

662     observable-id?, ReferenceName?, URL*, Description*

664     Example:

666     "Reference":{
667       "URL":"http://www.nict.go.jp"     //URL
668     }

670  3.12. Assessment Class

672     The class elements and an example are shown below. See Section 3.12
673     of RFC 7970 [RFC7970] for the intended meanings of these elements.

675     Class elements:

677     occurrence?, restriction?, ext-restriction?, observable-id?,
678     IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
679     MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
680     Cause*, Confidence?, AdditionalData*

682     Example:

684     "Assessment": {
685       "SystemImpact": {...},                                    //SystemImpact class
686       "BusinessImpact": {...},                                  //BusinessImpact class
687       "TimeImpact": {...},                                      //TimeImpact class
688       "MonetaryImpact": {...},                                  //MonetaryImpact class
689       "IntendedImpact": {...},                                  //IntendedImpact class
690       "Counter": "5",                                           //Counter class
691       "MitigationFactor": {"value":"Rebooting is required"},    //ML_STRING
692       "Cause": {"value":"Malware Infection"}                    //ML_STRING
693     }

696  3.12.1. SystemImpact Class

698     The class elements and an example are shown below. See
699     Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
700     these elements.

702     Class elements:

704     severity?, completion?, type, ext-type?, Description*

706     Example:

708     "SystemImpact":{
709       "severity":"high",                                          //ENUM
710       "completion": "successful",                                 //ENUM
711       "type":"integrity-data",                                    //ENUM
712       "Description":{"value":"The web page was falsified"}        //ML_STRING
713     }

715  3.12.2. BusinessImpact Class

717     The class elements and an example are shown below. See
718     Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
719     these elements.

721     Class elements:

723     severity?, ext-severity?, type, ext-type?, Description*

725     Example:

727     "BusinessImpact": {
728       "severity":"medium",                                        //ENUM
729       "completion": "successful",                                 //ENUM
730       "type": "degraded-reputation",                              //ENUM
731       "Description":{"value":"The web page was falsified"}        //ML_STRING
732     }

734  3.12.3. TimeImpact Class

736     The class elements and an example are shown below. See
737     Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
738     these elements.

740     Class elements:

742     value, severity?, metric, ext-metric?, duration?, ext-duration?

744     Example:

746     "TimeImpact":{
747       "time": "240",                    //REAL
748       "metric": "elapsed",              //ENUM
749       "duration": "minutes"             //ENUM
750     }

752  3.12.4. MonetaryImpact Class

754     The class elements and an example are shown below. See
755     Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of
756     these elements.

758     Class elements:

760     value, severity?, currency?

762     Example:

764     "MonetaryImpact":{
765       "money": "10000",                 //REAL
766       "severity": "medium",             //ENUM
767       "currency": "USD"                 //STRING
768     }

770  3.12.5. Confidence Class

772     The class elements and an example are shown below. See
773     Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of
774     these elements.

776     Class elements:

778     value, rating, ext-rating?

780     Example:

782     "Confidence": {
783       "value": "5",                     //REAL
784       "rating": "medium"                //ENUM
785     }

787  3.13. History Class

789     The class elements and an example are shown below. See Section 3.13
790     of RFC 7970 [RFC7970] for the intended meanings of these elements.

792     Class elements:

794     restriction?, ext-restriction?, HistoryItem+

796     Example:

798     "History": {
799       "restriction": "need-to-know",    //ENUM
800       "HistoryItem": { ... }            //HistoryItem class
801     }

803  3.13.1. HistoryItem Class

805     The class elements and an example are shown below. See
806     Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
807     these elements.

809     Class elements:

811     action, ext-action?, restriction?, ext-restriction?, observable-id?,
812     DateTime, IncidentID?, Contact?, Description*, DefinedCOA*,
813     AdditionalData*

815     Example:

817     "HistoryItem": {
818       "action": "investigate",                      //ENUM
819       "restriction": "need-to-know",                //ENUM
820       "DateTime": "2015-10-15T11:18:00-05:00",      //DateTime
821       "IncidentID": { ... }                         //IncidentID class
822     }

824  3.14. EventData Class

826     The class elements and an example are shown below. See Section 3.14
827     of RFC 7970 [RFC7970] for the intended meanings of these elements.

829    Class elements:

831       restriction?, ext-restriction?, observable-id?, Description*,
832       DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?,
833       Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*,
834       Record?, EventData*, AdditionalData*

836    Example:

838      "EventData": {
839        "ReportTime": "2016-06-01 18:05:33",
840        "Contact": { ...},  //Contact class
841        "Assessment": { ...},  //Assessment class
842        "Method": { ...},  //Method class
843        "System": { ... },  //System class
844        "Expectation": { ...}  //Expectation class
         }

846 3.15.  Expectation Class

848    The class elements and an example are shown below.  See Section 3.15
849    of RFC 7970 [RFC7970] for the intended meanings of these elements.

851    Class elements:

853       action?, ext-action?, severity?, restriction?, ext-restriction?,
854       Description*, DefinedCOA*, StartTime?, EndTime?, Contact?

856    Example:

858      "Expectation": {
859        "action": "investigate",  //ENUM
860        "severity": "medium",  //ENUM
861        "restriction": "need-to-know"  //ENUM
862      },

864 3.16.  System Class

866    The class elements and an example are shown below.  See Section 3.17
867    of RFC 7970 [RFC7970] for the intended meanings of these elements.

869    Class elements:

871       category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
872       ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
873       Service*, OperatingSystem*, Counter*, AssetID*, Description*,
874       AdditionalData*

876    Example:

878      "System": {
879        "category": "source",  //ENUM
880        "Node": { ... },  //Node class
881        "Service": { ... }  //Service class
882      },

884 3.17.  Node Class

886    The class elements and an example are shown below.  See Section 3.18
887    of RFC 7970 [RFC7970] for the intended meanings of these elements.

