MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: January 18, 2019                                           CERT
                                                               M. Suzuki
                                                                    NICT
                                                           July 17, 2018

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-04

Abstract

   [RFC7970] specifies an information model and a corresponding XML data model for exchanging incident and indicator information.  This document provides an alternative data model implementation in JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF).  Note that other groups may also distribute working documents as Internet-Drafts.  The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.  It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 18, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.  Please review these documents carefully, as they describe your rights and restrictions with respect to this document.  Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Multilingual Strings
       2.2.2.  Software and SoftwareReference
       2.2.3.  StructuredInfo
       2.2.4.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  Normative References
   Appendix A.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams.  It facilitates the automated exchange of this information to enable mitigation and watch-and-warning.  Section 3 of [RFC7970] defines an information model using the Unified Modeling Language (UML), and Section 8 defines a corresponding Extensible Markup Language (XML) schema data model.  This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively, in this document.

   This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using JSON Schema [jsonschema].  This JSON data model is referred to as IODEF JSON in this document.

   IODEF JSON provides all of the expressivity of IODEF XML.  It gives implementers and operators an alternative format in which to exchange the same information.

   The normative IODEF JSON data model is found in Section 5.  Section 2 and Section 3 describe the data types and elements of this data model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON.

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | "integer" per [jsonschema]    |
   | REAL            | Section 2.2       | "number" per [jsonschema]     |
   | CHARACTER       | Section 2.3       | "string" per [jsonschema]     |
   | STRING          | Section 2.3       | "string" per [jsonschema]     |
   | ML_STRING       | Section 2.4       | see Section 2.2.1             |
   | BYTE            | Section 2.5.1     | "string" per [jsonschema]     |
   | BYTE[]          | Section 2.5.1     | "string" per [jsonschema]     |
   | HEXBIN          | Section 2.5.2     | "string" per [jsonschema]     |
   | HEXBIN[]        | Section 2.5.2     | "string" per [jsonschema]     |
   | ENUM            | Section 2.6       | "enum" array per [jsonschema] |
   | DATETIME        | Section 2.7       | "string" per [jsonschema]     |
   | TIMEZONE        | Section 2.8       | "string" per [jsonschema]     |
   | PORTLIST        | Section 2.9       | "string" per [jsonschema]     |
   | POSTAL          | Section 2.10      | "string" per [jsonschema]     |
   | POSTAL_ML       | Section 2.10      | see ML_STRING, Section 2.2.1  |
   | PHONE           | Section 2.11      | "string" per [jsonschema]     |
   | EMAIL           | Section 2.12      | "string" per [jsonschema]     |
   | URL             | Section 2.13      | "string" per [jsonschema]     |
   | ID              | Section 2.14      | "string" per [jsonschema]     |
   | IDREF           | Section 2.14      | "string" per [jsonschema]     |
   | SOFTWARE        | Section 2.15      | see Section 2.2.2             |
   | STRUCTURED      | RFC 7203          | see Section 2.2.3             |
   | EXTENSION       | Section 2.16      | see Section 2.2.4             |
   +-----------------+-------------------+-------------------------------+

                                 Figure 1

2.2.  Complex JSON Types

2.2.1.  Multilingual Strings

   A string that needs to be represented in a human-readable language different from the default language of the document is represented in the information model by the ML_STRING data type.  This data type is implemented as an object with "value", "lang", and "translation-id" members as defined in Section 5.  An example is shown below.

   "MLStringType": {
     "value": "free-form text",        //STRING
     "lang": "en",                      //ENUM
     "translation-id": "jp2en0023"      //STRING
   }

2.2.2.  Software and SoftwareReference

   A particular version of software is represented in the information model by the SOFTWARE data type.  This software can be described by a reference, a URL, or free-form text.  The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", "Description", and "Description_ML" members as defined in Section 5.  An example is shown below.

   "SoftwareType": {
     "SoftwareReference": {...},        //SoftwareReference
     "Description": ["MS Windows"]      //STRING
   }

   The SoftwareReference class is a reference to a particular version of software.  An example is shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   //STRING
     "spec-name": "cpe",                               //ENUM
     "dtype": "string"                                 //ENUM
   }

2.2.3.  StructuredInfo

   Information provided in the form of a structured string, such as an identifier, or of structured data, such as an XML document, is represented in the information model by the StructuredInfo data type.  Note that this type was originally specified in RFC 7203.  The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", and "Reference" members.  An example embedding a structured identifier is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                   //ENUM
     "ContentID": "CVE-2007-5000"       //STRING
   }

   When embedding raw data, the data is base64-encoded (the BYTE data type of Figure 1), as shown below.

   "StructuredInformation": {
     "SpecID": "oval",                  //ENUM
     "RawData": "<<>>"                  //BYTE
   }

2.2.4.  EXTENSION

   Information not otherwise represented in the IODEF can be added using the EXTENSION data type.  This data type is a generic extension mechanism.  The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" members.  An example embedding a syslog record from a security appliance is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                 //STRING
     "name": "Syslog",                                   //STRING
     "dtype": "string",                                  //ENUM
     "meaning": "Syslog from the security appliance X"   //STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following list shows the IODEF classes, their elements and attributes, and the corresponding section in [RFC7970].  A trailing "?" marks an optional member, "*" zero or more, and "+" one or more; a member with no suffix is required exactly once.  Note that the complete JSON schema is defined in Section 5.

   IODEF-Document (Section 3.1): version, lang?, format-id?, private-enum-name?, private-enum-id?, Incident+, AdditionalData*

   Incident (Section 3.2): purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, ext-restriction?, observable-id?, IncidentID, AlternativeID?, RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, GenerationTime, Description*, Description_ML*, Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*, History?, AdditionalData*

   IncidentID (Section 3.4): id, name, instance?, restriction?, ext-restriction?

   AlternativeID (Section 3.5): restriction?, ext-restriction?, IncidentID+

   RelatedActivity (Section 3.6): restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*, Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

   ThreatActor (Section 3.7): restriction?, ext-restriction?, ThreatActorID*, URL*, Description*, Description_ML*, AdditionalData*

   Campaign (Section 3.8): restriction?, ext-restriction?, CampaignID*, URL*, Description*, Description_ML*, AdditionalData*

   Contact (Section 3.9): role, ext-role?, type, ext-type?, restriction?, ext-restriction?, ContactName*, ContactName_ML*, ContactTitle*, ContactTitle_ML*, Description*, Description_ML*, RegistryHandle*, PostalAddress*, Email*, Telephone*, Timezone?, Contact*, AdditionalData*

   RegistryHandle (Section 3.9.1): handle, registry, ext-registry?

   PostalAddress (Section 3.9.2): type?, ext-type?, PAddress, Description*, Description_ML*

   Email (Section 3.9.3): type?, ext-type?, EmailTo, Description*, Description_ML*

   Telephone (Section 3.9.4): type?, ext-type?, TelephoneNumber, Description*, Description_ML*

   Discovery (Section 3.10): source?, ext-source?, restriction?, ext-restriction?, Description*, Description_ML*, Contact*, DetectionPattern*

   DetectionPattern (Section 3.10.1): restriction?, ext-restriction?, observable-id?, Application, Description*, Description_ML*, DetectionConfiguration*

   Method (Section 3.11): restriction?, ext-restriction?, Reference*, Description*, Description_ML*, AttackPattern*, Vulnerability*, Weakness*, AdditionalData*

   Reference (Section 3.11.1): observable-id?, ReferenceName?, URL*, Description*, Description_ML*

   Assessment (Section 3.12): occurrence?, restriction?, ext-restriction?, observable-id?, IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*, MonetaryImpact*, IntendedImpact*, Counter*, MitigatingFactor*, MitigatingFactor_ML*, Cause*, Cause_ML*, Confidence?, AdditionalData*

   SystemImpact (Section 3.12.1): severity?, completion?, type, ext-type?, Description*, Description_ML*

   BusinessImpact (Section 3.12.2): severity?, ext-severity?, type, ext-type?, Description*, Description_ML*

   TimeImpact (Section 3.12.3): value, severity?, metric, ext-metric?, duration?, ext-duration?

   MonetaryImpact (Section 3.12.4): value, severity?, currency?

   Confidence (Section 3.12.5): value, rating, ext-rating?

   History (Section 3.13): restriction?, ext-restriction?, HistoryItem+

   HistoryItem (Section 3.13.1): action, ext-action?, restriction?, ext-restriction?, observable-id?, DateTime, IncidentID?, Contact?, Description*, Description_ML*, DefinedCOA*, AdditionalData*

   EventData (Section 3.14): restriction?, ext-restriction?, observable-id?, Description*, Description_ML*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, Contact*, Discovery*, Assessment?, Method*, System*, Expectation*, RecordData*, EventData*, AdditionalData*

   Expectation (Section 3.15): action?, ext-action?, severity?, restriction?, ext-restriction?, Description*, Description_ML*, DefinedCOA*, StartTime?, EndTime?, Contact?

   System (Section 3.16): category?, ext-category?, interface?, spoofed?, virtual?, ownership?, ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*, Service*, OperatingSystem*, Counter*, AssetID*, Description*, Description_ML*, AdditionalData*

   Node (Section 3.17): DomainData*, Address*, PostalAddress?, Location*, Location_ML*, Counter*

   Address (Section 3.17.1): value, category, ext-category?, vlan-name?, vlan-num?, observable-id?

   NodeRole (Section 3.17.2): category, ext-category?, Description*, Description_ML*

   Counter (Section 3.17.3): value, type, ext-type?, unit, ext-unit?, meaning?, meaning_ML?, duration?, ext-duration?

   DomainData (Section 3.18): system-status, ext-system-status?, domain-status, ext-domain-status?, observable-id?, Name, DateDomainWasChecked?, RegistrationDate?, ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?

   Nameserver (Section 3.18.1): Server, Address*

   DomainContacts (Section 3.18.2): SameDomainContact?, Contact+

   Service (Section 3.19): ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField*, EmailData?, Application?

   ServiceName (Section 3.19.1): IANAService?, URL*, Description*, Description_ML*

   EmailData (Section 3.19.2): observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, HashData*, Signature*

   RecordData (Section 3.19.3): restriction?, ext-restriction?, observable-id?, DateTime?, Description*, Description_ML*, Application?, RecordPattern*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*, CertificateData*, AdditionalData*

   RecordPattern (Section 3.19.4): type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, value

   WindowsRegistryKeysModified (Section 3.20): observable-id?, Key+

   Key (Section 3.20.1): registryaction?, ext-registryaction?, observable-id?, KeyName, KeyValue?

   CertificateData (Section 3.21): restriction?, ext-restriction?, observable-id?, Certificate+

   Certificate (Section 3.21.1): observable-id?, X509Data, Description*, Description_ML*

   FileData (Section 3.22): restriction?, ext-restriction?, observable-id?, File+

   File (Section 3.22.1): observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, Signature*, AssociatedSoftware?, FileProperties*

   HashData (Section 3.23): scope, HashTargetID?, Hash*, FuzzyHash*

   Hash (Section 3.23.1): DigestMethod, DigestValue, CanonicalizationMethod?, Application?

   FuzzyHash (Section 3.23.2): FuzzyHashValue+, Application?, AdditionalData*

   Indicator (Section 3.24): restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*, Description*, Description_ML*, StartTime?, EndTime?, Confidence?, Contact*, Observable?, uid-ref?, IndicatorExpression?, IndicatorReference?, NodeRole*, AttackPhase*, Reference*, AdditionalData*

   IndicatorID (Section 3.24.1): id, name, version

   AlternativeIndicatorID (Section 3.24.2): restriction?, ext-restriction?, IndicatorReference+

   Observable (Section 3.24.3): restriction?, ext-restriction?, System?, Address?, DomainData?, Service?, EmailData?, WindowsRegistryKeysModified?, FileData?, CertificateData?, RegistryHandle?, RecordData?, EventData?, Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?, HistoryItem?, BulkObservable?, AdditionalData*

   BulkObservable (Section 3.24.4): type?, ext-type?, BulkObservableFormat?, BulkObservableList, AdditionalData*

   BulkObservableFormat (Section 3.24.5): Hash?, AdditionalData*

   IndicatorExpression (Section 3.24.6): operator?, ext-operator?, IndicatorExpression*, Observable*, uid-ref*, IndicatorReference*, Confidence?, AdditionalData*

   IndicatorReference (Section 3.24.7): uid-ref?, euid-ref?, version?

   AttackPhase (Section 3.24.8): AttackPhaseID*, URL*, Description*, Description_ML*, AdditionalData*

3.2.  Mapping between JSON and XML IODEF

   o  This document treats the attributes and elements of each class defined in [RFC7970] equally: both become members of the corresponding JSON object, and no significance is attached to the order in which they appear.

   o  The Flow class is deleted; the System instances that used to belong to Flow are now held directly by EventData.

   o  The ApplicationHeader class is deleted; classes that contained it now directly hold the ApplicationHeaderField instances that used to belong to ApplicationHeader.

   o  The SignatureData class is deleted; classes that contained it now directly hold the Signature instances that used to belong to SignatureData.

   o  The IndicatorData class is deleted; classes that contained it now directly hold the Indicator instances that used to belong to IndicatorData.

   o  The ObservableReference class is deleted; classes that contained it now carry uid-ref directly as a member.

   o  The Record class is deleted; classes that contained it now directly hold the RecordData instances that used to belong to Record.

   o  Each element of ML_STRING type is provided as two separate elements, one of STRING type and one of ML_STRING type (suffixed "_ML"), so that a document written only in the default language stays simple.

4.  Examples

   This section provides examples of IODEF documents.
   The examples in this section do not represent the full capabilities of the data model or the only way to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }]
     }]
   }

4.2.  Indicators from a Campaign

   An example listing the command-and-control (C2) domains of a given campaign.  Member names and cardinalities follow the classes of Section 3.1: repeated members are arrays, and the BulkObservableList belongs to the BulkObservable.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "watch",
         "restriction": "green",
         "IncidentID": {
           "id": "897923",
           "name": "csirt.example.com"
         },
         "RelatedActivity": [
           {
             "ThreatActor": [
               {
                 "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
                 "Description": ["Aggressive Butterfly"]
               }
             ],
             "Campaign": [
               {
                 "CampaignID": ["C-2015-59405"],
                 "Description": ["Orange Giraffe"]
               }
             ]
           }
         ],
         "GenerationTime": "2015-10-02T11:18:00-05:00",
         "Description": [
           "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
         ],
         "Assessment": [
           {
             "BusinessImpact": [
               {
                 "type": "breach-proprietary"
               }
             ]
           }
         ],
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "ContactName": ["CSIRT for example.com"],
             "Email": [
               {
                 "EmailTo": "contact@csirt.example.com"
               }
             ]
           }
         ],
         "Indicator": [
           {
             "IndicatorID": {
               "id": "G90823490",
               "name": "csirt.example.com",
               "version": "1"
             },
             "Description": ["C2 domains"],
             "StartTime": "2014-12-02T11:18:00-05:00",
             "Observable": {
               "BulkObservable": {
                 "type": "fqdn",
                 "BulkObservableList": [
                   "kj290023j09r34.example.com",
                   "09ijk23jfj0k8.example.net",
                   "klknjwfjiowjefr923.example.org",
                   "oimireik79msd.example.org"
                 ]
               }
             }
           }
         ]
       }
     ]
   }

5.  The IODEF Data Model (CDDL)

   start = iodef

   ;;; iodef.json: IODEF-Document

   iodef = {
     version: text
     ? lang: lang
     ? format-id: text
     ? private-enum-name: text
     ? private-enum-id: text
     Incident: [+ Incident]
     ? AdditionalData: [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "en" / "ja"   ; language tags as defined in [RFC5646]
   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   DATETIME = text
   URLtype = text
   IDtype = text

   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   ExtensionType = {
     ? value: text   ; content typed according to dtype, see Section 2.2.4
     ? name: text
     ? dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
              "ntpstamp" / "integer" / "portlist" / "real" / "string" /
              "file" / "path" / "frame" / "packet" / "ipv4-packet" /
              "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction
     ? ext-restriction: text
     ? observable-id: IDtype
   }

   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: URLtype
     ? Description: [+ text]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: text
     ? StartTime: text
     ? EndTime: text
     ? RecoveryTime: text
     ? ReportTime: text
     GenerationTime: text
     ? Description: [+ text]
     ? Description_ML: [+ text]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ? AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ URLtype]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ text]
     ? Description_ML: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ text]
     ? Description_ML: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction
     ? ext-restriction: text
     ? ContactName: [+ text]
     ? ContactName_ML: [+ text]
     ? ContactTitle: [+ text]
     ? ContactTitle_ML: [+ text]
     ? Description: [+ text]
     ? Description_ML: [+ text]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: text
     ? Contact: [+ Contact]
     ? AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
               "afrinic" / "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: text
     ? ext-type: text
     PAddress: text
     ? Description: [+ text]
     ? Description_ML: [+ text]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ?
ext-type: text 1063 EmailTo: text 1064 ? Description: [+ text] 1065 ? Description_ML: [+ text] 1066 } 1067 Telephone = { 1068 ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" 1069 ? ext-type: text 1070 TelephoneNumber: text 1071 ? Description: [+ text] 1072 ? Description_ML: [+ text] 1073 } 1075 Discovery = { 1076 ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / 1077 "incident" / "os-log" / "application-log" / "device-log" / 1078 "network-flow" / "passive-dns" / "investiation" / "audit" / 1079 "international-notification" / "external-notification" / 1080 "leo" / "partner" / "actor" / "unknown" / "ext-value" 1081 ? ext-source: text 1082 ? restriction: restriction 1083 ? ext-restriction: text 1084 ? Description: [+ text] 1085 ? Description_ML: [+ text] 1086 ? Contact: [+ Contact] 1087 ? DetectionPattern: [+ DetectionPattern] 1088 } 1090 DetectionPattern = { 1091 ? restriction: restriction 1092 ? ext-restriction: text 1093 ? observable-id: IDtype 1094 Application: SoftwareType 1095 ? Description: [+ text] 1096 ? Description_ML: [+ text] 1097 ? DetectionConfiguration: [+ text] 1098 } 1100 Method = { 1101 ? restriction: restriction 1102 ? ext-restriction: text 1103 ? Reference: [+ Reference] 1104 ? Description: [+ text] 1105 ? Description_ML: [+ text] 1106 ? AttackPattern: [+ StructuredInformation] 1107 ? Vulnerability: [+ StructuredInformation] 1108 ? Weakness: [+ StructuredInformation] 1109 ? AdditionalData: [+ ExtensionType] 1110 } 1112 StructuredInformation = { 1113 specID: text 1114 ? ext-specID: text 1115 ? contentID: text 1116 ? RawData: any 1117 ? URL: URLtype 1118 } 1120 Reference = { 1121 ? observable-id: IDtype 1122 ? ReferenceName: ReferenceName 1123 ? URL: [+ URLtype] 1124 ? Description: [+ text] 1125 ? Description_ML: [+ text] 1126 } 1128 ReferenceName = { 1129 specIndex: int 1130 ID: text 1131 } 1133 Assessment = { 1134 ? occurrence: "actual" / "potential" 1135 ? restriction: restriction 1136 ? 
ext-restriction: text 1137 ? observable-id: IDtype 1138 ? IncidentCategory: [+ text] 1139 ? SystemImpact: [+ SystemImpact] 1140 ? BusinessImpact: [+ BusinessImpact] 1141 ? TimeImpact: [+ TimeImpact] 1142 ? MonetaryImpact: [+ MonetaryImpact] 1143 ? IntendedImpact: [+ BusinessImpact] 1144 ? Counter: [+ Counter] 1145 ? MitigatingFactor: [+ text] 1146 ? MitigatingFactor_ML: [+ text] 1147 ? Cause: [+ text] 1148 ? Cause_ML: [+ text] 1149 ? Confidence: Confidence 1150 ? AdditionalData: [+ ExtensionType] 1151 } 1153 SystemImpact = { 1154 ? severity: "low" / "medium" / "high" 1155 ? completion: "failed" / "succeeded" 1156 type: "takeover-account" / "takeover-service" / "takeover-system" / 1157 "cps-manipulation" / "cps-damage" / "availability-data" / 1158 "availability-account" / "availability-service" / 1159 "availability-system" / "damaged-system" / "damaged-data" / 1160 "breach-proprietary" / "breach-privacy" / "breach-credential" / 1161 "breack-configuration" / "integrity-data" / 1162 "integrity-configuration" / "integrity-hardware" / 1163 "traffic-redirection" / "monitoring-traffic" / "monitoring-host" / 1164 "policy" / "unknown" / "ext-value" 1165 ? ext-type: text 1166 ? Description: [+ text] 1167 ? Description_ML: [+ text] 1168 } 1170 BusinessImpact = { 1171 ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" 1172 ? ext-severity: text 1173 type: "breach-proprietary" / "breach-privacy" / "breach-credential" / 1174 "loss-of-integrity" / "loss-of-service" / "theft-financial" / 1175 "theft-service" / "degraded-reputation" / "asset-damage" / 1176 "asset-manipulation" / "legal" / "extortion" / "unknown" / 1177 "ext-value" 1178 ? ext-type: text 1179 ? Description: [+ text] 1180 ? Description_ML: [+ text] 1181 } 1183 TimeImpact = { 1184 value: int 1185 ? severity: "low" / "medium" / "high" 1186 metric: "labor" / "elapsed" / "downtime" / "ext-value" 1187 ? ext-metric: text 1188 ? duration: duration 1189 ? 
ext-duration: text 1190 } 1192 MonetaryImpact = { 1193 value: int 1194 ? severity: "low" / "medium" / "high" 1195 ? currency: text 1196 } 1198 Confidence = { 1199 value: int 1200 rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" 1201 ? ext-rating: text 1202 } 1204 History = { 1205 ? restriction: restriction 1206 ? ext-restriction: text 1207 HistoryItem: [+ HistoryItem] 1208 } 1210 HistoryItem = { 1211 action: action 1212 ? ext-action: text 1213 ? restriction: restriction 1214 ? ext-restriction: text 1215 ? observable-id: IDtype 1216 DateTime: DATETIME 1217 ? IncidentID: IncidentID 1218 ? Contact: Contact 1219 ? Description: [+ text] 1220 ? Description_ML: [+ text] 1221 ? DefinedCOA: [+ text] 1222 ? AdditionalData: [+ ExtensionType] 1223 } 1225 EventData = { 1226 ? restriction: restriction 1227 ? ext-restriction: text 1228 ? observable-id: IDtype 1229 ? Description: [+ text] 1230 ? Description_ML: [+ text] 1231 ? DetectTime: DATETIME 1232 ? StartTime: DATETIME 1233 ? EndTime: DATETIME 1234 ? RecoveryTime: DATETIME 1235 ? ReportTime: DATETIME 1236 ? Contact: [+ Contact] 1237 ? Discovery: [+ Discovery] 1238 ? Assessment: Assessment 1239 ? Method: [+ Method] 1240 ? System: [+ System] 1241 ? Expectation: [+ Expectation] 1242 ? RecordData: [+ RecordData] 1243 ? EventData: [+ EventData] 1244 ? AdditionalData: [+ ExtensionType] 1245 } 1247 Expectation = { 1248 ? action: action 1249 ? ext-action: text 1250 ? severity: "low" / "medium" / "high" 1251 ? restriction: restriction 1252 ? ext-restriction: text 1253 ? observable-id: IDtype 1254 ? Description: [+ text] 1255 ? Description_ML: [+ text] 1256 ? DefinedCOA: [+ text] 1257 ? StartTime: DATETIME 1258 ? EndTime: DATETIME 1259 ? Contact: Contact 1260 } 1262 System = { 1263 ? category: "source" / "target" / "intermediate" / "sensor" / 1264 "infrastructure" / "ext-value" 1265 ? ext-category: text 1266 ? interface: text 1267 ? spoofed: "unknown" / "yes" / "no" 1268 ? virtual: "yes" / "no" / "unknown" 1269 ? 
ownership: "organization" / "personal" / "partner" / "customer" / 1270 "no-relationship" / "unknown" / "ext-value" 1271 ? ext-ownership: text 1272 ? restriction: restriction 1273 ? ext-restriction: text 1274 ? observable-id: IDtype 1275 Node: Node 1276 ? NodeRole: [+ NodeRole] 1277 ? Service: [+ Service] 1278 ? OperatingSystem: [+ SoftwareType] 1279 ? Counter: [+ Counter] 1280 ? AssetID: [+ text] 1281 ? Description: [+ text] 1282 ? Description_ML: [+ text] 1283 ? AdditionalData: [+ ExtensionType] 1284 } 1286 Node = { 1287 ? DomainData: [+ DomainData] 1288 ? Address: [+ Address] 1289 ? PostalAddress: PostalAddress 1290 ? Location: [+ text] 1291 ? Location_ML: [+ text] 1292 ? Counter: [+ Counter] 1293 } 1295 Address = { 1296 value: text 1297 category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 1298 "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / 1299 "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / 1300 "ext-value" 1301 ? ext-category: text 1302 ? vlan-name: text 1303 ? vlan-num: int 1304 ? observable-id: IDtype 1305 } 1306 NodeRole = { 1307 category: "client" / "client-enterprise" / "clent-partner" / 1308 "client-remote" / "client-kiosk" / "client-mobile" / 1309 "server-internal" / "server-public" / "www" / "mail" / 1310 "webmail" / "messaging" / "streaming" / "voice" / "file" / 1311 "ftp" / "p2p" / "name" / "directory" / "credential" / 1312 "print" / "application" / "database" / "backup" / "dhcp" / 1313 "assessment" / "source-control" / "config-management" / 1314 "monitoring" / "infra" / "infra-firewall" / "infra-router" / 1315 "infra-switch" / "camera" / "proxy" / "remote-access" / 1316 "log" / "virtualization" / "pos" / "scada" / 1317 "scada-supervisory" / "sinkhole" / "honeypot" / 1318 "anomyzation" / "c2-server" / "malware-distribution" / 1319 "drop-server" / "hot-point" / "reflector" / 1320 "phishing-site" / "spear-phishing-site" / "recruiting-site" / 1321 "fraudulent-site" / "ext-value" 1322 ? ext-category: text 1323 ? 
Description: [+ text] 1324 ? Description_ML: [+ text] 1325 } 1327 Counter = { 1328 value: text 1329 type: "count" / "peak" / "average" / "ext-value" 1330 ? ext-type: text 1331 unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / 1332 "message" / "event" / "host" / "site" / "organization" / 1333 "ext-value" 1334 ? ext-unit: text 1335 ? meaning: text 1336 ? meaning_ML: text 1337 ? duration: duration 1338 ? ext-duration: text 1339 } 1341 DomainData = { 1342 system-status: "spoofed" / "fraudulent" / "innocent-hacked" / 1343 "innocent-hijacked" / "unknown" / "ext-value" 1344 ? ext-system-status: text 1345 domain-status: "reservedDelegation" / "assignedAndActive" / 1346 "assignedAndInactive" / "assignedAndOnHold" / 1347 "revoked" / "transferPending" / "registryLock" / 1348 "registrarLock" / "other" / "unknown" / "ext-value" 1349 ? ext-domain-status: text 1350 ? observable-id: IDtype 1351 Name: text 1352 ? DateDomainWasChecked: DATETIME 1353 ? RegistrationDate: DATETIME 1354 ? ExpirationDate: DATETIME 1355 ? RelatedDNS: [+ ExtensionType] 1356 ? NameServers: [+ NameServers] 1357 ? DomainContacts: DomainContacts 1358 } 1360 NameServers = { 1361 Server: text 1362 ? Address: [+ Address] 1363 } 1365 DomainContacts = { 1366 ? SameDomainContact: text 1367 Contact: [+ Contact] 1368 } 1370 Service = { 1371 ? ip-protocol: int 1372 ? observable-id: IDtype 1373 ? ServiceName: ServiceName 1374 ? Port: int 1375 ? Portlist: text 1376 ? ProtoCode: int 1377 ? ProtoType: int 1378 ? ProtoField: int 1379 ? ApplicationHeaderField: [+ ExtensionType] 1380 ? EmailData: EmailData 1381 ? Application: SoftwareType 1382 } 1384 ServiceName = { 1385 ? IANAService: text 1386 ? URL: [+ URLtype] 1387 ? Description: [+ text] 1388 ? Description_ML: [+ text] 1389 } 1391 EmailData = { 1392 ? observable-id: IDtype 1393 ? EmailTo: [+ text] 1394 ? EmailFrom: text 1395 ? EmailSubject: text 1396 ? EmailX-Mailer: text 1397 ? EmailHeaderField: [+ ExtensionType] 1398 ? EmailHeaders: text 1399 ? 
EmailBody: text 1400 ? EmailMessage: text 1401 ? HashData: [+ HashData] 1402 ? Signature: [+ text] 1403 } 1405 RecordData = { 1406 ? restriction: restriction 1407 ? ext-restriction: text 1408 ? observable-id: IDtype 1409 ? DateTime: DATETIME 1410 ? Description: [+ text] 1411 ? Description_ML: [+ text] 1412 ? Applicadtion: SoftwareType 1413 ? RecordPattern: [+ RecordPattern] 1414 ? RecordItem: [+ ExtensionType] 1415 ? URL: [+ URLtype] 1416 ? FileData: [+ FileData] 1417 ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] 1418 ? CertificateData: [+ CertificateData] 1419 ? AdditionalData: [+ ExtensionType] 1420 } 1422 RecordPattern = { 1423 value: text 1424 type: "regex" / "binary" / "xpath" / "ext-value" 1425 ? ext-type: text 1426 ? offset: int 1427 ? offsetunit: "line" / "byte" / "ext-value" 1428 ? ext-offsetunit: text 1429 ? instance: int 1430 } 1432 WindowsRegistryKeysModified = { 1433 ? observable-id: IDtype 1434 Key: [+ Key] 1435 } 1437 Key = { 1438 ? registryaction: "add-key" / "add-value" / "delete-key" / 1439 "delete-value" / "modify-key" / "modify-value" / 1440 "ext-value" 1441 ? ext-registryaction: text 1442 ? observable-id: IDtype 1443 KeyName: text 1444 ? KeyValue: text 1445 } 1447 CertificateData = { 1448 ? restriction: restriction 1449 ? ext-restriction: text 1450 ? observable-id: IDtype 1451 Certificate: [+ Certificate] 1452 } 1454 Certificate = { 1455 ? observable-id: IDtype 1456 X509Data: text 1457 ? Description: [+ text] 1458 ? Description_ML: [+ text] 1459 } 1461 FileData = { 1462 ? restriction: restriction 1463 ? ext-restriction: text 1464 ? observable-id: IDtype 1465 File: [+ File] 1466 } 1468 File = { 1469 ? observable-id: IDtype 1470 ? FileName: text 1471 ? FileSize: int 1472 ? FileType: text 1473 ? URL: [+ URLtype] 1474 ? HashData: HashData 1475 ? Signature: [+ text] 1476 ? AssociatedSoftware: SoftwareType 1477 ? 
FileProperties: [+ ExtensionType] 1478 } 1480 HashData = { 1481 scope: "file-contents" / "file-pe-section" / "file-pe-iat" / 1482 "file-pe-resource" / "file-pdf-object" / "email-hash" / 1483 "email-hash-header" / "email-hash-body" 1484 ? HashTargetID: text 1485 ? Hash: [+ Hash] 1486 ? FuzzyHash: [+ FuzzyHash] 1487 } 1489 Hash = { 1490 DigestMethod: text 1491 DigestValue: text 1492 ? CanonicalizationMethod: any 1493 ? Application: SoftwareType 1494 } 1496 FuzzyHash = { 1497 FuzzyHashValue: [+ ExtensionType] 1498 ? Application: SoftwareType 1499 ? AdditionalData: [+ ExtensionType] 1500 } 1502 Indicator = { 1503 ? restriction: restriction 1504 ? ext-restriction: text 1505 IndicatorID: IndicatorID 1506 ? AlternativeIndicatorID: [+ AlternativeIndicatorID] 1507 ? Description: [+ text] 1508 ? Description_ML: [+ text] 1509 ? StartTime: DATETIME 1510 ? EndTime: DATETIME 1511 ? Confidence: Confidence 1512 ? Contact: [+ Contact] 1513 ? Observable: Observable 1514 ? uid-ref: text 1515 ? IndicatorExpression: IndicatorExpression 1516 ? IndicatorReference: IndicatorReference 1517 ? NodeRole: [+ NodeRole] 1518 ? AttackPhase: [+ AttackPhase] 1519 ? Reference: [+ Reference] 1520 ? AdditionalData: [+ ExtensionType] 1521 } 1523 IndicatorID = { 1524 id: IDtype 1525 name: text 1526 version: text 1527 } 1529 AlternativeIndicatorID = { 1530 ? restriction: restriction 1531 ? ext-restriction: text 1532 IndicatorReference: [+ IndicatorReference] 1533 } 1535 Observable = { 1536 ? restriction: restriction 1537 ? ext-restriction: text 1538 ? System: System 1539 ? Address: Address 1540 ? DomainData: DomainData 1541 ? EmailData: EmailData 1542 ? Service: Service 1543 ? WindowsRegistryKeysModified: WindowsRegistryKeysModified 1544 ? FileData: FileData 1545 ? CertificateData: CertificateData 1546 ? RegistryHandle: RegistryHandle 1547 ? RecordData: RecordData 1548 ? EventData: EventData 1549 ? Incident: Incident 1550 ? Expectation: Expectation 1551 ? Reference: Reference 1552 ? 
Assessment: Assessment 1553 ? DetectionPattern: DetectionPattern 1554 ? HistoryItem: HistoryItem 1555 ? BulkObservable: BulkObservable 1556 ? AdditionalData: [+ ExtensionType] 1557 } 1559 BulkObservable = { 1560 ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 1561 "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / 1562 "mac" / "site-url" / "domain-name" / "domain-to-ipv4" / 1563 "domain-to-ipv6" / "domain-to-ipv4-timestamp" / 1564 "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / 1565 "windows-reg-key" / "file-hash" / "email-x-mailer" / 1566 "email-subject" / "http-user-agent" / "http-request-uri" / 1567 "mutex" / "file-path" / "user-name" / "ext-value" 1568 ? ext-type: text 1569 ? BulkObservableFormat: BulkObservableFormat 1570 BulkObservableList: [+ text] 1571 ? AdditionalData: [+ ExtensionType] 1572 } 1574 BulkObservableFormat = { 1575 ? Hash: Hash 1576 ? AdditionalData: [+ ExtensionType] 1577 } 1579 IndicatorExpression = { 1580 ? operator: "not" / "and" / "or" / "xor" 1581 ? ext-operator: text 1582 ? IndicatorExpression: [+ IndicatorExpression] 1583 ? Observable: [+ Observable] 1584 ? uid-ref: [+ text] 1585 ? IndicatorReference: [+ IndicatorReference] 1586 ? Confidence: Confidence 1587 ? AdditionalData: [+ ExtensionType] 1588 } 1590 IndicatorReference = { 1591 ? uid-ref: text 1592 ? euid-ref: text 1593 ? version: text 1595 } 1597 AttackPhase = { 1598 ? AttackPhaseID: [+ text] 1599 ? URL: [+ URLtype] 1600 ? Description: [+ text] 1601 ? Description_ML: [+ text] 1602 ? AdditionalData: [+ ExtensionType] 1603 } 1605 Figure 2: Data Model in CDDL 1607 6. Acknowledgements 1609 We would like to thank Henk Birkholz and Carsten Bormann for their 1610 insightful comments on CDDL. 1612 7. IANA Considerations 1614 This document registers a JSON schema. 1616 8. Security Considerations 1618 This memo does not provide any further security considerations than 1619 the one described in [RFC7970]. 1621 9. 
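   A consumer that acts on an IODEF document (routing it by its
   "restriction" marking, paging the listed "Contact", blocking the
   indicators it carries) should first check that the document is
   well-formed against the data model in Section 5, because an unknown
   sharing marking or a missing mandatory member otherwise falls through
   to whatever default the consumer happens to use.  The following Python
   script is an added example and not code from the draft or from any
   IODEF implementation.  It encodes only the mandatory members and
   enumerations of the IODEF-Document, Incident, IncidentID, Contact and
   Email classes of the CDDL as a small rule table (the table, the
   "check"/"validate_document" functions and the message formats are this
   example's own), runs it over the Section 4.1 minimal example, and over
   a constructed document that carries a marking outside the restriction
   enumeration and omits Contact.

```python
"""Structural check of an IODEF JSON document against a subset of the
Section 5 CDDL.  Added example, not code from the draft: only the
mandatory members and enums of iodef, Incident, IncidentID, Contact and
Email are encoded; the rule table and function names are this example's own."""
import json

# Enumerations copied from the CDDL (restriction, purpose, Contact role/type).
RESTRICTION = {"public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"}
PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
CONTACT_ROLE = {"creator", "reporter", "admin", "tech", "provider", "user",
                "billing", "legal", "irt", "abuse", "cc", "cc-irt", "leo",
                "vendor", "vendor-support", "victim", "victim-notified",
                "ext-value"}
CONTACT_TYPE = {"person", "organization", "ext-value"}

# Shape table (this example's own encoding of the CDDL):
#   required - members that must be present
#   enums    - members whose text value must come from a fixed set
#   children - member -> (shape name, is_array); "[+ X]" in CDDL is an array
SHAPES = {
    "iodef": {"required": ["version", "Incident"], "enums": {},
              "children": {"Incident": ("Incident", True)}},
    "Incident": {"required": ["purpose", "IncidentID", "GenerationTime", "Contact"],
                 "enums": {"purpose": PURPOSE, "restriction": RESTRICTION},
                 "children": {"IncidentID": ("IncidentID", False),
                              "Contact": ("Contact", True)}},
    "IncidentID": {"required": ["id", "name"],
                   "enums": {"restriction": RESTRICTION}, "children": {}},
    "Contact": {"required": ["role", "type"],
                "enums": {"role": CONTACT_ROLE, "type": CONTACT_TYPE,
                          "restriction": RESTRICTION},
                "children": {"Email": ("Email", True), "Contact": ("Contact", True)}},
    "Email": {"required": ["EmailTo"], "enums": {}, "children": {}},
}


def check(node, shape_name, path="$"):
    """Return a list of problems found under `node`; an empty list means OK."""
    problems = []
    shape = SHAPES[shape_name]
    if not isinstance(node, dict):
        return [f"{path}: expected object for {shape_name}"]
    for key in shape["required"]:
        if key not in node:
            problems.append(f"{path}: missing mandatory member '{key}'")
    for key, allowed in shape["enums"].items():
        if key in node and node[key] not in allowed:
            problems.append(f"{path}.{key}: value {node[key]!r} not in enumeration")
    for key, (child_shape, is_array) in shape["children"].items():
        if key not in node:
            continue
        if is_array:
            if not isinstance(node[key], list) or not node[key]:
                problems.append(f"{path}.{key}: expected non-empty array")
                continue
            for i, item in enumerate(node[key]):
                problems += check(item, child_shape, f"{path}.{key}[{i}]")
        else:
            problems += check(node[key], child_shape, f"{path}.{key}")
    return problems


def validate_document(text):
    """Parse JSON text and check it as an IODEF-Document; returns problems."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"$: not valid JSON ({e.msg})"]
    return check(doc, "iodef")


# The Section 4.1 minimal example, embedded here as the positive input.
MINIMAL = """{
  "version": "2.0", "lang": "en",
  "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Email": [{"EmailTo": "contact@csirt.example.com"}]}]
  }]
}"""

# Constructed negative input: a marking outside the restriction enumeration,
# an IncidentID without a name, and no Contact at all.
BAD = """{
  "version": "2.0",
  "Incident": [{
    "purpose": "reporting", "restriction": "tlp-clear",
    "IncidentID": {"id": "1"},
    "GenerationTime": "2015-07-18T09:00:00-05:00"
  }]
}"""

if __name__ == "__main__":
    print(validate_document(MINIMAL))   # []
    for problem in validate_document(BAD):
        print(problem)
```

   The rule table deliberately rejects a marking it does not know rather
   than mapping it to a default: "ext-value" is the only escape hatch the
   CDDL provides, and a sender using it is expected to say so explicitly.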
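   The IndicatorExpression class in Section 5 lets an Indicator combine
   Observables with "not", "and", "or" and "xor", nesting further
   IndicatorExpressions as operands, which is what a detection engine
   evaluates when it applies the shared indicators to local telemetry.
   The script below is an added example, not code from the draft: it
   evaluates such a tree against one observed event, handling the
   BulkObservable and Address forms of Observable and reusing two of the
   C2 domains from the Section 4.2 example in a constructed indicator.
   Assumptions of this example (the draft does not state them): an event
   is a dict keyed by BulkObservable type or Address category; an
   expression without "operator" is evaluated as "and"; "not" is true
   when none of its operands match; "xor" is true when exactly one
   operand matches; 192.0.2.10 is a documentation address standing in for
   the organisation's own sinkhole.

```python
"""Evaluate an IODEF IndicatorExpression against one observed event.
Added example, not code from the draft; see the lead-in for the
assumptions it makes about events and operator semantics."""


def observable_matches(observable, event):
    """True if the event contains a value that the Observable lists.
    Domain names are compared case-insensitively; addresses exactly."""
    bulk = observable.get("BulkObservable")
    if bulk is not None:
        seen = event.get(bulk.get("type"))
        if seen is None:
            return False
        listed = {v.lower() for v in bulk.get("BulkObservableList", [])}
        return seen.lower() in listed
    addr = observable.get("Address")
    if addr is not None:
        return event.get(addr.get("category")) == addr.get("value")
    return False  # other Observable forms are not handled by this example


def evaluate(expr, event):
    """Recursively evaluate an IndicatorExpression object (assumed
    semantics: missing operator means "and"; "not" means no operand
    matches; "xor" means exactly one operand matches)."""
    op = expr.get("operator", "and")
    operands = [observable_matches(o, event) for o in expr.get("Observable", [])]
    operands += [evaluate(sub, event) for sub in expr.get("IndicatorExpression", [])]
    if op == "and":
        return bool(operands) and all(operands)
    if op == "or":
        return any(operands)
    if op == "not":
        return not any(operands)
    if op == "xor":
        return sum(operands) == 1
    raise ValueError(f"unsupported operator {op!r}")


def indicator_hits(indicator, event):
    """Apply an Indicator's IndicatorExpression to an event."""
    expr = indicator.get("IndicatorExpression")
    return evaluate(expr, event) if expr is not None else False


# Constructed indicator reusing two C2 domains from the Section 4.2
# example: fire when a listed domain is queried, unless the querying
# host is the organisation's own sinkhole (192.0.2.10, a documentation
# address chosen for this example).
C2_INDICATOR = {
    "IndicatorID": {"id": "G90823490", "name": "csirt.example.com",
                    "version": "1"},
    "IndicatorExpression": {
        "operator": "and",
        "Observable": [{"BulkObservable": {
            "type": "domain-name",
            "BulkObservableList": ["kj290023j09r34.example.com",
                                   "09ijk23jfj0k8.example.net"]}}],
        "IndicatorExpression": [{
            "operator": "not",
            "Observable": [{"Address": {"category": "ipv4-addr",
                                        "value": "192.0.2.10"}}]}],
    },
}

# Constructed DNS-log style events: querying client address and queried name.
EVENTS = [
    {"ipv4-addr": "198.51.100.7", "domain-name": "KJ290023J09R34.example.com"},
    {"ipv4-addr": "192.0.2.10", "domain-name": "kj290023j09r34.example.com"},
    {"ipv4-addr": "198.51.100.7", "domain-name": "www.example.com"},
]


def matching_events(indicator, events):
    """Return the indexes of the events on which the indicator fires."""
    return [i for i, ev in enumerate(events) if indicator_hits(indicator, ev)]


if __name__ == "__main__":
    print(matching_events(C2_INDICATOR, EVENTS))  # [0]
```

   Only the first event fires: the second is the sinkhole itself, which
   the nested "not" expression excludes, and the third queries a name that
   is not in the BulkObservableList.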
Normative References 1623 [jsonschema] 1624 "JSON Schema", 2006. 1626 http://json-schema.org/ 1628 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1629 Requirement Levels", BCP 14, RFC 2119, 1630 DOI 10.17487/RFC2119, March 1997, 1631 . 1633 [RFC7970] Danyliw, R., "The Incident Object Description Exchange 1634 Format Version 2", RFC 7970, DOI 10.17487/RFC7970, 1635 November 2016, . 1637 Appendix A. The IODEF Data Model (JSON Schema) 1639 This section provides a JSON schema that defines the IODEF Data Model 1640 defined in this draft. 1642 { "$schema": "http://json-schema.org/draft-04/schema#", 1643 "definitions": { 1644 "action": {"enum": ["nothing","contact-source-site", 1645 "contact-target-site","contact-sender","investigate", 1646 "block-host","block-network","block-port","rate-limit-host", 1647 "rate-limit-network","rate-limit-port","redirect-traffic", 1648 "honeypot","upgrade-software","rebuild-asset","harden-asset", 1649 "remediate-other","status-triage","status-new-info", 1650 "watch-and-report","training","defined-coa","ext-value"]}, 1651 "duration": {"enum": ["second","minute","hour","day","month","quarter", 1652 "year","ext-value"]}, 1653 "lang": {"enum": ["en","jp"]}, 1654 "purpose": {"enum": ["traceback","mitigation","reporting","watch", 1655 "other","ext-value"]}, 1656 "restriction": {"enum": ["public","partner","need-to-know","private", 1657 "default","white","green","amber","red","ext-value"]}, 1658 "status": {"enum": ["new","in-progress","forwarded","resolved", 1659 "future","ext-value"]}, 1660 "DATETIME": {"type": "string"}, 1661 "PORTLIST": {"type": "string"}, 1662 "URLtype": {"type": "string"}, 1663 "IDtype": {"type": "string"}, 1664 "ExtensionType": { 1665 "type": "object", 1666 "properties": { 1667 "name": {"type": "string"}, 1668 "dtype": {"enum": ["boolean","byte","bytes","character","date-time", 1669 "ntpstamp","integer","portlist","real","string","file", 1670 "path","frame","packet","ipv4-packet","ipv6-packet","url", 1671 
"csv","winreg","xml","ext-value"]}, 1672 "ext-dtype": {"type": "string"}, 1673 "meaning": {"type": "string"}, 1674 "formatid": {"type": "string"}, 1675 "restriction": {"$ref": "#/definitions/restriction"}, 1676 "ext-restriction": {"type": "string"}, 1677 "observable-id": {"$ref": "#/definitions/IDtype"}}}, 1678 "ExtensionTypeList": { 1679 "type": "array", 1680 "items": {"$ref": "#/definitions/ExtensionType"}}, 1681 "SoftwareType": { 1682 "type": "object", 1683 "properties": { 1684 "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, 1685 "URL": {"$ref": "#/definitions/URLtype"}, 1686 "Description": {"type": "array", "items": {"type":"string"}}}, 1687 "required": [], 1688 "additionalProperties": false}, 1689 "SoftwareReference": { 1690 "type": "object", 1691 "properties": { 1692 "value": {"type": "string"}, 1693 "spec-name": {"type": "string"}, 1694 "ext-spec-name": {"type": "string"}, 1695 "dtype": {"type": "string"}, 1696 "ext-dtype": {"type": "string"}}, 1697 "required": ["spec-name"], 1698 "additionalProperties": false}, 1699 "StructuredInfo": { 1700 "type": "object", 1701 "properties": { 1702 "specID": {"type": "string"}, 1703 "ext-specID": {"type": "string"}, 1704 "contentID": {"type": "string"}, 1705 "RawData": {"type": "string"}, 1706 "URL": {"$ref": "#/definitions/URLtype"}}, 1707 "required": ["specID"], 1708 "additionalProperties": false}, 1709 "Incident": { 1710 "title": "Incident", 1711 "description": "JSON schema for Incident class", 1712 "type": "object", 1713 "properties": { 1714 "purpose": {"$ref": "#/definitions/purpose"}, 1715 "ext-purpose": {"type": "string"}, 1716 "status": {"$ref": "#/definitions/status"}, 1717 "ext-status": {"type": "string"}, 1718 "lang": {"$ref": "#/definitions/lang"}, 1719 "restriction": {"$ref": "#/definitions/restriction"}, 1720 "ext-restriction": {"type": "string"}, 1721 "observable-id": {"$ref": "#/definitions/IDtype"}, 1722 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 1723 "AlternativeID": {"$ref": 
"#/definitions/AlternativeID"}, 1724 "RelatedActivity": { 1725 "type": "array", 1726 "items": {"$ref": "#/definitions/RelatedActivity"}}, 1727 "DetectTime": {"type": "string"}, 1728 "StartTime": {"type": "string"}, 1729 "EndTime": {"type": "string"}, 1730 "RecoveryTime": {"type": "string"}, 1731 "ReportTime": {"type": "string"}, 1732 "GenerationTime": {"type": "string"}, 1733 "Description": {"type": "array","items": {"type": "string"}}, 1734 "Discovery": { 1735 "type": "array","items": {"$ref": "#/definitions/Discovery"}}, 1736 "Assessment": { 1737 "type": "array","items": {"$ref": "#/definitions/Assessment"}}, 1738 "Methods": { 1739 "type": "array","items": {"$ref": "#/definitions/Method"}}, 1740 "Contacts": { 1741 "type": "array","items": {"$ref": "#/definitions/Contact"}}, 1742 "EventData": { 1743 "type": "array","items": {"$ref": "#/definitions/EventData"}}, 1744 "IndicatorList": { 1745 "type": "array","items": {"$ref": "#/definitions/Indicator"}}, 1746 "History": {"$ref": "#/definitions/History"}, 1747 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1748 "required": ["IncidentID","GenerationTime","Contacts","purpose"], 1749 "additionalProperties": false}, 1750 "IncidentID": { 1751 "title": "IncidentID", 1752 "description": "JSON schema for IncidentID class", 1753 "type": "object", 1754 "properties": { 1755 "id": {"type": "string"}, 1756 "name": {"type": "string"}, 1757 "instance": {"type": "string"}, 1758 "restriction": {"$ref": "#/definitions/restriction"}, 1759 "ext-restriction": {"type": "string"}}, 1760 "required": ["name"], 1761 "additionalProperties": false}, 1762 "AlternativeID": { 1763 "title": "AlternativeID", 1764 "description": "JSON schema for AlternativeID class", 1765 "type": "object", 1766 "properties": { 1767 "IncidentID": { 1768 "type": "array","items":{"$ref": "#/definitions/IncidentID"}}, 1769 "restriction": {"$ref": "#/definitions/restriction"}, 1770 "ext-restriction": {"type": "string"}}, 1771 "required": ["IncidentID"], 
1772 "additionalProperties": false}, 1773 "RelatedActivity": { 1774 "properties": { 1775 "restriction": {"$ref": "#/definitions/restriction"}, 1776 "ext-restriction": {"type": "string"}, 1777 "IncidentID": { 1778 "type": "array","items": {"$ref": "#/definitions/IncidentID"}}, 1779 "URL": { 1780 "type": "array","items": {"$ref": "#/definitions/URLtype"}}, 1781 "ThreatActor": { 1782 "type": "array","items": {"$ref": "#/definitions/ThreatActor"}}, 1783 "Campaign": { 1784 "type": "array","items": {"$ref": "#/definitions/Campaign"}}, 1785 "IndicatorID": { 1786 "type": "array","items": {"$ref": "#/definitions/IndicatorID"}}, 1788 "Confidence": {"$ref": "#/definitions/Confidence"}, 1789 "Description": { "type": "array","items": {"type": "string"}}, 1790 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1791 "additionalProperties": false}, 1792 "ThreatActor": { 1793 "properties": { 1794 "restriction": {"$ref": "#/definitions/restriction"}, 1795 "ext-restriction": {"type": "string"}, 1796 "ThreatActorID": {"type": "array", "items": {"type": "string"}}, 1797 "Description": {"type": "array", "items": {"type": "string"}}, 1798 "URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}}, 1799 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1800 "additionalProperties": false}, 1801 "Campaign": { 1802 "properties": { 1803 "restriction": {"$ref": "#/definitions/restriction"}, 1804 "ext-restriction": {"type": "string"}, 1805 "CampaignID": {"type": "array", "items": {"type": "string"}}, 1806 "URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, 1807 "Description": {"type": "array", "items": {"type": "string"}}, 1808 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, 1809 "Contact": { 1810 "type": "object", 1811 "properties": { 1812 "role": { 1813 "enum": ["creator","reporter","admin","tech","provider","user", 1814 "billing","legal","irt","abuse","cc","cc-irt","leo", 1815 "vendor","vendor-support","victim","victim-notified", 
1816 "ext-value"]}, 1817 "ext-role": {"type": "string"}, 1818 "type": {"enum": ["person","organization","ext-value"]}, 1819 "ext-type": {"type": "string"}, 1820 "restriction": {"$ref": "#/definitions/restriction"}, 1821 "ext-restriction": {"type": "string"}, 1822 "ContactName": {"type": "array", "items": {"type": "string"}}, 1823 "ContactTitle": {"type": "array", "items": {"type": "string"}}, 1824 "Description": {"type": "array", "items": {"type": "string"}}, 1825 "RegistryHandle": { 1826 "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}}, 1827 "PostalAddress": { 1828 "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}}, 1829 "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, 1830 "Telephone": { 1831 "type": "array", "items": {"$ref": "#/definitions/Telephone"}}, 1832 "Timezone": {"type": "string"}, 1833 "Contact": { 1834 "type": "array", "items": {"$ref": "#/definitions/Contact"}}, 1835 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1837 "required": ["role","type"], 1838 "additionalProperties": false}, 1839 "RegistryHandle": { 1840 "type": "object", 1841 "properties": { 1842 "handle": {"type": "string"}, 1843 "registry": { 1844 "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", 1845 "local","ext-value"]}, 1846 "ext-registry": {"type": "string"}}, 1847 "required": ["registry"], 1848 "additionalProperties": false}, 1849 "PostalAddress": { 1850 "type": "object", 1851 "properties": { 1852 "type": {"type": "string"}, 1853 "ext-type": {"type": "string"}, 1854 "PAddress": {"type": "string"}, 1855 "Description": {"type": "array", "items": {"type": "string"}}}, 1856 "required": ["PAddress"], 1857 "additionalProperties": false}, 1858 "Email": { 1859 "type": "object", 1860 "properties": { 1861 "type": { 1862 "enum":["direct","hotline","ext-value"]}, 1863 "ext-type": {"type": "string"}, 1864 "EmailTo": {"type": "string"}, 1865 "Description": {"type": "array", "items": {"type": "string"}}}, 1866 "required": 
["EmailTo"], 1867 "additionalProperties": false}, 1868 "Telephone": { 1869 "type": "object", 1870 "properties": { 1871 "type": { 1872 "enum":["wired","mobile","fax","hotline","ext-value"]}, 1873 "ext-type": {"type": "string"}, 1874 "TelephoneNumber": {"type": "string"}, 1875 "Description": {"type": "array", "items": {"type": "string"}}}, 1876 "required": ["TelephoneNumber"], 1877 "additionalProperties": false}, 1878 "Discovery": { 1879 "type": "object", 1880 "properties": { 1881 "source": { 1882 "enum":["nidps","hips","siem","av","third-party-monitoring", 1883 "incident","os-log","application-log","device-log", 1884 "network-flow","passive-dns","investigation","audit", 1885 "internal-notification","external-notification","leo", 1886 "partner","actor","unknown","ext-value"]}, 1887 "ext-source": {"type": "string"}, 1888 "restriction": {"$ref": "#/definitions/restriction"}, 1889 "ext-restriction": {"type": "string"}, 1890 "Description": {"type": "array", "items": {"type": "string"}}, 1891 "Contact": { 1892 "type": "array", "items": {"$ref": "#/definitions/Contact"}}, 1893 "DetectionPattern": { 1894 "type":"array", 1895 "items":{"$ref":"#/definitions/DetectionPattern"}}}, 1896 "required": [], 1897 "additionalProperties": false}, 1898 "DetectionPattern": { 1899 "type": "object", 1900 "properties": { 1901 "restriction": {"$ref": "#/definitions/restriction"}, 1902 "ext-restriction": {"type": "string"}, 1903 "observable-id": {"$ref": "#/definitions/IDtype"}, 1904 "Application": {"$ref": "#/definitions/SoftwareType"}, 1905 "Description": {"type": "array", "items": {"type": "string"}}, 1906 "DetectionConfiguration": { 1907 "type": "array", "items": {"type": "string"}}}, 1908 "required": ["Application"], 1909 "additionalProperties": false}, 1910 "Method": { 1911 "type": "object", 1912 "properties": { 1913 "restriction": {"$ref": "#/definitions/restriction"}, 1914 "ext-restriction": {"type": "string"}, 1915 "References": { 1916 "type": "array","items": {"$ref": 
"#/definitions/Reference"}}, 1917 "Description": {"type": "array", "items": {"type": "string"}}, 1918 "AttackPattern": { 1919 "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, 1920 "Vulnerability": { 1921 "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, 1922 "Weakness": { 1923 "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, 1924 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 1925 "required": [], 1926 "additionalProperties": false}, 1927 "Reference": { 1928 "type": "object", 1929 "properties": { 1930 "observable-id": {"$ref": "#/definitions/IDtype"}, 1931 "ReferenceName": {"type": "string"}, 1932 "URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, 1933 "Description": {"type": "array", "items": {"type": "string"}}}, 1934 "required": [], 1935 "additionalProperties": false}, 1936 "Assessment": { 1937 "type": "object", 1938 "properties": { 1939 "occurrence": {"enum":["actual","potential"]}, 1940 "restriction": {"$ref": "#/definitions/restriction"}, 1941 "ext-restriction": {"type": "string"}, 1942 "observable-id": {"$ref": "#/definitions/IDtype"}, 1943 "IncidentCategory": {"type": "array", "items": {"type": "string"}}, 1944 "SystemImpact": { 1945 "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, 1946 "BusinessImpact": { 1947 "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}}, 1948 "TimeImpact": { 1949 "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, 1950 "MonetaryImpact": { 1951 "type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}}, 1952 "IntendedImpact": { 1953 "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}}, 1954 "Counter": { 1955 "type": "array", "items": {"$ref": "#/definitions/Counter"}}, 1956 "MitigatingFactor": { 1957 "type": "array", "items": {"$type": "string"}}, 1958 "Cause": {"type": "array", "items": {"$type": "string"}}, 1959 "Confidence": {"$ref": "#/definitions/Confidence"}, 1960 "AdditionalData": 
{"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["low","medium","high"]},
        "completion": {"enum":["failed","succeeded"]},
        "type": {
          "enum":["takeover-account","takeover-service","takeover-system",
                  "cps-manipulation","cps-damage","availability-data",
                  "availability-account","availability-service",
                  "availability-system","damaged-system","damaged-data",
                  "breach-proprietary","breach-privacy","breach-credential",
                  "breach-configuration","integrity-data",
                  "integrity-configuration","integrity-hardware",
                  "traffic-redirection","monitoring-traffic",
                  "monitoring-host","policy","unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["none","low","medium","high","unknown","ext-value"]},
        "ext-severity": {"type":"string"},
        "type": {
          "enum":["breach-proprietary","breach-privacy","breach-credential",
                  "loss-of-integrity","loss-of-service","theft-financial",
                  "theft-service","degraded-reputation","asset-damage",
                  "asset-manipulation","legal","extortion","unknown",
                  "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum": ["low","medium","high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required":
["metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum":["low","medium","high"]},
        "currency": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "rating": {
          "enum": ["low","medium","high","numeric","unknown","ext-value"]},
        "ext-rating": {"type":"string"}},
      "required": ["rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "RecordData": {"type": "array",
          "items": {"$ref": "#/definitions/RecordData"}},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["ReportTime"],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor",
                   "infrastructure","ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"]},
        "virtual": {"enum": ["yes","no","unknown"]},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "Service": {
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {"type": "array","items": {"type": "string"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {"type": "string"},
        "Location": {"type": "array","items": {"type": "string"}},
        "Counter": {"type":"array",
          "items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
          "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
                  "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
                  "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","client-partner",
                  "client-remote","client-kiosk","client-mobile",
                  "server-internal","server-public","www","mail","webmail",
                  "messaging","streaming","voice","file","ftp","p2p","name",
                  "directory","credential","print","application","database",
                  "backup","dhcp","assessment","source-control",
                  "config-management","monitoring","infra","infra-firewall",
                  "infra-router","infra-switch","camera","proxy",
                  "remote-access","log","virtualization","pos","scada",
                  "scada-supervisory","sinkhole","honeypot","anonymization",
                  "c2-server","malware-distribution","drop-server",
                  "hop-point","reflector","phishing-site",
                  "spear-phishing-site","recruiting-site",
                  "fraudulent-site","ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
                          "message","event","host","site","organization",
                          "ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "NameServers": {
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
          "$ref": "#/definitions/DomainContacts"}},
      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {"type":"array",
          "items":{"$ref":"#/definitions/Address"}}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {"type":"array",
          "items":{"$ref":"#/definitions/Contact"}}},
      "required": ["Contact"],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "integer"},
        "Portlist": {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {"type": "integer"},
        "ProtoType": {"type": "integer"},
        "ProtoField": {"type": "integer"},
        "ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {"type": "array","items": {"type": "string"}},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "Signature": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {
          "type":"array","items":{"$ref":"#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {"type": "string"},
        "offset": {"type": "integer"},
        "offsetunit": {"enum":["line","byte","ext-value"]},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
                                    "delete-value","modify-key","modify-value",
                                    "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {"type": "string"},
        "FileSize": {"type": "integer"},
        "FileType": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {"type": "array","items": {"type": "string"}},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type":"array","items":{"$ref":"#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
                           "file-pe-resource","file-pdf-object","email-hash",
                           "email-hash-header","email-hash-body"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"type": "string"},
        "DigestValue": {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"type": "string"},
        "IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"},
        "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": ["IndicatorReference"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "RecordData": {"type": "array",
          "items": {"$ref": "#/definitions/RecordData"}},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                          "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
                          "mac","site-url","domain-name","domain-to-ipv4",
                          "domain-to-ipv6","domain-to-ipv4-timestamp",
                          "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
                          "windows-reg-key","file-hash","email-x-mailer",
                          "email-subject","http-user-agent","http-request-url",
                          "mutex","file-path","user-name","ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormat":{
          "$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "array", "items":{"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"]},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "uid-ref": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"type": "string"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {"type": "array","items": {"type": "string"}},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array","items": {"$ref": "#/definitions/Incident"}},
    "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}

                         Figure 3: JSON schema

Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

   Roman Danyliw
   CERT, Software Engineering Institute, Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   Email: rdd@cert.org

   Mio Suzuki
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Email: mio@nict.go.jp