idnits 2.17.1

draft-ietf-mile-jsoniodef-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 92 instances of too long lines in the document, the longest
     one being 49 characters in excess of 72.

  ** The abstract seems to contain references ([RFC7970]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (January 11, 2018) is 2296 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 243, but not defined

  == Missing Reference: '0-4' is mentioned on line 243, but not defined

  == Missing Reference: '0-5' is mentioned on line 243, but not defined

  == Missing Reference: 'RFC4519' is mentioned on line 261, but not defined

  == Missing Reference: 'RFC5322' is mentioned on line 276, but not defined

  == Missing Reference: 'RFC6531' is mentioned on line 276, but not defined

  == Missing Reference: 'RFC3986' is mentioned on line 284, but not defined

  == Unused Reference: 'DOMINATION' is defined on line 2533, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2629' is defined on line 2537, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3552' is defined on line 2541, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5226' is defined on line 2546, but no explicit
     reference was found in the text

  -- Obsolete informational reference (is this intentional?): RFC 2629
     (Obsoleted by RFC 7749)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

  Summary: 2 errors (**), 0 flaws (~~), 12 warnings (==), 3 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

2 MILE                                                        T. Takahashi
3 Internet-Draft                                                      NICT
4 Intended status: Standards Track                              R. Danyliw
5 Expires: July 15, 2018                                              CERT
6                                                                M. Suzuki
7                                                                     NICT
8                                                         January 11, 2018

10 JSON binding of IODEF
11 draft-ietf-mile-jsoniodef-02

13 Abstract

15 RFC 7970 [RFC7970] provides XML-based data representation on incident
16 information, but the use of the IODEF data model is not limited to
17 XML.
JSON representation is sometimes preferred since it is easy to
18 handle from certain programming environments. This draft represents
19 the IODEF data model in JSON.

21 Status of This Memo

23 This Internet-Draft is submitted in full conformance with the
24 provisions of BCP 78 and BCP 79.

26 Internet-Drafts are working documents of the Internet Engineering
27 Task Force (IETF). Note that other groups may also distribute
28 working documents as Internet-Drafts. The list of current Internet-
29 Drafts is at https://datatracker.ietf.org/drafts/current/.

31 Internet-Drafts are draft documents valid for a maximum of six months
32 and may be updated, replaced, or obsoleted by other documents at any
33 time. It is inappropriate to use Internet-Drafts as reference
34 material or to cite them other than as "work in progress."

36 This Internet-Draft will expire on July 15, 2018.

38 Copyright Notice

40 Copyright (c) 2018 IETF Trust and the persons identified as the
41 document authors. All rights reserved.

43 This document is subject to BCP 78 and the IETF Trust's Legal
44 Provisions Relating to IETF Documents
45 (https://trustee.ietf.org/license-info) in effect on the date of
46 publication of this document. Please review these documents
47 carefully, as they describe your rights and restrictions with respect
48 to this document. Code Components extracted from this document must
49 include Simplified BSD License text as described in Section 4.e of
50 the Trust Legal Provisions and are provided without warranty as
51 described in the Simplified BSD License.

53 Table of Contents

55 1. Introduction
56   1.1. Requirements Language
57 2. IODEF Data Types
58   2.1. Integers
59   2.2. Real Numbers
60   2.3. Characters and Strings
61   2.4. Multilingual Strings
62   2.5. Binary Strings
63     2.5.1. Base64 Bytes
64     2.5.2. Hexadecimal Bytes
65   2.6. Enumerated Types
66   2.7. Date-Time String
67   2.8. Timezone String
68   2.9. Port Lists
69   2.10. Postal Address
70   2.11. Telephone Number
71   2.12. Email String
72   2.13. Uniform Resource Locator Strings
73   2.14. Identifiers and Identifier References
74   2.15. Software
75   2.16. StructuredInfo
76 3. The IODEF Information Model in JSON
77   3.1. IODEF-Document Class
78   3.2. Incident Class
79   3.3. Common Attributes
80     3.3.1. restriction Attribute
81     3.3.2. observable-id Attribute
82   3.4. IncidentID Class
83   3.5. AlternativeID Class
84   3.6. RelatedActivity Class
85   3.7. ThreatActor Class
86   3.8. Campaign Class
87   3.9. Contact Class
88     3.9.1. RegistryHandle Class
89     3.9.2. PostalAddress Class
90     3.9.3. Email Class
91     3.9.4. Telephone Class
92   3.10. Discovery Class
93     3.10.1. DetectionPattern Class
94   3.11. Method Class
95     3.11.1. Reference Class
96   3.12. Assessment Class
97     3.12.1. SystemImpact Class
98     3.12.2. BusinessImpact Class
99     3.12.3. TimeImpact Class
100     3.12.4. MonetaryImpact Class
101     3.12.5. Confidence Class
102   3.13. History Class
103     3.13.1. HistoryItem Class
104   3.14. EventData Class
105   3.15. Expectation Class
106   3.16. System Class
107   3.17. Node Class
108     3.17.1. Address Class
109     3.17.2. NodeRole Class
110     3.17.3. Counter Class
111   3.18. DomainData Class
112     3.18.1. Nameserver Class
113     3.18.2. DomainContacts Class
114   3.19. Service Class
115     3.19.1. ServiceName Class
116     3.19.2. EmailData Class
117     3.19.3. RecordData Class
118     3.19.4. RecordPattern Class
119   3.20. WindowsRegistryKeysModified Class
120     3.20.1. Key Class
121   3.21. CertificateData Class
122     3.21.1. Certificate Class
123   3.22. FileData Class
124     3.22.1. File Class
125   3.23. HashData Class
126     3.23.1. Hash Class
127     3.23.2. FuzzyHash Class
128   3.24. Indicator Class
129     3.24.1. IndicatorID Class
130     3.24.2. AlternativeIndicatorID Class
131     3.24.3. Observable Class
132     3.24.4. BulkObservable Class
133     3.24.5. BulkObservableFormat Class
134     3.24.6. IndicatorExpression Class
135     3.24.7. IndicatorReference Class
136     3.24.8. AttackPhase Class
137 4. Notable differences from RFC 7970
138 5. Examples
139   5.1. Minimal Example
140   5.2. Indicators from a Campaign
141 6. The IODEF Data Model (JSON Schema)
142 7. Acknowledgements
143 8. IANA Considerations
144 9. Security Considerations
145 10. References
146   10.1. Normative References
147   10.2. Informative References
148 Authors' Addresses

150 1. Introduction

152 RFC 7970 [RFC7970] defines a data model for sharing incident
153 information. It facilitates automated exchange of information among
154 parties over networks. The data model can be implemented in a form
155 of XML, but it is not always suitable for implementation. JSON-based
156 representation is often useful.

158 Therefore, in this document, we provide a means to represent the IODEF
159 data model in JSON.

161 1.1. Requirements Language

163 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
165 document are to be interpreted as described in RFC 2119 [RFC2119].

167 2. IODEF Data Types

169 The IODEF Data Types, defined in RFC 7970 [RFC7970] are used for the
170 JSON IODEF, with some syntax changes for some of the types.

172 2.1. Integers

174 An integer is represented in the information model by the INTEGER
175 data type. Integer data MUST be encoded in Base 10, and is
176 implemented as an "integer" type per JSON schema [jsonschema].

178 2.2. Real Numbers

180 A real (floating-point) number is represented in the information
181 model by the REAL data type. Real data MUST be encoded in Base 10,
182 and is implemented in the data model as a "number" type per JSON
183 schema [jsonschema].

185 2.3. Characters and Strings

187 A single character is represented in the information model by the
188 CHARACTER data type. A string is represented by the STRING data
189 type. Special characters MUST be encoded using entity references. The
190 CHARACTER and STRING data types are implemented in the data model as
191 a "string" type per JSON schema [jsonschema].

193 2.4. Multilingual Strings

195 A string that needs to be represented in a human-readable language
196 different than the default encoding of the document is represented in
197 the information model by the ML_STRING data type.
This data type is
198 implemented as an object with "value", "lang", and "translation-id"
199 elements as defined in Section 6. Examples are shown below.

201 "MLStringType": {
202   "value": "free-form text", //STRING
203   "lang": "en", //ENUM
204   "translation-id": "jp2en0023" //STRING
205 }

207 2.5. Binary Strings

209 2.5.1. Base64 Bytes

211 A binary octet encoded with base64 is represented in the information
212 model by the BYTE data type. A sequence of these octets is of the
213 BYTE[] data type. The BYTE and BYTE[] data types are implemented in
214 the data model as a "string" type per JSON schema [jsonschema].

216 2.5.2. Hexadecimal Bytes

218 A binary octet encoded as a character tuple consisting of two
219 hexadecimal digits is represented in the information model by the
220 HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
221 type. The HEXBIN and HEXBIN[] data types are implemented in the data
222 model as a "string" type per JSON schema [jsonschema].

224 2.6. Enumerated Types

226 An enumerated type is represented in the information model by the
227 ENUM data type. It is an ordered list of acceptable string values.
228 Each value has a representative keyword. The ENUM data type is
229 implemented in the data model as values of an enum array per JSON
230 schema [jsonschema].

232 2.7. Date-Time String

234 A date-time string that describes a particular instant in time is
235 represented in the information model by the DATETIME data type.
236 Ranges are not supported. The DATETIME data type is implemented in
237 the data model as a "string" type per JSON schema [jsonschema].

239 2.8. Timezone String

241 A timezone offset from UTC is represented in the information model by
242 the TIMEZONE data type. It is formatted according to the following
243 regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The
244 TIMEZONE data type is implemented in the data model as a "string"
245 type per JSON schema [jsonschema].

247 2.9. Port Lists

249 A list of network ports is represented in the information model by
250 the PORTLIST data type. A PORTLIST consists of a comma-separated
251 list of numbers and ranges (N-M means ports N through M, inclusive).
252 It is formatted according to the following regular expression:
253 "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
254 "2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in
255 the data model as a "string" type per JSON schema [jsonschema].

257 2.10. Postal Address

259 A postal address is represented in the information model by the
260 POSTAL data type. The format of the POSTAL data type is documented
261 in Section 2.23 of [RFC4519] as a free-form multi-line string
262 separated by the "$" character. The POSTAL data type is implemented
263 in the data model as the aforementioned ML_STRING type.

265 2.11. Telephone Number

267 A telephone number is represented in the information model by the
268 PHONE data type. The format of the PHONE data type is documented in
269 [E.164]. The PHONE data type is implemented in the data model as a
270 "string" type per JSON schema [jsonschema].

272 2.12. Email String

274 An email address is represented in the information model by the EMAIL
275 data type. The format of the EMAIL data type is documented in
276 Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL
277 data type is implemented in the data model as a "string" type per
278 JSON schema [jsonschema].

280 2.13. Uniform Resource Locator Strings

282 A uniform resource locator (URL) is represented in the information
283 model by the URL data type. The format of the URL data type is
284 documented in [RFC3986].

286 The URL data type is implemented as a "string" type per JSON schema
287 [jsonschema].

289 2.14. Identifiers and Identifier References

291 An identifier unique to the IODEF document is represented in the
292 information model by the ID data type. A reference to this
293 identifier is represented by the IDREF data type. These data types
294 are implemented in the model as a "string" type per JSON schema
295 [jsonschema].

297 2.15. Software

299 A particular version of software is represented in the information
300 model by the SOFTWARE data type. This software can be described by
301 using a reference, a URL, or with free-form text. The SOFTWARE data
302 type is implemented as an object with "SoftwareReference", "URL",
303 "Description", and "Description_ML" elements as defined in Section 6.
304 Examples are shown below.

306 "SoftwareType": {
307   "SoftwareReference": {...}, //SoftwareReference
308   "Description": ["MS Windows"] //STRING
309 }

311 2.16. StructuredInfo

313 Information provided in a form of structured string, such as ID, or
314 structured information, such as XML documents, is represented in the
315 information model by the StructuredInfo data type. Note that this
316 type was originally specified in RFC7203. The StructuredInfo data
317 type is implemented as an object with "SpecID", "ext-SpecID",
318 "ContentID", "RawData", "Reference" elements. An example for
319 embedding a structured ID is shown below.

321 "StructuredInformation": {
322   "SpecID": "cve", //ENUM
323   "ContentID": "CVE-2007-5000" //STRING
324 }

326 When embedding the raw data, base64 conversion should be used for
327 encoding the data, as shown below.

329 "StructuredInformation": {
330   "SpecID": "oval", //ENUM
331   "RawData": "<<>>" //BYTE
332 }

334 3. The IODEF Information Model in JSON

336 The data model of IODEF is defined in RFC 7970 [RFC7970], and this
337 section illustrates their representations in JSON. Note that the
338 complete JSON schema is defined in Section 6.

340 3.1. IODEF-Document Class

342 This class is the top level class in the IODEF data model. Its class
343 elements and an example are shown below. See Section 3.1 of RFC 7970
344 [RFC7970] for the intended meanings of these elements.

346 Class elements:

348 version, lang?, format-id?, private-enum-name?, private-enum-id?,
349 Incident+, AdditionalData*

351 Example:

353 "IODEF-Document": {
354   "version": "2.1", //STRING
355   "lang": "en", //ENUM
356   "format-id": "RFC7970-json", //STRING
357   "Incident": [ ... ] //Incident
358 }

360 3.2. Incident Class

362 The Incident class describes commonly exchanged information when
363 reporting or sharing derived analysis from security incidents. Its
364 class elements and an example are shown below. See Section 3.2 of
365 RFC 7970 [RFC7970] for the intended meanings of these elements.

367 Class elements:

369 purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
370 ext-restriction?, observable-id?, IncidentID, AlternativeID?,
371 RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
372 ReportTime?, GenerationTime?, Description*, Description_ML*,
373 Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*,
374 History?, AdditionalData*

376 Example:

378 "Incident": {
379   "purpose": "reporting", //ENUM
380   "lang": "en", //STRING
381   "restriction": "green", //ENUM
382   "IncidentID": { ... }, //IncidentID Class
383   "RelatedActivity": [ ... ], //RelatedActivity Class
384   "GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime
385   "Description": ["Incident in the HQ"], //STRING
386   "Assessment": [ ... ], //Assessment
387   "Method": [ ... ], //Method
388   "Contact": [ ... ], //Contact
389   "EventData": [ ... ], //EventData
390   "Indicator": { ... }, //Indicator
391   "History": { ... }, //History
392   "AdditionalData": [ ... ] //AdditionalData
393 }

395 3.3. Common Attributes

397 There are a number of recurring attributes used in the information
398 model. They are documented in this section.

400 3.3.1. restriction Attribute

402 RFC 7970 [RFC7970] defines the restriction Attribute as one of common
403 attributes. It is defined as below:

405 "restriction":{"enum": ["public", "partner", "need-to-know", "private",
406 "default", "white", "green", "amber", "red", "ext-value"]}

408 Note that you must use the "ext-restriction" field (STRING type) when the
409 value of the "restriction" field is set to "ext-value".

411 3.3.2. observable-id Attribute

413 RFC 7970 [RFC7970] defines the observable-id attribute as one of
414 common attributes. The value of this attribute is a unique
415 identifier, in string type, in the scope of the document. It is
416 defined as below:

418 3.4. IncidentID Class

420 The class elements and an example are shown below. See Section 3.4
421 of RFC 7970 [RFC7970] for the intended meanings of these elements.

423 Class elements:

425 id, name, instance?, restriction?, ext-restriction?
426 Example:

428 "IncidentID": {
429   "id": "nict20150518-0001", // STRING
430   "name": "NICT_cert", // STRING
431   "instance": "cyberlab", // STRING
432   "restriction": "ext-value", // ENUM
433   "ext-restriction": "registration required" // STRING
434 }

436 3.5. AlternativeID Class

438 The class elements and an example are shown below. See Section 3.5
439 of RFC 7970 [RFC7970] for the intended meanings of these elements.

441 Class elements:

443 restriction?, ext-restriction?, IncidentID+

445 Example:

447 "AlternativeID": {
448   "restriction": "private", //ENUM
449   "IncidentID": [<<>>] //IncidentID
450 }

452 3.6. RelatedActivity Class

454 The class elements and an example are shown below. See Section 3.6
455 of RFC 7970 [RFC7970] for the intended meanings of these elements.

457 Class elements:

459 restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
460 Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

462 Example:

464 "RelatedActivity": {
465   "restriction": "private", //ENUM
466   "ThreatActor": [{...}], //ThreatActor class
467   "Campaign": [{...}] //Campaign class
468 }

470 3.7. ThreatActor Class

472 The class elements and an example are shown below. See Section 3.7
473 of RFC 7970 [RFC7970] for the intended meanings of these elements.

475 Class elements:

477 restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
478 Description_ML*, AdditionalData*

480 Example:

482 "ThreatActor": {
483   "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING
484   "Description": ["Aggressive Butterfly"] //STRING
485 }

487 3.8. Campaign Class

489 The class elements and an example are shown below. See Section 3.8
490 of RFC 7970 [RFC7970] for the intended meanings of these elements.

492 Class elements:

494 restriction?, ext-restriction?, CampaignID*, URL*, Description*,
495 Description_ML*, AdditionalData*

497 Example:

499 "Campaign": {
500   "CampaignID": "C-2015-59405", //STRING
501   "Description": ["Orange Giraffe"] //STRING
502 }

504 3.9. Contact Class

506 The class elements and an example are shown below. See Section 3.9
507 of RFC 7970 [RFC7970] for the intended meanings of these elements.

509 Class elements:

511 role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
512 ContactName*, ContactName_ML*, ContactTitle*, ContactTitle_ML*,
513 Description*, Description_ML*, RegistryHandle*, PostalAddress*,
514 Email*, Telephone*, Timezone?, Contact*, AdditionalData*

516 Example:

518 "Contact": {
519   "role": "creator", //ENUM
520   "type": "organization", //ENUM
521   "ContactName": {"value":"CSIRT for example.com"}, //STRING
522   "ContactTitle": {"value":"Senior Research Engineer"}, //STRING
523   "email": {...}, //Email Class
524   "Telephone": {...}, //Telephone Class
525   "Timezone": "+09:00" //TIMEZONE
526 }

528 3.9.1. RegistryHandle Class

530 The class elements and an example are shown below. See Section 3.9.1
531 of RFC 7970 [RFC7970] for the intended meanings of these elements.

533 Class elements:

535 handle, registry, ext-registry?

537 Example:

539 "RegistryHandle": {
540   "handle": "MyAPNIC", //STRING
541   "registry": "apnic" //ENUM
542 }

544 3.9.2. PostalAddress Class

546 The class elements and an example are shown below. See Section 3.9.2
547 of RFC 7970 [RFC7970] for the intended meanings of these elements.

549 Class elements:

551 type?, ext-type?, PAddress, Description*, Description_ML*

553 Example:

555 "PostalAddress": {
556   "type": "mailing", //ENUM
557   "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL
558   "Description": ["Office address"] //STRING
559 },

561 3.9.3. Email Class

563 The class elements and an example are shown below. See Section 3.9.3
564 of RFC 7970 [RFC7970] for the intended meanings of these elements.

566 Class elements:

568 type?, ext-type?, EmailTo, Description*, Description_ML*

570 Example:

572 "Email": {
573   "type": "direct", //ENUM
574   "emailTo": "contact@csirt.example.com", //EMAIL
575   "Description": ["Administrator's address"] //STRING
576 },

578 3.9.4. Telephone Class

580 The class elements and an example are shown below. See Section 3.9.4
581 of RFC 7970 [RFC7970] for the intended meanings of these elements.

583 Class elements:

585 type?, ext-type?, TelephoneNumber, Description*, Description_ML*

587 Example:

589 "Telephone": {
590   "type": "wired", //ENUM
591   "TelephoneNumber": "+818012345678", //PHONE
592   "Description": ["Admin's mobile"] //STRING
593 },

595 3.10. Discovery Class

597 The class elements and an example are shown below. See Section 3.10
598 of RFC 7970 [RFC7970] for the intended meanings of these elements.

600 Class elements:

602 source?, ext-source?, restriction?, ext-restriction?, Description*,
603 Description_ML*, Contact*, DetectionPattern*

605 Example:

607 "Discovery": {
608   "source": "nidps", //ENUM
609   "restriction": "need-to-know", //ENUM
610   "Contact": {...}, //Contact class
611   "DetectionPattern": {...}, //DetectionPattern class
612   "Description": ["IDS provided an alert"] //STRING
613 }

616 3.10.1. DetectionPattern Class

618 The class elements and an example are shown below. See
619 Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
620 these elements.

622 Class elements:

624 restriction?, ext-restriction?, observable-id?, Application,
625 Description*, Description_ML*, DetectionConfiguration*

627 Example:

629 "DetectionPattern": {
630   "Application": {...}, //SOFTWARE
631   "Description": ["The specified application
632     needs to be reviewed"] //STRING
633 }

636 3.11. Method Class

638 The class elements and an example are shown below. See Section 3.11
639 of RFC 7970 [RFC7970] for the intended meanings of these elements.

641 Class elements:

643 restriction?, ext-restriction?, Reference*, Description*,
644 Description_ML*, AttackPattern*, Vulnerability*, Weakness*

646 Example:

648 "Method": {
649   "AttackPattern": {...}, //StructuredInfo
650   "Vulnerability": {...} //StructuredInfo
651 }

653 3.11.1. Reference Class

655 The class elements and an example are shown below. See
656 Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
657 these elements.

659 Class elements:

661 observable-id?, ReferenceName?, URL*, Description*, Description_ML*

663 Example:

665 "Reference":{
666   "URL":"http://www.nict.go.jp" //URL
667 }

669 3.12. Assessment Class

671 The class elements and an example are shown below. See Section 3.12
672 of RFC 7970 [RFC7970] for the intended meanings of these elements.

674 Class elements:

676 occurence?, restriction?, ext-restriction?, observable-id?,
677 IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
678 MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
679 MitigationFactor_ML*, Cause*, Cause_ML*, Confidence?, AdditionalData*

681 Example:

683 "Assessment": {
684   "SystemImpact": {...}, //SystemImpact class
685   "BusinessImpact": {...}, //BusinessImpact class
686   "TimeImpact": {...}, //TimeImpact class
687   "MonetaryImpact": {...}, //MonetaryImpact class
688   "IntendedImpact": {...}, //IntendedImpact class
689   "Counter": "5", //Counter class
690   "MitigationFactor": ["Rebooting is required"], //STRING
691   "Cause": ["Malware Infection"] //STRING
692 }

695 3.12.1. SystemImpact Class

697 The class elements and an example are shown below. See
698 Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
699 these elements.

701 Class elements:

703 severity?, completion?, type, ext-type?, Description*,
704 Description_ML*

706 Example:

708 "SystemImpact":{
709   "severity":"high", //ENUM
710   "completion": "successful", //ENUM
711   "type":"integrity-data", //ENUM
712   "Description": ["The web page was falsified"] //STRING
713 },

715 3.12.2. BusinessImpact Class

717 The class elements and an example are shown below. See
718 Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
719 these elements.

721 Class elements:

723 severity?, ext-severity?, type, ext-type?, Description*,
724 Description_ML*

726 Example:

728 "BusinessImpact": {
729   "severity":"medium", //ENUM
730   "completion": "successful", //ENUM
731   "type": "degraded-reputation", //ENUM
732   "Description": ["The web page was falsified"] //STRING
733 }

735 3.12.3. TimeImpact Class

737 The class elements and an example are shown below. See
738 Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
739 these elements.

741 Class elements:

743 value, severity?, metric, ext-metric?, duration?, ext-duration?

745 Example:

747 "TimeImpact":{
748   "time": "240", //REAL
749   "metric": "elapsed", //ENUM
750   "duration": "minutes" //ENUM
751 }

753 3.12.4. MonetaryImpact Class

755 The class elements and an example are shown below. See
756 Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of
757 these elements.

759 Class elements:

761 value, severity?, currency?

763 Example:

765 "MonetaryImpact":{
766   "money": "10000", //REAL
767   "severity": "medium", //ENUM
768   "currency": "USD" //STRING
769 }

771 3.12.5. Confidence Class

773 The class elements and an example are shown below. See
774 Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of
775 these elements.

777 Class elements:

779 value, rating, ext-rating?

781 Example:

783 "Confidence": {
784   "value": "5", //REAL
785   "rating": "medium" //ENUM
786 }

788 3.13. History Class

790 The class elements and an example are shown below. See Section 3.13
791 of RFC 7970 [RFC7970] for the intended meanings of these elements.

793 Class elements:

795 restriction?, ext-restriction?, HistoryItem+

797 Example:

799 "History": {
800   "restriction": "need-to-know", //ENUM
801   "HistoryItem": { ... } //HistoryItem class
802 },

804 3.13.1. HistoryItem Class

806 The class elements and an example are shown below. See
807 Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
808 these elements.

810 Class elements:

812 action, ext-action?, restriction?, ext-restriction?, observable-id?,
813 DateTime, IncidentID?, Contact?, Description*, Description_ML*,
814 DefinedCOA*, AdditionalData*

816 Example:

818 "HistoryItem": {
819   "action": "investigate", //ENUM
820   "restriction": "need-to-know", //ENUM
821   "DateTime": "2015-10-15T11:18:00-05:00", //DateTime
822   "IncidentID": { ...} //IncidentID class
823 }

825 3.14. EventData Class

827 The class elements and an example are shown below. See Section 3.14
828 of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Description*,
   Description_ML*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
   ReportTime?, Contact*, Discovery*, Assessment?, Method*,
   Expectation*, RecordData*, EventData*, AdditionalData*

   Example:

     "EventData": {
       "ReportTime": "2016-06-01 18:05:33",
       "Contact": { ...},        //Contact class
       "Assessment": { ...},     //Assessment class
       "Method": { ...},         //Method class
       "System": { ... },        //System class
       "Expectation": { ...}     //Expectation class
     }

3.15. Expectation Class

   The class elements and an example are shown below. See Section 3.15
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   action?, ext-action?, severity?, restriction?, ext-restriction?,
   Description*, Description_ML*, DefinedCOA*, StartTime?, EndTime?,
   Contact?

   Example:

     "Expectation": {
       "action": "investigate",         //ENUM
       "severity": "medium",            //ENUM
       "restriction": "need-to-know"    //ENUM
     },

3.16. System Class

   The class elements and an example are shown below. See Section 3.17
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
   ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
   Service*, OperatingSystem*, Counter*, AssetID*, Description*,
   Description_ML*, AdditionalData*

   Example:

     "System": {
       "category": "source",    //ENUM
       "Node": { ... },         //Node class
       "Service": { ... }       //Service class
     },

3.17. Node Class

   The class elements and an example are shown below. See Section 3.18
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   DomainData*, Address*, PostalAddress?, Location*, Location_ML*,
   Counter*

   Example:

     "Node": {
       "Address": { ... },         //Address class
       "Location": ["OrgID=7"]     //STRING
     }

3.17.1. Address Class

   The class elements and an example are shown below. See
   Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, category, ext-category?, vlan-name?, vlan-num?, observable-id?

   Example:

     "Address": {
       "value": "192.228.139.118",   //STRING
       "category": "ipv4-addr"       //ENUM
     },

3.17.2. NodeRole Class

   The class elements and an example are shown below. See
   Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   category, ext-category?, Description*, Description_ML*

   Example:

     "NodeRole": {
       "category": "client",                        //ENUM
       "Description": ["The computer at room A"]    //STRING
     },

3.17.3. Counter Class

   The class elements and an example are shown below. See
   Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, type, ext-type?, unit, ext-unit?, meaning?, meaning_ML?,
   duration?, ext-duration?

   Example:

     "Counter": {
       "value": "3",         //REAL
       "type": "count",      //ENUM
       "unit": "packet",     //ENUM
       "meaning": "The number of scan packets are counted"   //STRING
     }

3.18. DomainData Class

   The class elements and an example are shown below. See Section 3.19
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   system-status, ext-system-status?, domain-status, ext-domain-status?,
   observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
   ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?

   Example:

     "DomainData": {
       "system-status": "innocent-hacked",        //ENUM
       "domain-status": "assignedAndInactive",    //STRING
       "Name": "temp1.nict.go.jp"                 //STRING
     },

3.18.1. Nameserver Class

   This class is defined in Section 3.19.1 of RFC 7970 [RFC7970].
   The example below represents how to describe this class in JSON.

   Class elements:

   Server, Address*

   Example:

     "NameServers": {
       "Server": "vgw.nict.go.jp",           //STRING
       "Address": {
         "AddressValue": "133.243.18.5",     //STRING
         "category": "ipv4-addr"             //ENUM
       }
     }

3.18.2. DomainContacts Class

   This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   SameDomainContact?, Contact+

   Example:

     "DomainContacts": {
       "Contact": {
         "role": "user",            //ENUM
         "type": "organization"     //ENUM
       }
     }

3.19. Service Class

   This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
   ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField+,
   EmailData?, Application?

   Example:

     "Service": {
       "ServiceName": {
         "Description": ["It seems to be a scan from an infected machine."]
       },
       "ip-protocol": 6,     //INTEGER
       "Port": 49183         //INTEGER
     }

3.19.1. ServiceName Class

   This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   IANAService?, URL*, Description*, Description_ML*

   Example:

     "ServiceName": {
       "IANAService": "telnet",                                    //STRING
       "URL": "https://en.wikipedia.org/wiki/Telnet",              //STRING
       "Description":["It is a scan from an infected machine."]    //STRING
     },

3.19.2. EmailData Class

   This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
   EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
   HashData*, Signature*

   Example:

     "EmailData":{
       "EmailTo": "user1@example.org",              //EMAIL
       "EmailFrom": "user2@example.com",            //EMAIL
       "EmailSubject": "example email",             //STRING
       "EmailX-Mailer": "example mailer v1.1.0",    //STRING
       "EmailBody": "example email"                 //STRING
     }

   Note that the Signature element in this class contains the
   base64-encoded form of the signature as described in Section 4.2 of
   [W3C.XMLSIG].

3.19.3. RecordData Class

   This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, DateTime?,
   Description*, Description_ML*, Application?, RecordPattern*,
   RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*,
   CertificateData*, AdditionalData*

   Example:

     "RecordData": {
       "RecordPattern": {
         "type": "regex",
         "value": "[0-9][A-Z]"
       }
     },

3.19.4. RecordPattern Class

   This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
   value

   Example:

     "RecordPattern": {
       "type": "regex",
       "value": "[0-9][A-Z]"
     },

3.20. WindowsRegistryKeysModified Class

   This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, Key+

   Example:

     "WindowsRegistryKeysModified": {
       "Key": {
         "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",    //STRING
         "KeyName":"HKEY_LOCAL_MACHINExxxxxxx"     //STRING
       }
     }

3.20.1. Key Class

   This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   registryaction?, ext-registryaction?, observable-id?, KeyName,
   KeyValue?

   Example:

     "Key": {
       "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",    //STRING
       "KeyName":"HKEY_LOCAL_MACHINExxxxxxx"     //STRING
     }

3.21. CertificateData Class

   This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Certificate+

   Example:

     "CertificateData": {
       "Certificate": {
         "X509Data": "xxxxxxxx"    //STRING
       }
     }

3.21.1. Certificate Class

   This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The
   X509Data class contains the base64-encoded form of an X.509
   certificate or chain as described in Section 4.4.4 of [W3C.XMLSIG].
   The example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, X509Data, Description*, Description_ML*

   Example:

     "Certificate": {
       "X509Data": "xxxxxxxx"    //STRING
     }

3.22. FileData Class

   This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, File+

   Example:

     "FileData": {
       "File": {
         "FileName": "dummy.exe"    //STRING
       }
     },

3.22.1. File Class

   This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
   Signature*, AssociatedSoftware?, FileProperties*

   Example:

     "File": {
       "FileName": "dummy.exe"    //STRING
     }

   Note that the Signature element in this class contains the
   base64-encoded form of the signature as described in Section 4.2 of
   [W3C.XMLSIG].

3.23. HashData Class

   This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   scope, HashTargetID?, Hash*, FuzzyHash*

   Example:

     "HashData": {
       "scope": "file-contents",    //ENUM
       "Hash": {
         "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1",    //STRING
         "DigestValue": "xxxxxxxxxxx"                                //STRING
       }
     }

3.23.1. Hash Class

   This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   DigestMethod, DigestValue, CanonicalizationMethod?, Application?

   Example:

     "Hash": {
       "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",    //STRING
       "DigestValue": "xxxxxxxxxxx"                                 //STRING
     }

3.23.2. FuzzyHash Class

   This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   FuzzyHashValue+, Application?, AdditionalData?

   Example:

     "FuzzyHash": {
       "FuzzyHashValue": {}
     }

3.24. Indicator Class

   This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
   Description*, Description_ML*, StartTime?, EndTime?, Confidence?,
   Contact*, Observable?, uid-ref?, IndicatorExpression?,
   IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
   AdditionalData*

   Example:

     "Indicator": {
       "IndicatorID": {
         "id": "G90823490",              //STRING
         "name": "csirt.example.com",    //STRING
         "version": "1"                  //STRING
       },
       "Description": ["C2 domains"],               //STRING
       "StartTime": "2014-12-02T11:18:00-05:00",    //Datetime
       "Observable": {
         "BulkObservable": {
           "type": "fqdn"    //ENUM
         },
         "BulkObservableList": [
           "kj290023j09r34.example.com",        //STRING
           "09ijk23jfj0k8.example.net",         //STRING
           "klknjwfjiowjefr923.example.org",    //STRING
           "oimireik79msd.example.org"          //STRING
         ]
       }
     }

3.24.1. IndicatorID Class

   This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   id, name, version

   Example:

     "IndicatorID": {
       "id": "G90823490",              //STRING
       "name": "csirt.example.com",    //STRING
       "version": "1"                  //STRING
     }

3.24.2. AlternativeIndicatorID Class

   This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorReference+

   Example:

     "AlternativeIndicatorID": {
       "IndicatorReference": {
         "uid-ref": "xxxxx"
       }
     },

3.24.3. Observable Class

   This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, System?, Address?, DomainData?,
   Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
   CertificateData?, RegistryHandle?, RecordData?, EventData?,
   Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
   HistoryItem?, BulkObservable?, AdditionalData*

   Example:

     "Observable": {
       "BulkObservable": {
         "type": "fqdn"    //ENUM
       },
       "BulkObservableList": [
         "kj290023j09r34.example.com",        //STRING
         "09ijk23jfj0k8.example.net",         //STRING
         "klknjwfjiowjefr923.example.org",    //STRING
         "oimireik79msd.example.org"          //STRING
       ]
     }

3.24.4. BulkObservable Class

   This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   type?, ext-type?, BulkObservableFormat?, BulkObservableList,
   AdditionalData*

   Example:

     "BulkObservable": {
       "type": "fqdn"    //ENUM
     },
     "BulkObservableList": [
       "kj290023j09r34.example.com",        //STRING
       "09ijk23jfj0k8.example.net",         //STRING
       "klknjwfjiowjefr923.example.org",    //STRING
       "oimireik79msd.example.org"          //STRING
     ]

3.24.5. BulkObservableFormat Class

   This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
   The example below represents how to describe this class in JSON.

   Class elements:

   Hash?, AdditionalData*

   Example:

     "BulkObservableFormat": {
       "Hash": {
         "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1",    //STRING
         "DigestValue": "xxxxxxxxxxx"                                //STRING
       }
     }

3.24.6. IndicatorExpression Class

   This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   operator?, ext-operator?, IndicatorExpression*, Observable*,
   uid-ref*, IndicatorReference*, Confidence?, AdditionalData*

   Example:

     "IndicatorExpression": {
       "uid-ref": "xxxxx"
     }

3.24.7. IndicatorReference Class

   This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   uid-ref?, euid-ref?, version?

   Example:

     "IndicatorReference": {
       "uid-ref": "xxxxx"
     }

3.24.8. AttackPhase Class

   This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The
   example below represents how to describe this class in JSON.

   Class elements:

   AttackPhaseID*, URL*, Description*, Description_ML*, AdditionalData*

   Example:

     "AttackPhase": {
       "Description": ["Currently, the infected host is scanning arbitrary hosts to find next targets."]    //STRING
     }

4. Notable differences from RFC 7970

   o  This document treats attributes and elements of each class defined
      in RFC 7970 [RFC7970] equally and is agnostic on the order of
      their appearances.

   o  Flow class is deleted, and classes with its instances now directly
      have instances of EventData class that used to belong to the Flow
      class.

   o  ApplicationHeader class is deleted, and classes with its instances
      now directly have instances of ApplicationHeaderField class that
      used to belong to the ApplicationHeader class.

   o  SignatureData class is deleted, and classes with its instances now
      directly have instances of Signature class that used to belong to
      the SignatureData class.

   o  IndicatorData class is deleted, and classes with its instances now
      directly have the instances of Indicator class that used to belong
      to the IndicatorData class.

   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The elements of ML_STRING type are prepared as two separate
      elements: one of STRING type and another of ML_STRING type, in
      order to maintain the simplicity of IODEF documents when writing
      with only STRING type characters.

5. Examples

   This section provides examples of IODEF documents. These examples do
   not represent the full capabilities of the data model or the only
   way to encode particular information.

5.1. Minimal Example

   A document containing only the mandatory elements and attributes.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": 492382,
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ]
       }
     ]
   }

5.2. Indicators from a Campaign

   An example of C2 domains from a given campaign.

   {
     "version": "2.0",
     "lang": "en",
     "Incidents": [
       {
         "purpose": "watch",
         "restriction": "green",
         "IncidentID": {
           "id": "897923",
           "name": "csirt.example.com"
         },
         "RelatedActivity": [
           {
             "ThreatActor": [
               {
                 "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
                 "Description": "Aggressive Butterfly"
               }
             ],
             "Campaign": [
               {
                 "CampaignID": "C-2015-59405",
                 "Description": "Orange Giraffe"
               }
             ]
           }
         ],
         "GenerationTime": "2015-10-02T11:18:00-05:00",
         "Description": [
           "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
         ],
         "Assessment": [
           {
             "BusinessImpact": {
               "type": "breach-proprietary"
             }
           }
         ],
         "Contacts": [
           {
             "type": "organization",
             "role": "creator",
             "ContactName": "CSIRT for example.com",
             "Email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ],
         "IndicatorList": [
           {
             "IndicatorID": {
               "id": "G90823490",
               "name": "csirt.example.com",
               "version": "1"
             },
             "Description": "C2 domains",
             "StartTime": "2014-12-02T11:18:00-05:00",
             "Observable": {
               "BulkObservable": {
                 "type": "fqdn"
               },
               "BulkObservableList": [
                 "kj290023j09r34.example.com",
                 "09ijk23jfj0k8.example.net",
                 "klknjwfjiowjefr923.example.org",
                 "oimireik79msd.example.org"
               ]
             }
           }
         ]
       }
     ]
   }

6. The IODEF Data Model (JSON Schema)

   { "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site","contact-target-site",
           "contact-sender", "investigate","block-host","block-network",
           "block-port","rate-limit-host","rate-limit-network",
           "rate-limit-port","redirect-traffic","honeypot",
           "upgrade-software","rebuild-asset","harden-asset",
           "remediate-other","status-triage","status-new-info",
           "watch-and-report","training","defined-coa","ext-value"]},
       "duration": {"enum": ["second","minute","hour","day","month","quarter",
           "year","ext-value"]},
       "lang": {"enum": ["en","jp"]},
       "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
           "ext-value"]},
       "restriction": {"enum": ["public","partner","need-to-know","private",
           "default","white","green","amber","red","ext-value"]},
       "status": {"enum": ["new","in-progress","forwarded","resolved","future",
           "ext-value"]},
       "DATETIME": {"type": "string"},
       "PORTLIST": {"type": "string"},
       "URLtype": {"type": "string"},
       "IDtype": {"type": "string"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
               "ntpstamp","integer","portlist","real","string","file",
               "path","frame","packet","ipv4-packet","ipv6-packet","url",
               "csv","winreg","xml","ext-value"]},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}}},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"}},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {"$ref": "#/definitions/URLtype"},
           "Description": {"type": "array", "items": {"type":"string"}}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"type": "string"},
           "ext-spec-name": {"type": "string"},
           "dtype": {"type": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "specID": {"type": "string"},
           "ext-specID": {"type": "string"},
           "contentID": {"type": "string"},
           "RawData": {"type": "string"},
           "URL": {"$ref": "#/definitions/URLtype"}},
         "required": ["specID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
           "DetectTime": {"type": "string"},
           "StartTime": {"type": "string"},
           "EndTime": {"type": "string"},
           "RecoveryTime": {"type": "string"},
           "ReportTime": {"type": "string"},
           "GenerationTime": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}},
           "Discovery": {
             "type": "array","items": {"$ref": "#/definitions/Discovery"}},
           "Assessment": {
             "type": "array","items": {"$ref": "#/definitions/Assessment"}},
           "Methods": {
             "type": "array","items": {"$ref": "#/definitions/Method"}},
           "Contacts": {
             "type": "array","items": {"$ref": "#/definitions/Contact"}},
           "EventData": {
             "type": "array","items": {"$ref": "#/definitions/EventData"}},
           "IndicatorList": {
             "type": "array","items": {"$ref": "#/definitions/Indicator"}},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID","GenerationTime","Contacts","purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
           "URL": {
             "type": "array","items": {"$ref": "#/definitions/URLtype"}},
           "ThreatActor": {
             "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
           "Campaign": {
             "type": "array","items": {"$ref": "#/definitions/Campaign"}},
           "IndicatorID": {
             "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": { "type": "array","items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {"type": "array", "items": {"type": "string"}},
           "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum": ["creator","reporter","admin","tech","provider","user",
                 "billing","legal","irt","abuse","cc","cc-irt","leo",
                 "vendor","vendor-support","victim","victim-notified",
                 "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person","organization","ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ContactName": {"type": "array", "items": {"type": "string"}},
           "ContactTitle": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "RegistryHandle": {
             "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},
           "PostalAddress": {
             "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
           "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
           "Telephone": {
             "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
           "Timezone": {"type": "string"},
           "Contact": {
             "type": "array", "items": {"$ref": "#/definitions/Contact"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["role","type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
                 "ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {"type": "string"},
           "ext-type": {"type": "string"},
           "PAddress": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["direct","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["wired","mobile","fax","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum":["nidps","hips","siem","av","third-party-monitoring",
                 "incident","os-log","application-log","device-log",
                 "network-flow","passive-dns","investigation","audit",
                 "internal-notification","external-notification","leo",
                 "partner","actor","unknown","ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}},
           "Contact": {
             "type": "array", "items": {"$ref": "#/definitions/Contact"}},
           "DetectionPattern": {
             "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {"type": "array", "items": {"type": "string"}},
           "DetectionConfiguration": {
             "type": "array", "items": {"type": "string"}}},
         "required": ["Application"],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "References": {
             "type": "array","items": {"$ref": "#/definitions/Reference"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "AttackPattern": {
             "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
           "Vulnerability": {
             "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
           "Weakness": {
             "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {"type": "string"},
           "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": [],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum":["actual","potential"]},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {"type": "array", "items": {"type": "string"}},
           "SystemImpact": {
             "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
           "BusinessImpact": {
             "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
           "TimeImpact": {
             "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
           "MonetaryImpact": {
             "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
           "IntendedImpact": {
             "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
           "Counter": {
             "type": "array", "items": {"$ref": "#/definitions/Counter"}},
           "MitigatingFactor": {
             "type": "array", "items": {"type": "string"}},
           "Cause": {"type": "array", "items": {"type": "string"}},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {
             "enum":["low","medium","high"]},
           "completion": {"enum":["failed","succeeded"]},
           "type": {
             "enum":["takeover-account","takeover-service","takeover-system",
                 "cps-manipulation","cps-damage","availability-data",
                 "availability-account","availability-service",
                 "availability-system","damaged-system","damaged-data",
                 "breach-proprietary","breach-privacy","breach-credential",
                 "breach-configuration","integrity-data",
                 "integrity-configuration","integrity-hardware",
                 "traffic-redirection","monitoring-traffic","monitoring-host",
                 "policy","unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}}},
         "required": ["type"],
         "additionalProperties": false},
       "BusinessImpact": {
         "type": "object",
         "properties": {
           "severity": {
             "enum":["none","low","medium","high","unknown","ext-value"]},
           "ext-severity": {"type":"string"},
           "type": {
             "enum":["breach-proprietary","breach-privacy","breach-credential",
                 "loss-of-integrity","loss-of-service","theft-financial",
                 "theft-service","degraded-reputation","asset-damage",
                 "asset-manipulation","legal","extortion","unknown",
                 "ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}}},
         "required": ["type"],
         "additionalProperties": false},
       "TimeImpact": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "severity": {"enum": ["low","medium","high"]},
           "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
           "ext-metric": {"type": "string"},
           "duration": {"$ref":"#/definitions/duration"},
           "ext-duration": {"type": "string"}},
         "required": ["metric"],
         "additionalProperties": false},
       "MonetaryImpact": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "severity": {"enum":["low","medium","high"]},
           "currency": {"type": "string"}},
         "required": [],
         "additionalProperties": false},
       "Confidence": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "rating": {
             "enum": ["low","medium","high","numeric","unknown","ext-value"]},
           "ext-rating": {"type":"string"}},
         "required": ["rating"],
         "additionalProperties": false},
       "History": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "HistoryItem": {
             "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
         "required": ["HistoryItem"],
         "additionalProperties": false},
       "HistoryItem": {
         "type": "object",
         "properties": {
           "action": {"$ref": "#/definitions/action"},
           "ext-action": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "Contact": {"$ref": "#/definitions/Contact"},
           "Description": {"type": "array","items": {"type": "string"}},
           "DefinedCOA": {"type": "array","items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["DateTime","action"],
         "additionalProperties":
false}, 2004 "EventData": { 2005 "type": "object", 2006 "properties": { 2007 "restriction": {"$ref": "#/definitions/restriction"}, 2008 "ext-restriction": {"type": "string"}, 2009 "observable-id": {"$ref": "#/definitions/IDtype"}, 2010 "Description": {"type": "array","items": {"type": "string"}}, 2011 "DetectTime": {"type": "string"}, 2012 "StartTime": {"type": "string"}, 2013 "EndTime": {"type": "string"}, 2014 "RecoveryTime": {"type": "string"}, 2015 "ReportTime": {"type": "string"}, 2016 "Contact": { 2017 "type": "array","items": {"$ref": "#/definitions/Contact"}}, 2018 "Discovery": { 2019 "type": "array","items": {"$ref": "#/definitions/Discovery"}}, 2020 "Assessment": {"$ref": "#/definitions/Assessment"}, 2021 "Method": { 2022 "type": "array","items": {"$ref": "#/definitions/Method"}}, 2023 "System": { 2024 "type": "array","items": {"$ref": "#/definitions/System"}}, 2025 "Expectation": { 2026 "type": "array","items": {"$ref": "#/definitions/Expectation"}}, 2027 "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}}, 2028 "EventData": { 2029 "type": "array","items": {"$ref": "#/definitions/EventData"}}, 2030 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2031 "required": ["ReportTime"], 2032 "additionalProperties": false}, 2033 "Expectation": { 2034 "type": "object", 2035 "properties": { 2036 "action": {"$ref":"#/definitions/action"}, 2037 "ext-action": {"type": "string"}, 2038 "severity": {"enum": ["low","medium","high"]}, 2039 "restriction": {"$ref": "#/definitions/restriction"}, 2040 "ext-restriction": {"type": "string"}, 2041 "observable-id": {"$ref": "#/definitions/IDtype"}, 2042 "Description": {"type": "array","items": {"type": "string"}}, 2043 "DefinedCOA": {"type": "array","items": {"type": "string"}}, 2044 "StartTime": {"type": "string"}, 2045 "EndTime": {"type": "string"}, 2046 "Contact": {"$ref": "#/definitions/Contact"}}, 2047 "required": [], 2048 "additionalProperties": false}, 2049 "System": { 2050 "type": 
"object", 2051 "properties": { 2052 "category": { 2053 "enum": ["source","target","intermediate","sensor","infrastructure", 2054 "ext-value"]}, 2055 "ext-category": {"type": "string"}, 2056 "interface": {"type": "string"}, 2057 "spoofed": {"enum": ["unknown","yes","no"]}, 2058 "virtual": {"enum": ["yes","no","unknown"]}, 2059 "ownership": { 2060 "enum":["organization","personal","partner","customer", 2061 "no-relationship","unknown","ext-value"]}, 2062 "ext-ownership": {"type": "string"}, 2063 "restriction": {"$ref": "#/definitions/restriction"}, 2064 "ext-restriction": {"type": "string"}, 2065 "observable-id": {"$ref": "#/definitions/IDtype"}, 2066 "Node": {"$ref": "#/definitions/Node"}, 2067 "NodeRole": { 2068 "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, 2069 "Service": { 2070 "type": "array","items": {"$ref": "#/definitions/Service"}}, 2071 "OperatingSystem": { 2072 "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, 2073 "Counter": { 2074 "type": "array","items": {"$ref": "#/definitions/Counter"}}, 2075 "AssetID": {"type": "array","items": {"type": "string"}}, 2076 "Description": {"type": "array","items": {"type": "string"}}, 2077 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2078 "required": ["Node"], 2079 "additionalProperties": false}, 2080 "Node": { 2081 "type": "object", 2082 "properties": { 2083 "DomainData": { 2084 "type": "array","items": {"$ref": "#/definitions/DomainData"}}, 2085 "Address": { 2086 "type": "array","items": {"$ref": "#/definitions/Address"}}, 2087 "PostalAddress": {"type": "string"}, 2088 "Location": {"type": "array","items": {"type": "string"}}, 2089 "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}}, 2090 "required": [], 2091 "additionalProperties": false}, 2092 "Address": { 2093 "type": "object", 2094 "properties": { 2095 "value": {"type": "string"}, 2096 "category": { 2097 "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 2098 
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", 2099 "ipv6-net-masked","mac","site-url","ext-value"]}, 2100 "ext-category": {"type": "string"}, 2101 "vlan-name": {"type": "string"}, 2102 "vlan-num": {"type": "integer"}, 2103 "observable-id": {"$ref": "#/definitions/IDtype"}}, 2104 "required": ["category"], 2105 "additionalProperties": false}, 2106 "NodeRole": { 2107 "type": "object", 2108 "properties": { 2109 "category": { 2110 "enum":["client","client-enterprise","clent-partner","client-remote", 2111 "client-kiosk","client-mobile","server-internal", 2112 "server-public","www","mail","webmail","messaging", 2113 "streaming","voice","file","ftp","p2p","name","directory", 2114 "credential","print","application","database","backup", 2115 "dhcp","assessment","source-control","config-management", 2116 "monitoring","infra","infra-firewall","infra-router", 2117 "infra-switch","camera","proxy","remote-access","log", 2118 "virtualization","pos", "scada", "scada-supervisory", 2119 "sinkhole","honeypot","anomyzation","c2-server", 2120 "malware-distribution","drop-server","hot-point","reflector", 2121 "phishing-site","spear-phishing-site","recruiting-site", 2122 "fraudulent-site","ext-value"]}, 2123 "ext-category": {"type": "string"}, 2124 "Description": {"type": "array","items": {"type": "string"}}}, 2125 "required": ["category"], 2126 "additionalProperties": false}, 2127 "Counter": { 2128 "type": "object", 2129 "properties": { 2130 "value": {"type": "string"}, 2131 "type": {"enum": ["count","peak","average","ext-value"]}, 2132 "ext-type": {"type": "string"}, 2133 "unit": {"enum": ["byte","mbit","packet","flow","session","alert", 2134 "message","event","host","site","organization","ext-value"]}, 2135 "ext-unit": {"type": "string"}, 2136 "meaning": {"type": "string"}, 2137 "duration": {"$ref":"#/definitions/duration"}, 2138 "ext-duration": {"type": "string"}}, 2139 "required": ["type","unit"], 2140 "additionalProperties": false}, 2141 "DomainData": { 2142 "type": 
"object", 2143 "properties": { 2144 "system-status": { 2145 "enum": ["spoofed","fraudulent","innocent-hacked", 2146 "innocent-hijacked","unknown","ext-value"]}, 2147 "ext-system-status": {"type": "string"}, 2148 "domain-status": { 2149 "enum": [ 2150 "reservedDelegation","assignedAndActive","assignedAndInactive", 2151 "assignedAndOnHold","revoked","transferPending","registryLock", 2152 "registrarLock","other","unknown","ext-value"]}, 2153 "ext-domain-status": {"type": "string"}, 2154 "observable-id": {"$ref": "#/definitions/IDtype"}, 2155 "Name": {"type": "string"}, 2156 "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, 2157 "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, 2158 "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, 2159 "RelatedDNS": { 2160 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2162 "NameServers": { 2163 "type": "array","items": {"$ref": "#/definitions/NameServers"}}, 2164 "DomainContacts": { 2165 "$ref": "#/definitions/DomainContacts"}}, 2166 "required": ["Name","system-status","domain-status"], 2167 "additionalProperties": false}, 2168 "NameServers": { 2169 "type": "object", 2170 "properties": { 2171 "Server": {"type": "string"}, 2172 "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}}, 2173 "required": ["Server","Address"], 2174 "additionalProperties": false}, 2175 "DomainContacts": { 2176 "type": "object", 2177 "properties": { 2178 "SameDomainContact": {"type": "string"}, 2179 "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}}, 2180 "required": ["Contact"], 2181 "additionalProperties": false}, 2182 "Service": { 2183 "type": "object", 2184 "properties": { 2185 "ip-protocol": {"type": "integer"}, 2186 "observable-id": {"$ref": "#/definitions/IDtype"}, 2187 "ServiceName": {"$ref": "#/definitions/ServiceName"}, 2188 "Port": {"type": "integer"}, 2189 "Portlist": {"$ref": "#/definitions/PORTLIST"}, 2190 "ProtoCode": {"type": "integer"}, 2191 "ProtoType": {"type": 
"integer"}, 2192 "ProtoField": {"type": "integer"}, 2193 "ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"}, 2194 "EmailData": {"$ref": "#/definitions/EmailData"}, 2195 "Application": {"$ref": "#/definitions/SoftwareType"}}, 2196 "required": [], 2197 "additionalProperties": false}, 2198 "ServiceName": { 2199 "type": "object", 2200 "properties": { 2201 "IANAService": {"type": "string"}, 2202 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2203 "Description": {"type": "array","items": {"type": "string"}}}, 2204 "required": [], 2205 "additionalProperties": false}, 2206 "EmailData": { 2207 "type": "object", 2208 "properties": { 2209 "observable-id": {"$ref": "#/definitions/IDtype"}, 2210 "EmailTo": {"type": "array","items": {"type": "string"}}, 2211 "EmailFrom": {"type": "string"}, 2212 "EmailSubject": {"type": "string"}, 2213 "EmailX-Mailer": {"type": "string"}, 2214 "EmailHeaderField": { 2215 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2216 "EmailHeaders": {"type": "string"}, 2217 "EmailBody": {"type": "string"}, 2218 "EmailMessage": {"type": "string"}, 2219 "HashData": { 2220 "type": "array","items": {"$ref": "#/definitions/HashData"}}, 2221 "Signature": {"type": "array","items": {"type": "string"}}}, 2222 "required": [], 2223 "additionalProperties": false}, 2224 "RecordData": { 2225 "type": "object", 2226 "properties": { 2227 "restriction": {"$ref": "#/definitions/restriction"}, 2228 "ext-restriction": {"type": "string"}, 2229 "observable-id": {"$ref": "#/definitions/IDtype"}, 2230 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2231 "Description": {"type": "array","items": {"type": "string"}}, 2232 "Applicadtion": {"$ref": "#/definitions/SoftwareType"}, 2233 "RecordPattern": { 2234 "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, 2235 "RecordItem": { 2236 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2237 "URL": { 2238 "type": "array","items": {"$ref": 
"#/definitions/URLtype"}}, 2239 "FileData": { 2240 "type": "array","items": {"$ref": "#/definitions/FileData"}}, 2241 "WindowsRegistryKeysModified": { 2242 "type": "array", 2243 "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, 2244 "CertificateData": { 2245 "type": "array","items": {"$ref": "#/definitions/CertificateData"}}, 2246 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2247 "required": [], 2248 "additionalProperties": false 2249 }, 2250 "RecordPattern": { 2251 "type": "object", 2252 "properties": { 2253 "value": {"type": "string"}, 2254 "type": {"enum": ["regex","binary","xpath","ext-value"]}, 2255 "ext-type": {"type": "string"}, 2256 "offset": {"type": "integer"}, 2257 "offsetunit": {"enum":["line","byte","ext-value"]}, 2258 "ext-offsetunit": {"type": "string"}, 2259 "instance": {"type": "integer"}}, 2260 "required": ["type"], 2261 "additionalProperties": false}, 2262 "WindowsRegistryKeysModified": { 2263 "type": "object", 2264 "properties": { 2265 "observabile-id": {"$ref": "#/definitions/IDtype"}, 2266 "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, 2267 "required": ["Key"], 2268 "additionalProperties": false}, 2269 "Key": { 2270 "type": "object", 2271 "properties": { 2272 "registryaction": {"enum": ["add-key","add-value","delete-key", 2273 "delete-value","modify-key","modify-value", 2274 "ext-value"]}, 2275 "ext-registryaction": {"type": "string"}, 2276 "observable-id": {"$ref": "#/definitions/IDtype"}, 2277 "KeyName": {"type":"string"}, 2278 "KeyValue": {"type": "string"}}, 2279 "required": ["KeyName"], 2280 "additionalProperties": false}, 2281 "CertificateData": { 2282 "type": "object", 2283 "properties": { 2284 "restriction": {"$ref": "#/definitions/restriction"}, 2285 "ext-restriction": {"type": "string"}, 2286 "observable-id": {"$ref": "#/definitions/IDtype"}, 2287 "Certificate": { 2288 "type": "array","items": {"$ref": "#/definitions/Certificate"}}}, 2289 "required": ["Certificate"], 2290 
"additionalProperties": false}, 2291 "Certificate": { 2292 "type": "object", 2293 "properties": { 2294 "observable-id": {"$ref": "#/definitions/IDtype"}, 2295 "X509Data": {type: "string"}, 2296 "Description": {"type": "array","items": {"type": "string"}}}, 2297 "required": ["X509Data"], 2298 "additionalProperties": false}, 2299 "FileData": { 2300 "type": "object", 2301 "properties": { 2302 "restriction": {"$ref": "#/definitions/restriction"}, 2303 "ext-restriction": {"type": "string"}, 2304 "observable-id": {"$ref": "#/definitions/IDtype"}, 2305 "File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, 2307 "required": ["File"], 2308 "additionalProperties": false}, 2309 "File": { 2310 "type": "object", 2311 "properties": { 2312 "FileName": {"type": "string"}, 2313 "FileSize": {"type": "integer"}, 2314 "FileType": {"type": "string"}, 2315 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2316 "HashData": {"$ref": "#/definitions/HashData"}, 2317 "Signature": {"type": "array","items": {"type": "string"}}, 2318 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 2319 "FileProperties": { 2320 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, 2321 "required": [], 2322 "additionalProperties": false}, 2323 "HashData": { 2324 "type": "object", 2325 "properties": { 2326 "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", 2327 "file-pe-resource","file-pdf-object","email-hash", 2328 "email-hash-header","email-hash-body"]}, 2329 "HashTargetID": {"type": "string"}, 2330 "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, 2331 "FuzzyHash": { 2332 "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, 2333 "required": ["scope"], 2334 "additionalProperties": false}, 2335 "Hash": { 2336 "type": "object", 2337 "properties": { 2338 "DigestMethod": {"type": "string"}, 2339 "DigestValue": {"type": "string"}, 2340 "CanonicalizationMethod": {}, 2341 "Application": {"$ref": 
"#/definitions/SoftwareType"}}, 2342 "required": ["DigestMethod","DigestValue"], 2343 "additionalProperties": false}, 2344 "FuzzyHash": { 2345 "type": "object", 2346 "properties": { 2347 "FuzzyHashValue": { 2348 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2349 "Application": {"$ref": "#/definitions/SoftwareType"}, 2350 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2351 "required": ["FuzzyHashValue"], 2352 "additionalProperties": false}, 2353 "Indicator": { 2354 "type": "object", 2355 "properties": { 2356 "restriction": {"$ref": "#/definitions/restriction"}, 2357 "ext-restriction": {"type": "string"}, 2358 "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 2359 "AlternativeIndicatorID": { 2360 "type": "array", 2361 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, 2362 "Description": {"type": "array","items": {"type": "string"}}, 2363 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2364 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2365 "Confidence": {"$ref": "#/definitions/Confidence"}, 2366 "Contact": { 2367 "type": "array","items": {"$ref": "#/definitions/Contact"}}, 2368 "Observable": {"$ref": "#/definitions/Observable"}, 2369 "uid-ref": {"type": "string"}, 2370 "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"}, 2371 "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, 2372 "NodeRole": { 2373 "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, 2374 "AttackPhase": { 2375 "type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, 2376 "Reference": { 2377 "type": "array","items": {"$ref": "#/definitions/Reference"}}, 2378 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2379 "required": ["IndicatorID"], 2380 "additionalProperties": false}, 2381 "IndicatorID": { 2382 "type": "object", 2383 "properties": { 2384 "id": {"type": "string"}, 2385 "name": {"type": "string"}, 2386 "version": {"type": "string"}}, 2387 "required": ["name","version"], 2388 
"additionalProperties": false}, 2389 "AlternativeIndicatorID": { 2390 "type": "object", 2391 "properties": { 2392 "restriction": {"$ref": "#/definitions/restriction"}, 2393 "ext-restriction": {"type": "string"}, 2394 "IndicatorReference": { 2395 "type": "array", 2396 "items": {"$ref": "#/definitions/IndicatorReference"}}}, 2397 "required": ["IndicatorReference"], 2398 "additionalProperties": false}, 2399 "Observable": { 2400 "type": "object", 2401 "properties": { 2402 "restriction": {"$ref": "#/definitions/restriction"}, 2403 "ext-restriction": {"type": "string"}, 2404 "System": {"$ref": "#/definitions/System"}, 2405 "Address": {"$ref": "#/definitions/Address"}, 2406 "DomainData": {"$ref": "#/definitions/DomainData"}, 2407 "EmailData": {"$ref": "#/definitions/EmailData"}, 2408 "Service": {"$ref": "#/definitions/Service"}, 2409 "WindowsRegistryKeysModified": { 2410 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 2411 "FileData": {"$ref": "#/definitions/FileData"}, 2412 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 2413 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 2414 "RecordData": {"type": "array", "item": {"$ref": "#/definitions/Record"}}, 2415 "EventData": {"$ref": "#/definitions/EventData"}, 2416 "Incident": {"$ref": "#/definitions/Incident"}, 2417 "Expectation": {"$ref": "#/definitions/Expectation"}, 2418 "Reference": {"$ref": "#/definitions/Reference"}, 2419 "Assessment": {"$ref": "#/definitions/Assessment"}, 2420 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 2421 "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, 2422 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 2423 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2424 "required": [], 2425 "additionalProperties": false}, 2426 "BulkObservable": { 2427 "type": "object", 2428 "properties": { 2429 "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 2430 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", 
2431 "site-url","domain-name","domain-to-ipv4","domain-to-ipv6", 2432 "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", 2433 "ipv4-port","ipv6-port","windows-reg-key","file-hash", 2434 "email-x-mailer","email-subject","http-user-agent", 2435 "http-request-url","mutex","file-path","user-name", 2436 "ext-value"]}, 2437 "ext-type": {"type": "string"}, 2438 "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, 2439 "BulkObservableList": {"type": "array", "item":{"type": "string"}}, 2440 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2441 "required": [], 2442 "additionalProperties": false}, 2443 "BulkObservableFormat": { 2444 "type": "object", 2445 "properties": { 2446 "Hash": {"$ref": "#/definitions/Hash"}, 2447 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2448 "required": [], 2449 "additionalProperties": false}, 2450 "IndicatorExpression": { 2451 "type": "object", 2452 "properties": { 2453 "operator": {"enum": ["not","and","or","xor"]}, 2454 "ext-operator": {"type": "string"}, 2455 "IndicatorExpression": { 2456 "type": "array", 2457 "items": {"$ref": "#/definitions/IndicatorExpression"}}, 2458 "Observable": { 2459 "type": "array","items": {"$ref": "#/definitions/Observable"}}, 2460 "uid-ref": {"type": "string"}, 2461 "IndicatorReference": { 2462 "type": "array", 2463 "items": {"$ref": "#/definitions/IndicatorReference"}}, 2464 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2465 "required": [], 2466 "additionalProperties": false}, 2467 "IndicatorReference": { 2468 "type": "object", 2469 "properties": { 2470 "uid-ref": {"type": "string"}, 2471 "euid-ref": {"type": "string"}, 2472 "version": {"type": "string"}}, 2473 "required": [], 2474 "additionalProperties": false}, 2475 "AttackPhase": { 2476 "type": "object", 2477 "properties": { 2478 "AttackPhaseID": {"type": "array","items": {"type": "string"}}, 2479 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2480 "Description": 
{"type": "array","items": {"type": "string"}}, 2481 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2482 "required": [], 2483 "additionalProperties": false}}, 2484 "title": "IODEF-Document", 2485 "description": "JSON schema for IODEF-Document class", 2486 "type": "object", 2487 "properties": { 2488 "version": {"type": "string"}, 2489 "lang": {"$ref": "#/definitions/lang"}, 2490 "format-id": {"type": "string"}, 2491 "private-enum-name": {"type": "string"}, 2492 "private-enum-id": {"type": "string"}, 2493 "Incident": { 2494 "type": "array","items": {"$ref": "#/definitions/Incident"}}, 2495 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2496 "required": ["version","Incident"], 2497 "additionalProperties": false} 2498 Figure 1: JSON schema 2500 7. Acknowledgements 2502 TBD. 2504 8. IANA Considerations 2506 This memo includes no request to IANA. 2508 9. Security Considerations 2510 This memo does not provide any further security considerations than 2511 the one described in RFC 7970 [RFC7970]. 2513 10. References 2515 10.1. Normative References 2517 [jsonschema] 2518 "JSON Schema", 2006. 2520 http://json-schema.org/ 2522 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2523 Requirement Levels", BCP 14, RFC 2119, 2524 DOI 10.17487/RFC2119, March 1997, 2525 . 2527 [RFC7970] Danyliw, R., "The Incident Object Description Exchange 2528 Format Version 2", RFC 7970, DOI 10.17487/RFC7970, 2529 November 2016, . 2531 10.2. Informative References 2533 [DOMINATION] 2534 Mad Dominators, Inc., "Ultimate Plan for Taking Over the 2535 World", 1984, . 2537 [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, 2538 DOI 10.17487/RFC2629, June 1999, 2539 . 2541 [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC 2542 Text on Security Considerations", BCP 72, RFC 3552, 2543 DOI 10.17487/RFC3552, July 2003, 2544 . 2546 [RFC5226] Narten, T. and H. 
Alvestrand, "Guidelines for Writing an 2547 IANA Considerations Section in RFCs", RFC 5226, 2548 DOI 10.17487/RFC5226, May 2008, 2549 . 2551 Authors' Addresses 2553 Takeshi Takahashi 2554 National Institute of Information and Communications Technology 2555 4-2-1 Nukui-Kitamachi 2556 Koganei, Tokyo 184-8795 2557 Japan 2559 Phone: +81 42 327 5862 2560 Email: takeshi_takahashi@nict.go.jp 2562 Roman Danyliw 2563 CERT, Software Engineering Institute, Carnegie Mellon University 2564 4500 Fifth Avenue 2565 Pittsburgh, PA 2566 USA 2568 Email: rdd@cert.org 2570 Mio Suzuki 2571 National Institute of Information and Communications Technology 2572 4-2-1 Nukui-Kitamachi 2573 Koganei, Tokyo 184-8795 2574 Japan 2576 Email: mio@nict.go.jp
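A schema in the style of Figure 1 only constrains incident reports if it is internally consistent: validators silently ignore keywords they do not recognise, and with "additionalProperties": false a wrong name rejects otherwise valid input. The lint below is an added example, not part of the draft; the sample schema and its "Impact" name are constructed for illustration, and the keyword list is an assumption covering the keywords this schema style uses.

```python
import json

# Keywords this lint accepts inside a schema object (an assumed list that
# covers the style of the schema in Figure 1). Anything else is reported,
# because JSON Schema validators ignore unknown keywords without error.
KNOWN = {"$ref", "$schema", "id", "title", "description", "type", "enum",
         "properties", "required", "additionalProperties", "items",
         "definitions", "pattern", "format"}

def lint_schema(root):
    """Return a sorted list of (json-pointer, problem) findings."""
    findings = []
    defs = root.get("definitions", {})

    def walk(node, path):
        if not isinstance(node, dict):
            findings.append((path, "schema is not an object"))
            return
        # 1. Misspelled keywords silently drop the constraint they meant.
        for key in node:
            if key not in KNOWN:
                findings.append(
                    (path, f"unknown keyword {key!r} is ignored by validators"))
        # 2. A $ref must point at an existing local definition.
        ref = node.get("$ref")
        if ref is not None:
            prefix = "#/definitions/"
            if not ref.startswith(prefix) or ref[len(prefix):] not in defs:
                findings.append(
                    (path, f"$ref {ref!r} does not resolve to a local definition"))
        # 3. With additionalProperties false, a required name that is not
        #    declared can never be satisfied.
        props = node.get("properties", {})
        if node.get("additionalProperties") is False:
            for req in node.get("required", []):
                if req not in props:
                    findings.append(
                        (path, f"required {req!r} is not a declared property"))
        # Recurse structurally: keys of "properties" and "definitions" are
        # member names, not keywords, so a property called "type" is fine.
        for name, sub in props.items():
            walk(sub, f"{path}/properties/{name}")
        for name, sub in node.get("definitions", {}).items():
            walk(sub, f"{path}/definitions/{name}")
        if isinstance(node.get("items"), dict):
            walk(node["items"], f"{path}/items")

    walk(root, "#")
    return sorted(findings)

# Constructed sample, modelled on the Assessment and Confidence definitions.
SAMPLE = json.loads("""
{
  "definitions": {
    "Confidence": {
      "type": "object",
      "properties": {"value": {"type": "number"},
                     "rating": {"enum": ["low", "medium", "high"]}},
      "required": ["rating"],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "Cause": {"type": "array", "items": {"$type": "string"}},
        "MitigatingFactor": {"type": "array", "item": {"type": "string"}},
        "Confidence": {"$ref": "#/definitions/Confidance"}},
      "required": ["Impact"],
      "additionalProperties": false}},
  "type": "object",
  "properties": {"Assessment": {"$ref": "#/definitions/Assessment"}},
  "required": ["Assessment"],
  "additionalProperties": false
}
""")

if __name__ == "__main__":
    for pointer, problem in lint_schema(SAMPLE):
        print(f"{pointer}: {problem}")
```

Running the same function over the complete schema document before deploying it as an input filter surfaces every constraint that would otherwise be dropped silently.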