889    Class elements:

891       DomainData*, Address*, PostalAddress?, Location*, Counter*

893    Example:

895      "Node": {
896        "Address": { ... },  //Address class
897        "Location": {"value":"OrgID=7"}  //ML_STRING
898      }

900 3.17.1.  Address Class

902    The class elements and an example are shown below.  See
903    Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
904    these elements.

906    Class elements:

908       value, category, ext-category?, vlan-name?, vlan-num?, observable-id?

910    Example:

912      "Address": {
913        "value": "192.228.139.118",  //STRING
914        "category": "ipv4-addr"  //ENUM
915      },

917 3.17.2.  NodeRole Class

919    The class elements and an example are shown below.  See
920    Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
921    these elements.

923    Class elements:

925       category, ext-category?, Description*

927    Example:

929      "NodeRole": {
930        "category": "client",  //ENUM
931        "Description": {"value":"The computer at room A"}  //ML_STRING
932      },

934 3.17.3.  Counter Class

936    The class elements and an example are shown below.  See
937    Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
938    these elements.

940    Class elements:

942       value, type, ext-type?, unit, ext-unit?, meaning?, duration?,
943       ext-duration?

945    Example:

947      "Counter": {
948        "value": "3",  //REAL
949        "type": "count",  //ENUM
950        "unit": "packet",  //ENUM
951        "meaning": {"value":"The number of scan packets are counted"}  //ML_STRING
953      }

955 3.18.  DomainData Class

957    The class elements and an example are shown below.  See Section 3.19
958    of RFC 7970 [RFC7970] for the intended meanings of these elements.

960    Class elements:

962       system-status, ext-system-status?, domain-status, ext-domain-status?,
963       observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
964       ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?

966    Example:

968      "DomainData": {
969        "system-status": "innocent-hacked",  //ENUM
970        "domain-status": "assignedAndInactive",  //STRING
971        "Name": "temp1.nict.go.jp"  //STRING
972      },

974 3.18.1.  Nameserver Class

976    This class is defined in Section 3.19.1 of RFC 7970 [RFC7970].  The
977    example below represents how to describe this class in JSON.

979    Class elements:

981       Server, Address*

983    Example:

985      "NameServers": {
986        "Server": "vgw.nict.go.jp",  //STRING
987        "Address": {
988          "AddressValue": "133.243.18.5",  //STRING
989          "category": "ipv4-addr"  //ENUM
990        }
991      }

993 3.18.2.  DomainContacts Class

995    This class is defined in Section 3.19.2 of RFC 7970 [RFC7970].  The
996    example below represents how to describe this class in JSON.

998    Class elements:

1000      SameDomainContact?, Contact+

1002   Example:

1004     "DomainContacts": {
1005       "Contact": {
1006         "role": "user",  //ENUM
1007         "type": "organization"  //ENUM
1008       }
1009     }

1011 3.19.  Service Class

1013   This class is defined in Section 3.20 of RFC 7970 [RFC7970].  The
1014   example below represents how to describe this class in JSON.

1016   Class elements:

1018      ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
1019      ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?,
1020      Application?

1021   Example:

1023     "Service": {
1024       "ServiceName": {
1025         "Description": "It seems to be a scan from an infected machine."
1026       },
1027       "ip-protocol": 6,  //INTEGER
1028       "Port": 49183  //INTEGER
1029     }

1031 3.19.1.  ServiceName Class

1033   This class is defined in Section 3.20.1 of RFC 7970 [RFC7970].  The
1034   example below represents how to describe this class in JSON.

1036   Class elements:

1038      IANAService?, URL*, Description*

1040   Example:

1042     "ServiceName": {
1043       "IANAService": "telnet",  //STRING
1044       "URL": "https://en.wikipedia.org/wiki/Telnet",  //STRING
1045       "Description": "It seems to be a scan from an infected machine."  //STRING
1046     },

1048 3.19.2.  ApplicationHeader Class

1050   This class is defined in Section 3.20.2 of RFC 7970 [RFC7970].  The
1051   example below represents how to describe this class in JSON.

1053   Class elements:

1055      ApplicationHeaderField+

1057   Example:

1059     "ApplicationHeader": {
1060       "ApplicationHeaderField": {}
1061     }

1063 3.20.  EmailData Class

1065   This class is defined in Section 3.21 of RFC 7970 [RFC7970].  The
1066   example below represents how to describe this class in JSON.

1068   Class elements:

1070      observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
1071      EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
1072      HashData*, SignatureData*

1074   Example:

1076     "EmailData": {
1077       "EmailTo": "user1@example.org",  //EMAIL
1078       "EmailFrom": "user2@example.com",  //EMAIL
1079       "EmailSubject": "example email",  //STRING
1080       "EmailX-Mailer": "example mailer v1.1.0",  //STRING
1081       "EmailBody": "example email"  //STRING
1082     }

1084 3.21.  Record Class

1086   This class is defined in Section 3.22 of RFC 7970 [RFC7970].  The
1087   example below represents how to describe this class in JSON.

1089   Class elements:

1091      restriction?, ext-restriction?, RecordData+

1093   Example:

1095     "Record": {
1096       "RecordData": {
1097         "RecordPattern": {
1098           "type": "regex",  //ENUM
1099           "value": "[0-9][A-Z]"
1100         }
1101       },
1102       "RecordItem": {}
1103     },

1105 3.21.1.  RecordData Class

1107   This class is defined in Section 3.22.1 of RFC 7970 [RFC7970].  The
1108   example below represents how to describe this class in JSON.

1110   Class elements:

1112      restriction?, ext-restriction?, observable-id?, DateTime?,
1113      Description*, Application?, RecordPattern*, RecordItem*, URL*,
1114      FileData*, WindowsRegistryKeysModified*, CertificateData*,
1115      AdditionalData*

1117   Example:

1119     "RecordData": {
1120       "RecordPattern": {
1121         "type": "regex",
1122         "value": "[0-9][A-Z]"
1123       }
1124     },

1126 3.21.2.  RecordPattern Class

1128   This class is defined in Section 3.22.2 of RFC 7970 [RFC7970].  The
1129   example below represents how to describe this class in JSON.

