idnits 2.17.1

draft-ietf-mile-jsoniodef-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 91 instances of too long lines in the document, the longest one
     being 49 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document date (March 18, 2018) is 2230 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: September 19, 2018                                         CERT
                                                               M. Suzuki
                                                                    NICT
                                                          March 18, 2018

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-03

Abstract

   RFC7970 specified an information model and a corresponding XML data
   model for exchanging incident and indicator information.
   This draft provides an alternative data model implementation in JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 19, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Multilingual Strings
       2.2.2.  Software
       2.2.3.  StructuredInfo
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (JSON Schema)
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  Normative References
   Authors' Addresses

1.  Introduction

   [RFC7970] defines a data representation for security incident reports
   and indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
   Section 8.  This UML-based information model and XML-based data model
   are referred to as IODEF UML and IODEF XML, respectively in this
   document.

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using JSON Schema [jsonschema].  This JSON data model is
   referred to as IODEF JSON in this document.

   IODEF JSON provides all of the expressivity of IODEF XML.  It gives
   implementers and operators an alternative format to exchange the same
   information.

   The normative IODEF JSON data model is found in Section 5.
   Section 2 and Section 3 describe the data types and elements of this
   data model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

   The abstract IODEF JSON implements the abstract data types specified
   in Section 2 of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | "integer" per [jsonschema]    |
   | REAL            | Section 2.2       | "number" per [jsonschema]     |
   | CHARACTER       | Section 2.3       | "string" per [jsonschema]     |
   | STRING          | Section 2.3       | "string" per [jsonschema]     |
   | ML_STRING       | Section 2.4       | see Section 2.2.1             |
   | BYTE            | Section 2.5.1     | "string" per [jsonschema]     |
   | BYTE[]          | Section 2.5.1     | "string" per [jsonschema]     |
   | HEXBIN          | Section 2.5.2     | "string" per [jsonschema]     |
   | HEXBIN[]        | Section 2.5.2     | "string" per [jsonschema]     |
   | ENUM            | Section 2.6       | "enum" array per [jsonschema] |
   | DATETIME        | Section 2.7       | "string" per [jsonschema]     |
   | TIMEZONE        | Section 2.8       | "string" per [jsonschema]     |
   | PORTLIST        | Section 2.9       | "string" per [jsonschema]     |
   | POSTAL          | Section 2.10      | "string" per [jsonschema]     |
   | POSTAL_ML       | Section 2.10      | see ML_STRING, Section 2.2.1  |
   | PHONE           | Section 2.11      | "string" per [jsonschema]     |
   | EMAIL           | Section 2.12      | "string" per [jsonschema]     |
   | URL             | Section 2.13      | "string" per [jsonschema]     |
   | IDREF           | Section 2.14      | "string" per [jsonschema]     |
   | SOFTWARE        | Section 2.15      | see Section 2.2.2             |
   | STRUCTURED      | N/A               | see Section 2.2.3             |
   +-----------------+-------------------+-------------------------------+

                                 Figure 1

2.2.  Complex JSON Types

2.2.1.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different than the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as an object with "value", "lang", and "translation-id"
   elements as defined in Section 5.  Examples are shown below.

   "MLStringType": {
     "value": "free-form text",           //STRING
     "lang": "en",                        //ENUM
     "translation-id": "jp2en0023"        //STRING
   }

2.2.2.  Software

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a URL, or with free-form text.  The SOFTWARE data
   type is implemented as an object with "SoftwareReference", "URL",
   "Description", and "Description_ML" elements as defined in Section 5.
   Examples are shown below.

   "SoftwareType": {
     "SoftwareReference": {...},          //SoftwareReference
     "Description": ["MS Windows"]        //STRING
   }

2.2.3.  StructuredInfo

   Information provided in the form of a structured string, such as an
   ID, or as structured information, such as XML documents, is
   represented in the information model by the StructuredInfo data type.
   Note that this type was originally specified in RFC7203.  The
   StructuredInfo data type is implemented as an object with "SpecID",
   "ext-SpecID", "ContentID", "RawData", and "Reference" elements.  An
   example for embedding a structured ID is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                     //ENUM
     "ContentID": "CVE-2007-5000"         //STRING
   }

   When embedding the raw data, base64 conversion should be used for
   encoding the data, as shown below.

   "StructuredInformation": {
     "SpecID": "oval",                    //ENUM
     "RawData": "<<>>"                    //BYTE
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table shows the list of IODEF Classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 5.

   +-----------------------------+------------------------------+---------------+
   | IODEF Class                 | Class Elements and Attribute | Corresponding |
   |                             |                              | Section       |
   |                             |                              | in [RFC7970]  |
   +-----------------------------+------------------------------+---------------+
   | IODEF-Document              | version                      | 3.1           |
   |                             | lang?                        |               |
   |                             | format-id?                   |               |
   |                             | private-enum-name?           |               |
   |                             | private-enum-id?             |               |
   |                             | Incident+                    |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Incident                    | purpose                      | 3.2           |
   |                             | ext-purpose?                 |               |
   |                             | status?                      |               |
   |                             | ext-status?                  |               |
   |                             | lang?                        |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentID                   |               |
   |                             | AlternativeID?               |               |
   |                             | RelatedActivity*             |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | GenerationTime?              |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | Discovery*                   |               |
   |                             | Assessment*                  |               |
   |                             | Method*                      |               |
   |                             | Contact+                     |               |
   |                             | EventData*                   |               |
   |                             | Indicator*                   |               |
   |                             | History?                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IncidentID                  | id                           | 3.4           |
   |                             | name                         |               |
   |                             | instance?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeID               | restriction?                 | 3.5           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID+                  |               |
   +-----------------------------+------------------------------+---------------+
   | RelatedActivity             | restriction?                 | 3.6           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID*                  |               |
   |                             | URL*                         |               |
   |                             | ThreatActor*                 |               |
   |                             | Campaign*                    |               |
   |                             | IndicatorID*                 |               |
   |                             | Confidence?                  |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | ThreatActor                 | restriction?                 | 3.7           |
   |                             | ext-restriction?             |               |
   |                             | ThreatActorID*               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Campaign                    | restriction?                 | 3.8           |
   |                             | ext-restriction?             |               |
   |                             | CampaignID*                  |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Contact                     | role                         | 3.9           |
   |                             | ext-role?                    |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | ContactName*                 |               |
   |                             | ContactName_ML*              |               |
   |                             | ContactTitle*                |               |
   |                             | ContactTitle_ML*             |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | RegistryHandle*              |               |
   |                             | PostalAddress*               |               |
   |                             | Email*                       |               |
   |                             | Telephone*                   |               |
   |                             | Timezone?                    |               |
   |                             | Contact*                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RegistryHandle              | handle                       | 3.9.1         |
   |                             | registry                     |               |
   |                             | ext-registry?                |               |
   +-----------------------------+------------------------------+---------------+
   | PostalAddress               | type?                        | 3.9.2         |
   |                             | ext-type?                    |               |
   |                             | PAddress                     |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | Email                       | type?                        | 3.9.3         |
   |                             | ext-type?                    |               |
   |                             | EmailTo                      |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | Telephone                   | type?                        | 3.9.4         |
   |                             | ext-type?                    |               |
   |                             | TelephoneNumber              |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | Discovery                   | source?                      | 3.10          |
   |                             | ext-source?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | Contact*                     |               |
   |                             | DetectionPattern*            |               |
   +-----------------------------+------------------------------+---------------+
   | DetectionPattern            | restriction?                 | 3.10.1        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Application                  |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | DetectionConfiguration*      |               |
   +-----------------------------+------------------------------+---------------+
   | Method                      | restriction?                 | 3.11          |
   |                             | ext-restriction?             |               |
   |                             | Reference*                   |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | AttackPattern*               |               |
   |                             | Vulnerability*               |               |
   |                             | Weakness*                    |               |
   +-----------------------------+------------------------------+---------------+
   | Reference                   | observable-id?               | 3.11.1        |
   |                             | ReferenceName?               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | Assessment                  | occurrence?                  | 3.12          |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentCategory*            |               |
   |                             | SystemImpact*                |               |
   |                             | BusinessImpact*              |               |
   |                             | TimeImpact*                  |               |
   |                             | MonetaryImpact*              |               |
   |                             | IntendedImpact*              |               |
   |                             | Counter*                     |               |
   |                             | MitigationFactor*            |               |
   |                             | MitigationFactor_ML*         |               |
   |                             | Cause*                       |               |
   |                             | Cause_ML*                    |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | SystemImpact                | severity?                    | 3.12.1        |
   |                             | completion?                  |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | BusinessImpact              | severity?                    | 3.12.2        |
   |                             | ext-severity?                |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | TimeImpact                  | value                        | 3.12.3        |
   |                             | severity?                    |               |
   |                             | metric                       |               |
   |                             | ext-metric?                  |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | MonetaryImpact              | value                        | 3.12.4        |
   |                             | severity?                    |               |
   |                             | currency?                    |               |
   +-----------------------------+------------------------------+---------------+
   | Confidence                  | value                        | 3.12.5        |
   |                             | rating                       |               |
   |                             | ext-rating?                  |               |
   +-----------------------------+------------------------------+---------------+
   | History                     | restriction?                 | 3.13          |
   |                             | ext-restriction?             |               |
   |                             | HistoryItem+                 |               |
   +-----------------------------+------------------------------+---------------+
   | HistoryItem                 | action                       | 3.13.1        |
   |                             | ext-action?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime                     |               |
   |                             | IncidentID?                  |               |
   |                             | Contact?                     |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | DefinedCOA*                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | EventData                   | restriction?                 | 3.14          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | Contact*                     |               |
   |                             | Discovery*                   |               |
   |                             | Assessment?                  |               |
   |                             | Method*                      |               |
   |                             | Expectation*                 |               |
   |                             | RecordData*                  |               |
   |                             | EventData*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Expectation                 | action?                      | 3.15          |
   |                             | ext-action?                  |               |
   |                             | severity?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | DefinedCOA*                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Contact?                     |               |
   +-----------------------------+------------------------------+---------------+
   | System                      | category?                    | 3.16          |
   |                             | ext-category?                |               |
   |                             | interface?                   |               |
   |                             | spoofed?                     |               |
   |                             | virtual?                     |               |
   |                             | ownership?                   |               |
   |                             | ext-ownership?               |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Node                         |               |
   |                             | NodeRole*                    |               |
   |                             | Service*                     |               |
   |                             | OperatingSystem*             |               |
   |                             | Counter*                     |               |
   |                             | AssetID*                     |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Node                        | DomainData*                  | 3.17          |
   |                             | Address*                     |               |
   |                             | PostalAddress?               |               |
   |                             | Location*                    |               |
   |                             | Location_ML*                 |               |
   |                             | Counter*                     |               |
   +-----------------------------+------------------------------+---------------+
   | Address                     | value                        | 3.17.1        |
   |                             | category                     |               |
   |                             | ext-category?                |               |
   |                             | vlan-name?                   |               |
   |                             | vlan-num?                    |               |
   |                             | observable-id?               |               |
   +-----------------------------+------------------------------+---------------+
   | NodeRole                    | category                     | 3.17.2        |
   |                             | ext-category?                |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | Counter                     | value                        | 3.17.3        |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | unit                         |               |
   |                             | ext-unit?                    |               |
   |                             | meaning?                     |               |
   |                             | meaning_ML?                  |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | DomainData                  | system-status                | 3.18          |
   |                             | ext-system-status?           |               |
   |                             | domain-status                |               |
   |                             | ext-domain-status?           |               |
   |                             | observable-id?               |               |
   |                             | Name                         |               |
   |                             | DateDomainWasChecked?        |               |
   |                             | RegistrationDate?            |               |
   |                             | ExpirationDate?              |               |
   |                             | RelatedDNS*                  |               |
   |                             | Nameservers*                 |               |
   |                             | DomainContacts?              |               |
   +-----------------------------+------------------------------+---------------+
   | Nameserver                  | Server                       | 3.18.1        |
   |                             | Address*                     |               |
   +-----------------------------+------------------------------+---------------+
   | DomainContacts              | SameDomainContact?           | 3.18.2        |
   |                             | Contact+                     |               |
   +-----------------------------+------------------------------+---------------+
   | Service                     | ip-protocol?                 | 3.19          |
   |                             | observable-id?               |               |
   |                             | ServiceName?                 |               |
   |                             | Port?                        |               |
   |                             | Portlist?                    |               |
   |                             | ProtoCode?                   |               |
   |                             | ProtoType?                   |               |
   |                             | ProtoField?                  |               |
   |                             | ApplicationHeaderField+      |               |
   |                             | EmailData?                   |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | ServiceName                 | IANAService?                 | 3.19.1        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | EmailData                   | observable-id?               | 3.19.2        |
   |                             | EmailTo*                     |               |
   |                             | EmailFrom?                   |               |
   |                             | EmailSubject?                |               |
   |                             | EmailX-Mailer?               |               |
   |                             | EmailHeaderField*            |               |
   |                             | EmailHeaders?                |               |
   |                             | EmailBody?                   |               |
   |                             | EmailMessage?                |               |
   |                             | HashData*                    |               |
   |                             | Signature*                   |               |
   +-----------------------------+------------------------------+---------------+
   | RecordData                  | restriction?                 | 3.19.3        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime?                    |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | Application?                 |               |
   |                             | RecordPattern*               |               |
   |                             | RecordItem*                  |               |
   |                             | URL*                         |               |
   |                             | FileData*                    |               |
   |                             | WindowsRegistryKeysModified* |               |
   |                             | CertificateData*             |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RecordPattern               | type                         | 3.19.4        |
   |                             | ext-type?                    |               |
   |                             | offset?                      |               |
   |                             | offsetunit?                  |               |
   |                             | ext-offsetunit?              |               |
   |                             | instance?                    |               |
   |                             | value                        |               |
   +-----------------------------+------------------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?               | 3.20          |
   |                             | Key+                         |               |
   +-----------------------------+------------------------------+---------------+
   | Key                         | registryaction?              | 3.20.1        |
   |                             | ext-registryaction?          |               |
   |                             | observable-id?               |               |
   |                             | KeyName                      |               |
   |                             | KeyValue?                    |               |
   +-----------------------------+------------------------------+---------------+
   | CertificateData             | restriction?                 | 3.21          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Certificate+                 |               |
   +-----------------------------+------------------------------+---------------+
   | Certificate                 | observable-id?               | 3.21.1        |
   |                             | X509Data                     |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   +-----------------------------+------------------------------+---------------+
   | FileData                    | restriction?                 | 3.22          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | File+                        |               |
   +-----------------------------+------------------------------+---------------+
   | File                        | observable-id?               | 3.22.1        |
   |                             | FileName?                    |               |
   |                             | FileSize?                    |               |
   |                             | FileType?                    |               |
   |                             | URL*                         |               |
   |                             | HashData?                    |               |
   |                             | Signature*                   |               |
   |                             | AssociatedSoftware?          |               |
   |                             | FileProperties*              |               |
   +-----------------------------+------------------------------+---------------+
   | HashData                    | scope                        | 3.23          |
   |                             | HashTargetID?                |               |
   |                             | Hash*                        |               |
   |                             | FuzzyHash*                   |               |
   +-----------------------------+------------------------------+---------------+
   | Hash                        | DigestMethod                 | 3.23.1        |
   |                             | DigestValue                  |               |
   |                             | CanonicalizationMethod?      |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+              | 3.23.2        |
   |                             | Application?                 |               |
   |                             | AdditionalData?              |               |
   +-----------------------------+------------------------------+---------------+
   | Indicator                   | restriction?                 | 3.24          |
   |                             | ext-restriction?             |               |
   |                             | IndicatorID                  |               |
   |                             | AlternativeIndicatorID*      |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Confidence?                  |               |
   |                             | Contact*                     |               |
   |                             | Observable?                  |               |
   |                             | uid-ref?                     |               |
   |                             | IndicatorExpression?         |               |
   |                             | IndicatorReference?          |               |
   |                             | NodeRole*                    |               |
   |                             | AttackPhase*                 |               |
   |                             | Reference*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorID                 | id                           | 3.24.1        |
   |                             | name                         |               |
   |                             | version                      |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeIndicatorID      | restriction?                 | 3.24.2        |
   |                             | ext-restriction?             |               |
   |                             | IndicatorReference+          |               |
   +-----------------------------+------------------------------+---------------+
   | Observable                  | restriction?                 | 3.24.3        |
   |                             | ext-restriction?             |               |
   |                             | System?                      |               |
   |                             | Address?                     |               |
   |                             | DomainData?                  |               |
   |                             | Service?                     |               |
   |                             | EmailData?                   |               |
   |                             | WindowsRegistryKeysModified? |               |
   |                             | FileData?                    |               |
   |                             | CertificateData?             |               |
   |                             | RegistryHandle?              |               |
   |                             | RecordData?                  |               |
   |                             | EventData?                   |               |
   |                             | Incident?                    |               |
   |                             | Expectation?                 |               |
   |                             | Reference?                   |               |
   |                             | Assessment?                  |               |
   |                             | DetectionPattern?            |               |
   |                             | HistoryItem?                 |               |
   |                             | BulkObservable?              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservable              | type?                        | 3.24.4        |
   |                             | ext-type?                    |               |
   |                             | BulkObservableFormat?        |               |
   |                             | BulkObservableList           |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservableFormat        | Hash?                        | 3.24.5        |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorExpression         | operator?                    | 3.24.6        |
   |                             | ext-operator?                |               |
   |                             | IndicatorExpression*         |               |
   |                             | Observable*                  |               |
   |                             | uid-ref*                     |               |
   |                             | IndicatorReference*          |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorReference          | uid-ref?                     | 3.24.7        |
   |                             | euid-ref?                    |               |
   |                             | version?                     |               |
   +-----------------------------+------------------------------+---------------+
   | AttackPhase                 | AttackPhaseID*               | 3.24.8        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | Description_ML*              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+

3.2.  Mapping between JSON and XML IODEF

   o  This document treats attributes and elements of each class defined
      in [RFC7970] equally and is agnostic on the order of their
      appearances.

   o  Flow class is deleted, and classes with its instances now directly
      have instances of EventData class that used to belong to the Flow
      class.

   o  ApplicationHeader class is deleted, and classes with its instances
      now directly have instances of ApplicationHeaderField class that
      used to belong to the ApplicationHeader class.

   o  SignatureData class is deleted, and classes with its instances now
      directly have instances of Signature class that used to belong to
      the SignatureData class.

   o  IndicatorData class is deleted, and classes with its instances now
      directly have the instances of Indicator class that used to belong
      to the IndicatorData class.

   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The elements of ML_STRING type are prepared as two separate
      elements: one of STRING type and another of ML_STRING type, in
      order to maintain the simplicity of IODEF documents when writing
      with only STRING type characters.

4.  Examples

   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only
   way to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": 492382,
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ]
       }
     ]
   }

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

   {
     "version": "2.0",
     "lang": "en",
     "Incidents": [
       {
         "purpose": "watch",
         "restriction": "green",
         "IncidentID": {
           "id": "897923",
           "name": "csirt.example.com"
         },
         "RelatedActivity": [
           {
             "ThreatActor": [
               {
                 "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
                 "Description": "Aggressive Butterfly"
               }
             ],
             "Campaign": [
               {
                 "CampaignID": "C-2015-59405",
                 "Description": "Orange Giraffe"
               }
             ]
           }
         ],
         "GenerationTime": "2015-10-02T11:18:00-05:00",
         "Description": [
           "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
         ],
         "Assessment": [
           {
             "BusinessImpact": {
               "type": "breach-proprietary"
             }
           }
         ],
         "Contacts": [
           {
             "type": "organization",
             "role": "creator",
             "ContactName": "CSIRT for example.com",
             "Email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ],
         "IndicatorList": [
           {
             "IndicatorID": {
               "id": "G90823490",
               "name": "csirt.example.com",
               "version": "1"
             },
             "Description": "C2 domains",
             "StartTime": "2014-12-02T11:18:00-05:00",
             "Observable": {
               "BulkObservable": {
                 "type": "fqdn"
               },
               "BulkObservableList": [
                 "kj290023j09r34.example.com",
                 "09ijk23jfj0k8.example.net",
                 "klknjwfjiowjefr923.example.org",
                 "oimireik79msd.example.org"
               ]
             }
           }
         ]
       }
     ]
   }

5.  The IODEF Data Model (JSON Schema)

   { "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site","contact-target-site",
                  "contact-sender", "investigate","block-host","block-network",
                  "block-port","rate-limit-host","rate-limit-network",
                  "rate-limit-port","redirect-traffic","honeypot",
                  "upgrade-software","rebuild-asset","harden-asset",
                  "remediate-other","status-triage","status-new-info",
                  "watch-and-report","training","defined-coa","ext-value"]},
       "duration": {"enum": ["second","minute","hour","day","month","quarter",
                    "year","ext-value"]},
       "lang": {"enum": ["en","jp"]},
       "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
                   "ext-value"]},
       "restriction": {"enum": ["public","partner","need-to-know","private",
                       "default","white","green","amber","red","ext-value"]},
       "status": {"enum": ["new","in-progress","forwarded","resolved","future",
                  "ext-value"]},
       "DATETIME": {"type": "string"},
       "PORTLIST": {"type": "string"},
       "URLtype": {"type": "string"},
       "IDtype": {"type": "string"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
                     "ntpstamp","integer","portlist","real","string","file",
                     "path","frame","packet","ipv4-packet","ipv6-packet","url",
                     "csv","winreg","xml","ext-value"]},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}}},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"}},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {"$ref": "#/definitions/URLtype"},
           "Description": {"type": "array", "items": {"type":"string"}}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"type": "string"},
           "ext-spec-name": {"type": "string"},
           "dtype": {"type": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "specID": {"type": "string"},
           "ext-specID": {"type": "string"},
           "contentID": {"type": "string"},
           "RawData": {"type": "string"},
           "URL": {"$ref": "#/definitions/URLtype"}},
         "required": ["specID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
           "DetectTime": {"type": "string"},
           "StartTime": {"type": "string"},
           "EndTime": {"type": "string"},
           "RecoveryTime": {"type": "string"},
           "ReportTime": {"type": "string"},
           "GenerationTime": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}},
           "Discovery": {
             "type": "array","items": {"$ref": "#/definitions/Discovery"}},
           "Assessment": {
             "type": "array","items": {"$ref": "#/definitions/Assessment"}},
           "Methods": {
             "type": "array","items": {"$ref": "#/definitions/Method"}},
           "Contacts": {
             "type": "array","items": {"$ref": "#/definitions/Contact"}},
           "EventData": {
             "type": "array","items": {"$ref": "#/definitions/EventData"}},
           "IndicatorList": {
             "type": "array","items": {"$ref": "#/definitions/Indicator"}},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID","GenerationTime","Contacts","purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
           "URL": {
             "type": "array","items": {"$ref": "#/definitions/URLtype"}},
           "ThreatActor": {
             "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
           "Campaign": {
             "type": "array","items": {"$ref": "#/definitions/Campaign"}},
           "IndicatorID": {
             "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": { "type": "array","items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {"type": "array", "items": {"type": "string"}},
           "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum": ["creator","reporter","admin","tech","provider","user",
                      "billing","legal","irt","abuse","cc","cc-irt","leo",
                      "vendor","vendor-support","victim","victim-notified",
                      "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person","organization","ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ContactName": {"type": "array", "items": {"type": "string"}},
           "ContactTitle": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "RegistryHandle": {
             "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},
           "PostalAddress": {
             "type": "array", "items": {"$ref":
"#/definitions/PostalAddress"}}, 1031 "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, 1032 "Telephone": { 1033 "type": "array", "items": {"$ref": "#/definitions/Telephone"}}, 1034 "Timezone": {"type": "string"}, 1035 "Contact": { 1036 "type": "array", "items": {"$ref": "#/definitions/Contact"}}, 1037 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1038 "required": ["role","type"], 1039 "additionalProperties": false}, 1040 "RegistryHandle": { 1041 "type": "object", 1042 "properties": { 1043 "handle": {"type": "string"}, 1044 "registry": { 1045 "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local", 1046 "ext-value"]}, 1047 "ext-registry": {"type": "string"}}, 1048 "required": ["registry"], 1049 "additionalProperties": false}, 1050 "PostalAddress": { 1051 "type": "object", 1052 "properties": { 1053 "type": {"type": "string"}, 1054 "ext-type": {"type": "string"}, 1055 "PAddress": {"type": "string"}, 1056 "Description": {"type": "array", "items": {"type": "string"}}}, 1057 "required": ["PAddress"], 1058 "additionalProperties": false}, 1059 "Email": { 1060 "type": "object", 1061 "properties": { 1062 "type": { 1063 "enum":["direct","hotline","ext-value"]}, 1064 "ext-type": {"type": "string"}, 1065 "EmailTo": {"type": "string"}, 1066 "Description": {"type": "array", "items": {"type": "string"}}}, 1067 "required": ["EmailTo"], 1068 "additionalProperties": false}, 1069 "Telephone": { 1070 "type": "object", 1071 "properties": { 1072 "type": { 1073 "enum":["wired","mobile","fax","hotline","ext-value"]}, 1074 "ext-type": {"type": "string"}, 1075 "TelephoneNumber": {"type": "string"}, 1076 "Description": {"type": "array", "items": {"type": "string"}}}, 1077 "required": ["TelephoneNumber"], 1078 "additionalProperties": false}, 1079 "Discovery": { 1080 "type": "object", 1081 "properties": { 1082 "source": { 1083 "enum":["nidps","hips","siem","av","third-party-monitoring", 1084 "incident","os-log","application-log","device-log", 
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
        "ext-source": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "Contact": {
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "DetectionPattern": {
          "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
      "required": [],
      "additionalProperties": false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "DetectionConfiguration": {
          "type": "array", "items": {"type": "string"}}},
      "required": ["Application"],
      "additionalProperties": false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "References": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "AttackPattern": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Vulnerability": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Weakness": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {"type": "string"},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {"enum":["actual","potential"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {"type": "array", "items": {"type": "string"}},
        "SystemImpact": {
          "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
        "BusinessImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "TimeImpact": {
          "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
        "MonetaryImpact": {
          "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
        "IntendedImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "Counter": {
          "type": "array", "items": {"$ref": "#/definitions/Counter"}},
        "MitigatingFactor": {
          "type": "array", "items": {"type": "string"}},
        "Cause": {"type": "array", "items": {"type": "string"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["low","medium","high"]},
        "completion": {"enum":["failed","succeeded"]},
        "type": {
          "enum":["takeover-account","takeover-service","takeover-system",
                  "cps-manipulation","cps-damage","availability-data",
                  "availability-account","availability-service",
                  "availability-system","damaged-system","damaged-data",
                  "breach-proprietary","breach-privacy","breach-credential",
                  "breach-configuration","integrity-data",
                  "integrity-configuration","integrity-hardware",
                  "traffic-redirection","monitoring-traffic","monitoring-host",
                  "policy","unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["none","low","medium","high","unknown","ext-value"]},
        "ext-severity": {"type":"string"},
        "type": {
          "enum":["breach-proprietary","breach-privacy","breach-credential",
                  "loss-of-integrity","loss-of-service","theft-financial",
                  "theft-service","degraded-reputation","asset-damage",
                  "asset-manipulation","legal","extortion","unknown",
                  "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum": ["low","medium","high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum":["low","medium","high"]},
        "currency": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "rating": {
          "enum": ["low","medium","high","numeric","unknown","ext-value"]},
        "ext-rating": {"type":"string"}},
      "required": ["rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["ReportTime"],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor","infrastructure",
                  "ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"]},
        "virtual": {"enum": ["yes","no","unknown"]},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "Service": {
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {"type": "array","items": {"type": "string"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {"type": "string"},
        "Location": {"type": "array","items": {"type": "string"}},
        "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
          "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                  "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
                  "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","client-partner","client-remote",
                  "client-kiosk","client-mobile","server-internal",
                  "server-public","www","mail","webmail","messaging",
                  "streaming","voice","file","ftp","p2p","name","directory",
                  "credential","print","application","database","backup",
                  "dhcp","assessment","source-control","config-management",
                  "monitoring","infra","infra-firewall","infra-router",
                  "infra-switch","camera","proxy","remote-access","log",
                  "virtualization","pos", "scada", "scada-supervisory",
                  "sinkhole","honeypot","anonymization","c2-server",
                  "malware-distribution","drop-server","hot-point","reflector",
                  "phishing-site","spear-phishing-site","recruiting-site",
                  "fraudulent-site","ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
            "message","event","host","site","organization","ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                  "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "NameServers": {
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
          "$ref": "#/definitions/DomainContacts"}},
      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
      "required": ["Contact"],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "integer"},
        "Portlist": {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {"type": "integer"},
        "ProtoType": {"type": "integer"},
        "ProtoField": {"type": "integer"},
        "ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {"type": "array","items": {"type": "string"}},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "Signature": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {
          "type": "array","items": {"$ref": "#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
    },
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {"type": "string"},
        "offset": {"type": "integer"},
        "offsetunit": {"enum":["line","byte","ext-value"]},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
            "delete-value","modify-key","modify-value",
            "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {"type": "string"},
        "FileSize": {"type": "integer"},
        "FileType": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {"type": "array","items": {"type": "string"}},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
            "file-pe-resource","file-pdf-object","email-hash",
            "email-hash-header","email-hash-body"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"type": "string"},
        "DigestValue": {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"type": "string"},
        "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": ["IndicatorReference"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData":
          {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
            "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
            "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
            "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
            "ipv4-port","ipv6-port","windows-reg-key","file-hash",
            "email-x-mailer","email-subject","http-user-agent",
            "http-request-url","mutex","file-path","user-name",
            "ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormat":{"$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "array", "items":{"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"]},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "uid-ref": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"type": "string"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {"type": "array","items": {"type": "string"}},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array","items": {"$ref": "#/definitions/Incident"}},
    "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}

                          Figure 2: JSON schema

6.  Acknowledgements

   TBD.

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Security Considerations

   This memo does not provide any security considerations beyond
   those described in [RFC7970].

9.  Normative References

   [jsonschema]
              "JSON Schema", 2006.

              http://json-schema.org/

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              .

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, .

Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

   Roman Danyliw
   CERT, Software Engineering Institute, Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   Email: rdd@cert.org

   Mio Suzuki
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp
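
Added example (not part of the draft): a Python lint for a schema laid out like Figure 2. It reports three mistakes that weaken validation of received IODEF documents without raising an error: a misspelled keyword, a "$ref" to a definition that does not exist, and a required property that "additionalProperties": false forbids. SAMPLE is a constructed fragment, and lint_schema and its helpers are names chosen for this example.

```python
import json

# Keywords a validator acts on. Figure 2 uses only a handful of these
# (type, properties, required, additionalProperties, items, enum, $ref).
KNOWN_KEYWORDS = {
    "$ref", "$schema", "id", "title", "description", "definitions",
    "type", "enum", "properties", "required", "additionalProperties",
    "items", "allOf", "anyOf", "oneOf", "not",
}

def _escape(token):
    """Escape a name for use in a JSON Pointer (RFC 6901)."""
    return token.replace("~", "~0").replace("/", "~1")

def _resolves(root, ref):
    """True if a local reference such as '#/definitions/X' exists in root."""
    if not ref.startswith("#/"):
        return ref == "#"
    node = root
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        if not isinstance(node, dict) or token not in node:
            return False
        node = node[token]
    return True

def lint_schema(root):
    """Return a list of (json_pointer, problem) pairs for the schema."""
    findings = []

    def walk(node, ptr):
        if isinstance(node, bool):      # e.g. "additionalProperties": false
            return
        if not isinstance(node, dict):
            findings.append((ptr, "subschema is not an object"))
            return
        for key, value in node.items():
            here = ptr + "/" + _escape(key)
            if key not in KNOWN_KEYWORDS:
                # Validators skip keywords they do not know, so the
                # constraint that was intended here is never applied.
                findings.append((ptr, "unknown keyword %r" % key))
            elif key == "$ref":
                if not isinstance(value, str) or not value.startswith("#"):
                    findings.append((ptr, "non-local $ref %r" % (value,)))
                elif not _resolves(root, value):
                    findings.append((ptr, "dangling $ref %r" % value))
            elif key in ("properties", "definitions") and isinstance(value, dict):
                # Names below these are property or definition names, not
                # keywords: a property may legitimately be called "type".
                for name, sub in value.items():
                    walk(sub, here + "/" + _escape(name))
            elif key in ("allOf", "anyOf", "oneOf") or (
                    key == "items" and isinstance(value, list)):
                for i, sub in enumerate(value):
                    walk(sub, "%s/%d" % (here, i))
            elif key in ("items", "additionalProperties", "not"):
                walk(value, here)
        if node.get("additionalProperties") is False:
            declared = node.get("properties", {})
            for name in node.get("required", []):
                if name not in declared:
                    findings.append((ptr, "required property %r is undeclared "
                                          "but additionalProperties is false" % name))

    walk(root, "#")
    return findings

# Constructed fragment in the style of Figure 2, with four planted defects.
SAMPLE = json.loads(r'''
{
  "definitions": {
    "Counter": {
      "type": "object",
      "properties": {"value": {"type": "string"}},
      "required": ["value"],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "Counter": {"type": "array",
                    "items": {"$ref": "#/definitions/Counter"}},
        "Cause": {"type": "array", "items": {"$type": "string"}}},
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "RecordData": {"type": "array",
                       "item": {"$ref": "#/definitions/Counter"}},
        "EventData": {"$ref": "#/definitions/EventData"}},
      "additionalProperties": false}},
  "type": "object",
  "properties": {"Assessment": {"$ref": "#/definitions/Assessment"}},
  "required": ["version"],
  "additionalProperties": false
}
''')

if __name__ == "__main__":
    for pointer, problem in lint_schema(SAMPLE):
        print(pointer, "->", problem)
```

Run against the full schema before deploying it in an ingestion path; an empty result means none of these three classes of defect is present.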