1131   Class elements:

1133      type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
1134      value

1136   Example:

1138     "RecordPattern": {
1139       "type": "regex",
1140       "value": "[0-9][A-Z]"
1141     },

1143 3.22.  WindowsRegistryKeysModified Class

1145   This class is defined in Section 3.23 of RFC 7970 [RFC7970].  The
1146   example below represents how to describe this class in JSON.

1148   Class elements:

1150      observable-id?, Key+

1152   Example:

1154     "WindowsRegistryKeysModified": {
1155       "Key": {
1156         "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",  //STRING
1157         "KeyName": "HKEY_LOCAL_MACHINExxxxxxx"  //STRING
1158       }
1159     }

1161 3.22.1.  Key Class

1163   This class is defined in Section 3.23.1 of RFC 7970 [RFC7970].  The
1164   example below represents how to describe this class in JSON.

1166   Class elements:

1168      registryaction?, ext-registryaction?, observable-id?, KeyName,
1169      KeyValue?

1171   Example:

1173     "Key": {
1174       "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",  //STRING
1175       "KeyName": "HKEY_LOCAL_MACHINExxxxxxx"  //STRING
1176     }

1178 3.23.  CertificateData Class

1180   This class is defined in Section 3.24 of RFC 7970 [RFC7970].  The
1181   example below represents how to describe this class in JSON.

1183   Class elements:

1185      restriction?, ext-restriction?, observable-id?, Certificate+

1187   Example:

1189     "CertificateData": {
1190       "Certificate": {
1191         "X509Data": "xxxxxxxx"  //STRING
1192       }
1193     }

1195 3.23.1.  Certificate Class

1197   This class is defined in Section 3.24.1 of RFC 7970 [RFC7970].  The
1198   X509Data class contains the base64-encoded form of an X.509 certificate
1199   or chain, as described in Section 4.4.4 of [W3C.XMLSIG].  The example
1200   below represents how to describe this class in JSON.

1202   Class elements:

1204      observable-id?, X509Data, Description*

1206   Example:

1208     "Certificate": {
1209       "X509Data": "xxxxxxxx"  //STRING
1210     }

1212 3.24.  FileData Class

1214   This class is defined in Section 3.25 of RFC 7970 [RFC7970].  The
1215   example below represents how to describe this class in JSON.

1217   Class elements:

1219      restriction?, ext-restriction?, observable-id?, File+

1221   Example:

1223     "FileData": {
1224       "File": {
1225         "FileName": "dummy.exe"  //STRING
1226       }
1227     },

1229 3.24.1.  File Class

1231   This class is defined in Section 3.25.1 of RFC 7970 [RFC7970].  The
1232   example below represents how to describe this class in JSON.

1234   Class elements:

1236      observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
1237      SignatureData?, AssociatedSoftware?, FileProperties*

1239   Example:

1241     "File": {
1242       "FileName": "dummy.exe"  //STRING
1243     }

1245 3.25.  HashData Class

1247   This class is defined in Section 3.26 of RFC 7970 [RFC7970].  The
1248   example below represents how to describe this class in JSON.

1250   Class elements:

1252      scope, HashTargetID?, Hash*, FuzzyHash*

1254   Example:

1256     "HashData": {
1257       "scope": "file-contents",  //ENUM
1258       "Hash": {
1259         "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",  //STRING
1260         "DigestValue": "xxxxxxxxxxx"  //STRING
1261       }
1262     }

1264 3.25.1.  Hash Class

1266   This class is defined in Section 3.26.1 of RFC 7970 [RFC7970].  The
1267   example below represents how to describe this class in JSON.

1269   Class elements:

1271      DigestMethod, DigestValue, CanonicalizationMethod?, Application?

1273   Example:

1275     "Hash": {
1276       "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",  //STRING
1277       "DigestValue": "xxxxxxxxxxx"  //STRING
1278     }

1280 3.25.2.  FuzzyHash Class

1282   This class is defined in Section 3.26.2 of RFC 7970 [RFC7970].  The
1283   example below represents how to describe this class in JSON.

1285   Class elements:

1287      FuzzyHashValue+, Application?, AdditionalData?

1289   Example:

1291     "FuzzyHash": {
1292       "FuzzyHashValue": {}
1293     }

1295 3.26.  SignatureData Class

1297   This class is defined in Section 3.27 of RFC 7970 [RFC7970].  The
1298   Signature class contains the base64-encoded form of a signature, as
1299   described in Section 4.2 of [W3C.XMLSIG].  The example below
1300   represents how to describe this class in JSON.

1302   Class elements:

1304      Signature+

1306   Example:

1308     "SignatureData": {
1309       "Signature": "xxxxxxxx"  //STRING
1310     }

1312 3.27.  Indicator Class

1314   This class is defined in Section 3.29 of RFC 7970 [RFC7970].  The
1315   example below represents how to describe this class in JSON.

1317   Class elements:

1319      restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
1320      Description*, StartTime?, EndTime?, Confidence?, Contact*,
1321      Observable?, ObservableReference?, IndicatorExpression?,
1322      IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
1323      AdditionalData*

1325   Example:

1327     "Indicator": {
1328       "IndicatorID": {
1329         "id": "G90823490",  //STRING
1330         "name": "csirt.example.com",  //STRING
1331         "version": "1"  //STRING
1332       },
1333       "Description": "C2 domains",  //ML_STRING
1334       "StartTime": "2014-12-02T11:18:00-05:00",  //Datetime
1335       "Observable": {
1336         "BulkObservable": {
1337           "type": "fqdn"  //ENUM
1338         },
1339         "BulkObservableList": [
1340           "kj290023j09r34.example.com",  //STRING
1341           "09ijk23jfj0k8.example.net",  //STRING
1342           "klknjwfjiowjefr923.example.org",  //STRING
1343           "oimireik79msd.example.org"  //STRING
1344         ]
1345       }
1346     }

1348 3.27.1.  IndicatorID Class

1350   This class is defined in Section 3.29.1 of RFC 7970 [RFC7970].  The
1351   example below represents how to describe this class in JSON.

1353   Class elements:

1355      id, name, version

1357   Example:

1359     "IndicatorID": {
1360       "id": "G90823490",  //STRING
1361       "name": "csirt.example.com",  //STRING
1362       "version": "1"  //STRING
1363     }

1365 3.27.2.  AlternativeIndicatorID Class

1367   This class is defined in Section 3.29.2 of RFC 7970 [RFC7970].  The
1368   example below represents how to describe this class in JSON.

1370   Class elements:

1372      restriction?, ext-restriction?, IndicatorReference+

1374   Example:

1376     "AlternativeIndicatorID": {
1377       "IndicatorReference": {
1378         "uid-ref": "xxxxx"
1379       }
1380     },

1382 3.27.3.  Observable Class

1384   This class is defined in Section 3.29.3 of RFC 7970 [RFC7970].  The
1385   example below represents how to describe this class in JSON.

1387   Class elements:

1389      restriction?, ext-restriction?, System?, Address?, DomainData?,
1390      Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
1391      CertificateData?, RegistryHandle?, RecordData?, EventData?,
1392      Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
1393      HistoryItem?, BulkObservable?, AdditionalData*

1395   Example:

1397     "Observable": {
1398       "BulkObservable": {
1399         "type": "fqdn"  //ENUM
1400       },
1401       "BulkObservableList": [
1402         "kj290023j09r34.example.com",  //STRING
1403         "09ijk23jfj0k8.example.net",  //STRING
1404         "klknjwfjiowjefr923.example.org",  //STRING
1405         "oimireik79msd.example.org"  //STRING
1406       ]
1407     }

1409 3.27.4.  BulkObservable Class

1411   This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970].  The
1412   example below represents how to describe this class in JSON.

1414   Class elements:

1416      type?, ext-type?, BulkObservableFormat?, BulkObservableList,
1417      AdditionalData*

1419   Example:

1421     "BulkObservable": {
1422       "type": "fqdn"  //ENUM
1423     },
1424     "BulkObservableList": [
1425       "kj290023j09r34.example.com",  //STRING
1426       "09ijk23jfj0k8.example.net",  //STRING
1427       "klknjwfjiowjefr923.example.org",  //STRING
1428       "oimireik79msd.example.org"  //STRING
1429     ]

1431 3.27.5.  BulkObservableFormat Class

1433   This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
1434   The example below represents how to describe this class in JSON.

1436   Class elements:

1438      Hash?, AdditionalData*

1440   Example:

1442     "BulkObservableFormat": {
1443       "Hash": {
1444         "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",  //STRING
1445         "DigestValue": "xxxxxxxxxxx"  //STRING
1446       }
1447     }

1449 3.27.6.  IndicatorExpression Class

1451   This class is defined in Section 3.29.4 of RFC 7970 [RFC7970].  The
1452   example below represents how to describe this class in JSON.

1454   Class elements:

1456      operator?, ext-operator?, IndicatorExpression*, Observable*,
1457      ObservableReference*, IndicatorReference*, Confidence?,
1458      AdditionalData*

1460   Example:

1462     "IndicatorExpression": {
1463       "ObservableReference": {
1464         "uid-ref": "xxxxx"
1465       }
1466     }

1468 3.27.7.  ObservableReference Class

1470   This class is defined in Section 3.29.6 of RFC 7970 [RFC7970].  The
1471   example below represents how to describe this class in JSON.

1473   Class elements:

1475      uid-ref

1477   Example:

1479     "ObservableReference": {
1480       "uid-ref": "xxxxx"
1481     },

1483 3.27.8.  IndicatorReference Class

1485   This class is defined in Section 3.29.7 of RFC 7970 [RFC7970].  The
1486   example below represents how to describe this class in JSON.

1488   Class elements:

1490      uid-ref?, euid-ref?, version?

1492   Example:

1494     "IndicatorReference": {
1495       "uid-ref": "xxxxx"
1496     }

1498 3.27.9.  AttackPhase Class

1500   This class is defined in Section 3.29.8 of RFC 7970 [RFC7970].  The
1501   example below represents how to describe this class in JSON.

1503   Class elements:

1505      AttackPhaseID*, URL*, Description*, AdditionalData*

1507   Example:

1509     "AttackPhase": {
1510       "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets."  //ML_STRING
1511     }

1513 4.  Notable differences from RFC 7970 (to be deleted)

1515   o  This document treats attributes and elements of each class defined
1516      in RFC 7970 [RFC7970] equally and is agnostic on the order of
1517      their appearances.

1519   o  Flow class is deleted, and EventData class now has the instance of
1520      System class.

1522   o  Record class is deleted, and the link to the Record class is
1523      directly connected to RecordData class, which is then renamed to
1524      Record class.

1526 5.  Examples

1528   This section provides examples of IODEF documents.  These examples do
1529   not represent the full capabilities of the data model or the only
1530   way to encode particular information.

1532 5.1.  Minimal Example

1534   A document containing only the mandatory elements and attributes.

1536   {
1537     "version": "2.0",
1538     "lang": "en",
1539     "Incident": [
1540       {
1541         "purpose": "reporting",
1542         "restriction": "private",
1543         "IncidentID": {
1544           "id": 492382,
1545           "name": "csirt.example.com"
1546         },
1547         "GenerationTime": "2015-07-18T09:00:00-05:00",
1548         "Contact": [
1549           {
1550             "type": "organization",
1551             "role": "creator",
1552             "email": {
1553               "emailTo": "contact@csirt.example.com"
1554             }
1555           }
1556         ]
1557       }
1558     ]
1559   }

1561 5.2.  Indicators from a Campaign

1563   An example of C2 domains from a given campaign.

1565   {
1566     "version": "2.0",
1567     "lang": "en",
1568     "Incidents": [
1569       {
1570         "purpose": "watch",
1571         "restriction": "green",
1572         "IncidentID": {
1573           "id": "897923",
1574           "name": "csirt.example.com"
1575         },
1576         "RelatedActivity": [
1577           {
1578             "ThreatActor": [
1579               {
1580                 "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
1581                 "Description": "Aggressive Butterfly"
1582               }
1583             ],
1584             "Campaign": [
1585               {
1586                 "CampaignID": "C-2015-59405",
1587                 "Description": "Orange Giraffe"
1588               }
1589             ]
1590           }
1591         ],
1592         "GenerationTime": "2015-10-02T11:18:00-05:00",
1593         "Description": [
1594           "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
1595         ],
1596         "Assessment": [
1597           {
1598             "BusinessImpact": {
1599               "type": "breach-proprietary"
1600             }
1601           }
1602         ],
1603         "Contacts": [
1604           {
1605             "type": "organization",
1606             "role": "creator",
1607             "ContactName": "CSIRT for example.com",
1608             "Email": {
1609               "emailTo": "contact@csirt.example.com"
1610             }
1611           }
1612         ],
1613         "IndicatorList": [
1614           {
1615             "IndicatorID": {
1616               "id": "G90823490",
1617               "name": "csirt.example.com",
1618               "version": "1"
1619             },
1620             "Description": "C2 domains",
1621             "StartTime": "2014-12-02T11:18:00-05:00",
1622             "Observable": {
1623               "BulkObservable": {
1624                 "type": "fqdn"
1625               },
1626               "BulkObservableList": [
1627                 "kj290023j09r34.example.com",
1628                 "09ijk23jfj0k8.example.net",
1629                 "klknjwfjiowjefr923.example.org",
1630                 "oimireik79msd.example.org"
1631               ]
1633             }
1634           }
1635         ]
1636       }
1637     ]
1638   }

1640 6.  The IODEF Data Model (JSON Schema)

1642 { "$schema": "http://json-schema.org/draft-04/schema#",
1643   "definitions": {
1644     "action": {"enum": ["nothing","contact-source-site","contact-target-site",
1645           "contact-sender", "investigate","block-host","block-network",
1646           "block-port","rate-limit-host","rate-limit-network",
1647           "rate-limit-port","redirect-traffic","honeypot",
1648           "upgrade-software","rebuild-asset","harden-asset",
1649           "remediate-other","status-triage","status-new-info",
1650           "watch-and-report","training","defined-coa","ext-value"]},
1651     "duration": {"enum": ["second","minute","hour","day","month","quarter",
1652           "year","ext-value"]},
1653     "lang": {"enum": ["en","jp"]},
1654     "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
1655           "ext-value"]},
1656     "restriction": {"enum": ["public","partner","need-to-know","private",
1657           "default","white","green","amber","red","ext-value"]},
1658     "status": {"enum": ["new","in-progress","forwarded","resolved","future",
1659           "ext-value"]},
1660     "DATETIME": {"type": "string"},
1661     "PORTLIST": {"type": "string"},
1662     "URLtype": {"type": "string"},
1663     "IDtype": {"type": "string"},
1664     "ExtensionType": {
1665       "type": "object",
1666       "properties": {
1667         "name": {"type": "string"},
1668         "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
1669               "ntpstamp","integer","portlist","real","string","file",
1670               "path","frame","packet","ipv4-packet","ipv6-packet","url",
1671               "csv","winreg","xml","ext-value"]},
1672         "ext-dtype": {"type": "string"},
1673         "meaning": {"type": "string"},
1674         "formatid": {"type": "string"},
1675         "restriction": {"$ref": "#/definitions/restriction"},
1676         "ext-restriction": {"type": "string"},
1677         "observable-id": {"$ref": "#/definitions/IDtype"}}},
1678     "ExtensionTypeList": {
1679       "type": "array",
1680       "items": {"$ref": "#/definitions/ExtensionType"}},
1682     "SoftwareType": {
1683       "type": "object",
1684       "properties": {
1685         "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
1686         "URL": {"$ref": "#/definitions/URLtype"},
1687         "Description": {"type": "string"}},
1688       "required": [],
1689       "additionalProperties": false},
1690     "SoftwareReference": {
1691       "type": "object",
1692       "properties": {
1693         "value": {"type": "string"},
1694         "spec-name": {"type": "string"},
1695         "ext-spec-name": {"type": "string"},
1696         "dtype": {"type": "string"},
1697         "ext-dtype": {"type": "string"}},
1698       "required": ["spec-name"],
1699       "additionalProperties": false},
1700     "StructuredInfo": {
1701       "type": "object",
1702       "properties": {
1703         "specID": {"type": "string"},
1704         "ext-specID": {"type": "string"},
1705         "contentID": {"type": "string"},
1706         "RawData": {"type": "string"},
1707         "URL": {"$ref": "#/definitions/URLtype"}},
1708       "required": ["specID"],
1709       "additionalProperties": false},
1710     "Incident": {
1711       "title": "Incident",
1712       "description": "JSON schema for Incident class",
1713       "type": "object",
1714       "properties": {
1715         "purpose": {"$ref": "#/definitions/purpose"},
1716         "ext-purpose": {"type": "string"},
1717         "status": {"$ref": "#/definitions/status"},
1718         "ext-status": {"type": "string"},
1719         "lang": {"$ref": "#/definitions/lang"},
1720         "restriction": {"$ref": "#/definitions/restriction"},
1721         "ext-restriction": {"type": "string"},
1722         "observable-id": {"$ref": "#/definitions/IDtype"},
1723         "IncidentID": {"$ref": "#/definitions/IncidentID"},
1724         "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
1725         "RelatedActivity": {
1726           "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
1727         "DetectTime": {"type": "string"},
1728         "StartTime": {"type": "string"},
1729         "EndTime": {"type": "string"},
1730         "RecoveryTime": {"type": "string"},
1731         "ReportTime": {"type": "string"},
1732         "GenerationTime": {"type": "string"},
1733         "Description": {"type": "array","items": {"type": "string"}},
1734         "Discovery": {
1735           "type": "array","items": {"$ref": "#/definitions/Discovery"}},
1736         "Assessment": {
1737           "type": "array","items": {"$ref": "#/definitions/Assessment"}},
1738         "Methods": {
1739           "type": "array","items": {"$ref": "#/definitions/Method"}},
1740         "Contacts": {
1741           "type": "array","items": {"$ref": "#/definitions/Contact"}},
1742         "EventData": {
1743           "type": "array","items": {"$ref": "#/definitions/EventData"}},
1744         "IndicatorList": {
1745           "type": "array","items": {"$ref": "#/definitions/Indicator"}},
1746         "History": {"$ref": "#/definitions/History"},
1747         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1748       "required": ["IncidentID","GenerationTime","Contacts","purpose"],
1749       "additionalProperties": false},
1750     "IncidentID": {
1751       "title": "IncidentID",
1752       "description": "JSON schema for IncidentID class",
1753       "type": "object",
1754       "properties": {
1755         "id": {"type": "string"},
1756         "name": {"type": "string"},
1757         "instance": {"type": "string"},
1758         "restriction": {"$ref": "#/definitions/restriction"},
1759         "ext-restriction": {"type": "string"}},
1760       "required": ["name"],
1761       "additionalProperties": false},
1762     "AlternativeID": {
1763       "title": "AlternativeID",
1764       "description": "JSON schema for AlternativeID class",
1765       "type": "object",
1766       "properties": {
1767         "IncidentID": {
1768           "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
1769         "restriction": {"$ref": "#/definitions/restriction"},
1770         "ext-restriction": {"type": "string"}},
1771       "required": ["IncidentID"],
1772       "additionalProperties": false},
1773     "RelatedActivity": {
1774       "properties": {
1775         "restriction": {"$ref": "#/definitions/restriction"},
1776         "ext-restriction": {"type": "string"},
1777         "IncidentID": {
1778           "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
1779         "URL": {
1780           "type": "array","items": {"$ref": "#/definitions/URLtype"}},
1781         "ThreatActor": {
1782           "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
1783         "Campaign": {
1784           "type": "array","items": {"$ref": "#/definitions/Campaign"}},
1785         "IndicatorID": {
1786           "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
1787         "Confidence": {"$ref": "#/definitions/Confidence"},
1788         "Description": { "type": "array","items": {"type": "string"}},
1789         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1790       "additionalProperties": false},
1791     "ThreatActor": {
1792       "properties": {
1793         "restriction": {"$ref": "#/definitions/restriction"},
1794         "ext-restriction": {"type": "string"},
1795         "ThreatActorID": {"type": "array", "items": {"type": "string"}},
1796         "Description": {"type": "array", "items": {"type": "string"}},
1797         "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
1798         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1799       "additionalProperties": false},
1800     "Campaign": {
1801       "properties": {
1802         "restriction": {"$ref": "#/definitions/restriction"},
1803         "ext-restriction": {"type": "string"},
1804         "CampaignID": {"type": "array", "items": {"type": "string"}},
1805         "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
1806         "Description": {"type": "array", "items": {"type": "string"}},
1807         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
1808     "Contact": {
1809       "type": "object",
1810       "properties": {
1811         "role": {
1812           "enum": ["creator","reporter","admin","tech","provider","user",
1813                 "billing","legal","irt","abuse","cc","cc-irt","leo",
1814                 "vendor","vendor-support","victim","victim-notified",
1815                 "ext-value"]},
1816         "ext-role": {"type": "string"},
1817         "type": {"enum": ["person","organization","ext-value"]},
1818         "ext-type": {"type": "string"},
1819         "restriction": {"$ref": "#/definitions/restriction"},
1820         "ext-restriction": {"type": "string"},
1821         "ContactName": {"type": "array", "items": {"type": "string"}},
1822         "ContactTitle": {"type": "array", "items": {"type": "string"}},
1823         "Description": {"type": "array", "items": {"type": "string"}},
1824         "RegistryHandle": {
1825           "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},
1827         "PostalAddress": {
1828           "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
1829         "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
1830         "Telephone": {
1831           "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
1832         "Timezone": {"type": "string"},
1833         "Contact": {
1834           "type": "array", "items": {"$ref": "#/definitions/Contact"}},
1835         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1836       "required": ["role","type"],
1837       "additionalProperties": false},
1838     "RegistryHandle": {
1839       "type": "object",
1840       "properties": {
1841         "handle": {"type": "string"},
1842         "registry": {
1843           "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
1844                 "ext-value"]},
1845         "ext-registry": {"type": "string"}},
1846       "required": ["registry"],
1847       "additionalProperties": false},
1848     "PostalAddress": {
1849       "type": "object",
1850       "properties": {
1851         "type": {"type": "string"},
1852         "ext-type": {"type": "string"},
1853         "PAddress": {"type": "string"},
1854         "Description": {"type": "array", "items": {"type": "string"}}},
1855       "required": ["PAddress"],
1856       "additionalProperties": false},
1857     "Email": {
1858       "type": "object",
1859       "properties": {
1860         "type": {
1861           "enum":["direct","hotline","ext-value"]},
1862         "ext-type": {"type": "string"},
1863         "EmailTo": {"type": "string"},
1864         "Description": {"type": "array", "items": {"type": "string"}}},
1865       "required": ["EmailTo"],
1866       "additionalProperties": false},
1867     "Telephone": {
1868       "type": "object",
1869       "properties": {
1870         "type": {
1871           "enum":["wired","mobile","fax","hotline","ext-value"]},
1872         "ext-type": {"type": "string"},
1873         "TelephoneNumber": {"type": "string"},
1874         "Description": {"type": "array", "items": {"type": "string"}}},
1876       "required": ["TelephoneNumber"],
1877       "additionalProperties": false},
1878     "Discovery": {
1879       "type": "object",
1880       "properties": {
1881         "source": {
1882           "enum":["nidps","hips","siem","av","third-party-monitoring",
1883                 "incident","os-log","application-log","device-log",
1884                 "network-flow","passive-dns","investigation","audit",
1885                 "internal-notification","external-notification","leo",
1886                 "partner","actor","unknown","ext-value"]},
1887         "ext-source": {"type": "string"},
1888         "restriction": {"$ref": "#/definitions/restriction"},
1889         "ext-restriction": {"type": "string"},
1890         "Description": {"type": "array", "items": {"type": "string"}},
1891         "Contact": {
1892           "type": "array", "items": {"$ref": "#/definitions/Contact"}},
1893         "DetectionPattern": {
1894           "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
1895       "required": [],
1896       "additionalProperties": false},
1897     "DetectionPattern": {
1898       "type": "object",
1899       "properties": {
1900         "restriction": {"$ref": "#/definitions/restriction"},
1901         "ext-restriction": {"type": "string"},
1902         "observable-id": {"$ref": "#/definitions/IDtype"},
1903         "Application": {"$ref": "#/definitions/SoftwareType"},
1904         "Description": {"type": "array", "items": {"type": "string"}},
1905         "DetectionConfiguration": {
1906           "type": "array", "items": {"type": "string"}}},
1907       "required": ["Application"],
1908       "additionalProperties": false},
1909     "Method": {
1910       "type": "object",
1911       "properties": {
1912         "restriction": {"$ref": "#/definitions/restriction"},
1913         "ext-restriction": {"type": "string"},
1914         "References": {
1915           "type": "array","items": {"$ref": "#/definitions/Reference"}},
1916         "Description": {"type": "array", "items": {"type": "string"}},
1917         "AttackPattern": {
1918           "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
1919         "Vulnerability": {
1920           "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
1921         "Weakness": {
1922           "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
1923         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1925       "required": [],
1926       "additionalProperties": false},
1927     "Reference": {
1928       "type": "object",
1929       "properties": {
1930         "observable-id": {"$ref": "#/definitions/IDtype"},
1931         "ReferenceName": {"type": "string"},
1932         "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
1933         "Description": {"type": "array", "items": {"type": "string"}}},
1934       "required": [],
1935       "additionalProperties": false},
1936     "Assessment": {
1937       "type": "object",
1938       "properties": {
1939         "occurrence": {"enum":["actual","potential"]},
1940         "restriction": {"$ref": "#/definitions/restriction"},
1941         "ext-restriction": {"type": "string"},
1942         "observable-id": {"$ref": "#/definitions/IDtype"},
1943         "IncidentCategory": {"type": "array", "items": {"type": "string"}},
1944         "SystemImpact": {
1945           "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
1946         "BusinessImpact": {
1947           "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
1948         "TimeImpact": {
1949           "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
1950         "MonetaryImpact": {
1951           "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
1952         "IntendedImpact": {
1953           "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
1954         "Counter": {
1955           "type": "array", "items": {"$ref": "#/definitions/Counter"}},
1956         "MitigatingFactor": {
1957           "type": "array", "items": {"type": "string"}},
1958         "Cause": {"type": "array", "items": {"type": "string"}},
1959         "Confidence": {"$ref": "#/definitions/Confidence"},
1960         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
1961       "required": [],
1962       "additionalProperties": false},
1963     "SystemImpact": {
1964       "type": "object",
1965       "properties": {
1966         "severity": {
1967           "enum":["low","medium","high"]},
1968         "completion": {"enum":["failed","succeeded"]},
1969         "type": {
1970           "enum":["takeover-account","takeover-service","takeover-system",
1971                 "cps-manipulation","cps-damage","availability-data",
1972                 "availability-account","availability-service",
1973                 "availability-system","damaged-system","damaged-data",
1974                 "breach-proprietary","breach-privacy","breach-credential",
1975                 "breach-configuration","integrity-data",
1976                 "integrity-configuration","integrity-hardware",
1977                 "traffic-redirection","monitoring-traffic","monitoring-host",
1978                 "policy","unknown","ext-value"]},
1979         "ext-type": {"type": "string"},
1980         "Description": {"type": "array","items": {"type": "string"}}},
1981       "required": ["type"],
1982       "additionalProperties": false},
1983     "BusinessImpact": {
1984       "type": "object",
1985       "properties": {
1986         "severity": {
1987           "enum":["none","low","medium","high","unknown","ext-value"]},
1988         "ext-severity": {"type":"string"},
1989         "type": {
1990           "enum":["breach-proprietary","breach-privacy","breach-credential",
1991                 "loss-of-integrity","loss-of-service","theft-financial",
1992                 "theft-service","degraded-reputation","asset-damage",
1993                 "asset-manipulation","legal","extortion","unknown",
1994                 "ext-value"]},
1995         "ext-type": {"type": "string"},
1996         "Description": {"type": "array","items": {"type": "string"}}},
1997       "required": ["type"],
1998       "additionalProperties": false},
1999     "TimeImpact": {
2000       "type": "object",
2001       "properties": {
2002         "value": {"type": "number"},
2003         "severity": {"enum": ["low","medium","high"]},
2004         "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
2005         "ext-metric": {"type": "string"},
2006         "duration": {"$ref":"#/definitions/duration"},
2007         "ext-duration": {"type": "string"}},
2008       "required": ["metric"],
2009       "additionalProperties": false},
2010     "MonetaryImpact": {
2011       "type": "object",
2012       "properties": {
2013         "value": {"type": "number"},
2014         "severity": {"enum":["low","medium","high"]},
2015         "currency": {"type": "string"}},
2016       "required": [],
2017       "additionalProperties": false},
2018     "Confidence": {
2019       "type": "object",
2020       "properties": {
2021         "value": {"type": "number"},
2022         "rating": {
2023           "enum": ["low","medium","high","numeric","unknown","ext-value"]},
2024         "ext-rating": {"type":"string"}},
2025       "required": ["rating"],
2026       "additionalProperties": false},
2027     "History": {
2028       "type": "object",
2029       "properties": {
2030         "restriction": {"$ref": "#/definitions/restriction"},
2031         "ext-restriction": {"type": "string"},
2032         "HistoryItem": {
2033           "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
2034       "required": ["HistoryItem"],
2035       "additionalProperties": false},
2036     "HistoryItem": {
2037       "type": "object",
2038       "properties": {
2039         "action": {"$ref": "#/definitions/action"},
2040         "ext-action": {"type": "string"},
2041         "restriction": {"$ref": "#/definitions/restriction"},
2042         "ext-restriction": {"type": "string"},
2043         "observable-id": {"$ref": "#/definitions/IDtype"},
2044         "DateTime": {"$ref": "#/definitions/DATETIME"},
2045         "IncidentID": {"$ref": "#/definitions/IncidentID"},
2046         "Contact": {"$ref": "#/definitions/Contact"},
2047         "Description": {"type": "array","items": {"type": "string"}},
2048         "DefinedCOA": {"type": "array","items": {"type": "string"}},
2049         "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
2050       "required": ["DateTime","action"],
2051       "additionalProperties":
        false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "Record": {"$ref": "#/definitions/Record"},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["ReportTime"],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor","infrastructure",
            "ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"]},
        "virtual": {"enum": ["yes","no","unknown"]},
        "ownership": {
          "enum":["organization","personal","partner","customer",
            "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "Service": {
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {"type": "array","items": {"type": "string"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {"type": "string"},
        "Location": {"type": "array","items": {"type": "string"}},
        "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
          "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
            "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
            "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","client-partner","client-remote",
            "client-kiosk","client-mobile","server-internal",
            "server-public","www","mail","webmail","messaging",
            "streaming","voice","file","ftp","p2p","name","directory",
            "credential","print","application","database","backup",
            "dhcp","assessment","source-control","config-management",
            "monitoring","infra","infra-firewall","infra-router",
            "infra-switch","camera","proxy","remote-access","log",
            "virtualization","pos", "scada", "scada-supervisory",
            "sinkhole","honeypot","anonymization","c2-server",
            "malware-distribution","drop-server","hop-point","reflector",
            "phishing-site","spear-phishing-site","recruiting-site",
            "fraudulent-site","ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
            "message","event","host","site","organization","ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum":
            ["spoofed","fraudulent","innocent-hacked",
            "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "NameServers": {
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
          "type": "array","items": {"$ref": "#/definitions/DomainContacts"}}},
      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
      "required": ["Contact"],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "integer"},
        "Portlist": {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {"type": "integer"},
        "ProtoType": {"type": "integer"},
        "ProtoField": {"type": "integer"},
        "ApplicationHeader": {"$ref": "#/definitions/ApplicationHeader"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "ApplicationHeader": {
      "type": "object",
      "properties": {
        "ApplicationHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": ["ApplicationHeaderField"],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {"type": "array","items": {"type": "string"}},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "SignatureData": {
          "type": "array","items": {"$ref": "#/definitions/SignatureData"}}},
      "required": [],
      "additionalProperties": false},
    "Record":{
      "type": "object",
      "properties":{
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "RecordData": {
          "type": "array","items": {"$ref": "#/definitions/RecordData"}}},
      "required":["RecordData"],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction":
          {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {
          "type": "array","items": {"$ref": "#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
    },
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {"type": "string"},
        "offset": {"type": "integer"},
        "offsetunit": {"enum":["line","byte","ext-value"]},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
            "delete-value","modify-key","modify-value",
            "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {"type": "string"},
        "FileSize": {"type": "integer"},
        "FileType": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {"$ref": "#/definitions/HashData"},
        "SignatureData": {"$ref": "#/definitions/SignatureData"},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
            "file-pe-resource","file-pdf-object","email-hash",
            "email-hash-header","email-hash-body"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"type": "string"},
        "DigestValue": {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "SignatureData": {
      "type": "object",
      "properties": {
        "Signature": {"type": "array","items": {"type": "string"}}},
      "required": ["Signature"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {"$ref": "#/definitions/Observable"},
        "ObservableReference":
          {"$ref": "#/definitions/ObservableReference"},
        "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": ["IndicatorReference"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "Record": {"$ref": "#/definitions/Record"},
        "EventData":
          {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
            "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
            "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
            "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
            "ipv4-port","ipv6-port","windows-reg-key","file-hash",
            "email-x-mailer","email-subject","http-user-agent",
            "http-request-url","mutex","file-path","user-name",
            "ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormat":{"$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"]},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "ObservableReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/ObservableReference"}},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "ObservableReference": {
      "type": "object",
      "properties": {"uid-ref": {"type": "string"}},
      "required": ["uid-ref"],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"type": "string"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {"type": "array","items": {"type": "string"}},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array","items": {"$ref": "#/definitions/Incident"}},
    "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}

                        Figure 1: JSON schema

7. Acknowledgements

   TBD.

8. IANA Considerations

   This memo includes no request to IANA.

9. Security Considerations

   This memo does not provide any further security considerations than
   those described in RFC 7970 [RFC7970].

10. References

10.1. Normative References

   [jsonschema]
              "JSON Schema", 2006.

              http://json-schema.org/

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016.

10.2. Informative References

   [DOMINATION]
              Mad Dominators, Inc., "Ultimate Plan for Taking Over the
              World", 1984.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              DOI 10.17487/RFC3552, July 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008.

Authors' Addresses

   Takeshi Takahashi
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

   Mio Suzuki
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Email: mio@nict.go.jp