idnits 2.17.1 draft-ietf-mile-jsoniodef-05.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 111 instances of too long lines in the document, the longest
   one being 49 characters in excess of 72.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
   match the current year
== The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119
   boilerplate text.
-- The document date (October 22, 2018) is 1984 days in the past. Is this
   intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to
lower-maturity documents in RFCs)
== Missing Reference: '0-9' is mentioned on line 903, but not defined
== Missing Reference: '0-4' is mentioned on line 903, but not defined
== Missing Reference: '0-5' is mentioned on line 903, but not defined

Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

Run idnits with the --verbose option for more detailed information about the
items above.
--------------------------------------------------------------------------------

MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: April 25, 2019                                             CERT
                                                               M. Suzuki
                                                                    NICT
                                                        October 22, 2018

                      CBOR/JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-05

Abstract

RFC7970 specified an information model and a corresponding XML data
model for exchanging incident and indicator information.  This draft
provides an alternative data model implementation in JSON.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 25, 2019.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.  Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Multilingual Strings
       2.2.2.  Software and SoftwareReference
       2.2.3.  StructuredInfo
       2.2.4.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  Normative References
   Appendix A.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

[RFC7970] defines a data representation for security incident reports
and indicators commonly exchanged by operational security teams.  It
facilitates the automated exchange of this information to enable
mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in
Section 8.  This UML-based information model and XML-based data model
are referred to as IODEF UML and IODEF XML, respectively, in this
document.
This document defines an alternate implementation of the IODEF UML
information model by specifying a JavaScript Object Notation (JSON)
data model using CDDL and JSON Schema [jsonschema].  This JSON data
model is referred to as IODEF JSON in this document.

IODEF JSON provides all of the expressivity of IODEF XML.  It gives
implementers and operators an alternative format in which to exchange
the same information.

The normative IODEF JSON data model is found in Section 5.  Section 2
and Section 3 describe the data types and elements of this data
model.  Section 4 provides examples.

1.1.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

IODEF JSON implements the abstract data types specified in Section 2
of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

IODEF JSON uses native and derived JSON data types.  Figure 1
describes the mapping between the abstract data types in Section 2 of
[RFC7970] and their corresponding implementations in IODEF JSON.
+-----------------+-------------------+-------------------------------+
| IODEF Data Type | [RFC7970]         | JSON Data Type                |
|                 | Reference         |                               |
+-----------------+-------------------+-------------------------------+
| INTEGER         | Section 2.1       | "integer" per [jsonschema]    |
| REAL            | Section 2.2       | "number" per [jsonschema]     |
| CHARACTER       | Section 2.3       | "string" per [jsonschema]     |
| STRING          | Section 2.3       | "string" per [jsonschema]     |
| ML_STRING       | Section 2.4       | see Section 2.2.1             |
| BYTE            | Section 2.5.1     | "string" per [jsonschema]     |
| BYTE[]          | Section 2.5.1     | "string" per [jsonschema]     |
| HEXBIN          | Section 2.5.2     | "string" per [jsonschema]     |
| HEXBIN[]        | Section 2.5.2     | "string" per [jsonschema]     |
| ENUM            | Section 2.6       | "enum" array per [jsonschema] |
| DATETIME        | Section 2.7       | "string" per [jsonschema]     |
| TIMEZONE        | Section 2.8       | "string" per [jsonschema]     |
| PORTLIST        | Section 2.9       | "string" per [jsonschema]     |
| POSTAL          | Section 2.10      | "string" per [jsonschema]     |
|                 |                   | / ML_STRING, Section 2.2.1    |
| PHONE           | Section 2.11      | "string" per [jsonschema]     |
| EMAIL           | Section 2.12      | "string" per [jsonschema]     |
| URL             | Section 2.13      | "string" per [jsonschema]     |
| ID              | Section 2.14      | "string" per [jsonschema]     |
| IDREF           | Section 2.14      | "string" per [jsonschema]     |
| SOFTWARE        | Section 2.15      | see Section 2.2.2             |
| STRUCTURED      | RFC 7203          | see Section 2.2.3             |
| EXTENSION       | Section 2.16      | see Section 2.2.4             |
+-----------------+-------------------+-------------------------------+

                                Figure 1

+-----------------+------------------+-------------------------------------+
| IODEF Data Type | CBOR Data Type   | CDDL prelude                        |
|                 |                  | [draft-ietf-cbor-cddl-05] Reference |
+-----------------+------------------+-------------------------------------+
| INTEGER         | 6 tag 2, 6 tag 3 | integer                             |
| REAL            | 7 bits 26        | float32                             |
| CHARACTER       | 3 text string    | text                                |
| STRING          | 3 text string    | text                                |
| ML_STRING       | 5 map            | see Maps/Structs, Section 3.5.1     |
| BYTE            | 6 tag 22         | eb64legacy                          |
| BYTE[]          | 6 tag 22         | eb64legacy                          |
| HEXBIN          | 2 byte string    | bytes                               |
| HEXBIN[]        | 2 byte string    | bytes                               |
| ENUM            | -                | see Choices, Section 2.2.2          |
| DATETIME        | 6 tag 0          | tdate                               |
| TIMEZONE        | 3 text string    | text                                |
| PORTLIST        | 3 text string    | text                                |
| POSTAL          | 3 text string    | text                                |
|                 |                  | / see Maps/Structs, Section 3.5.1   |
| PHONE           | 3 text string    | text                                |
| EMAIL           | 3 text string    | text                                |
| URL             | 6 tag 32         | uri                                 |
| ID              | 3 text string    | text                                |
| IDREF           | 3 text string    | text                                |
| SOFTWARE        | 5 map            | see Maps/Structs, Section 3.5.1     |
| STRUCTURED      | 5 map            | see Maps/Structs, Section 3.5.1     |
| EXTENSION       | 5 map            | see Maps/Structs, Section 3.5.1     |
+-----------------+------------------+-------------------------------------+

                                Figure 2

2.2.  Complex JSON Types

2.2.1.  Multilingual Strings

A string that must be expressed in a human-readable language other
than the default encoding of the document is represented in the
information model by the ML_STRING data type.  This data type is
implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 5.  An example is shown below.

   "MLStringType": {
     "value": "free-form text",      //STRING
     "lang": "en",                   //ENUM
     "translation-id": "jp2en0023"   //STRING
   }

2.2.2.  Software and SoftwareReference

A particular version of software is represented in the information
model by the SOFTWARE data type.  This software can be described by a
reference, a URL, or free-form text.  The SOFTWARE data type is
implemented as an object with "SoftwareReference", "URL", and
"Description" elements as defined in Section 5.  Examples are shown
below.
   "SoftwareType": {
     "SoftwareReference": {...},     //SoftwareReference
     "Description": ["MS Windows"]   //STRING
   }

The SoftwareReference class is a reference to a particular version of
software.  An example is shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   //STRING
     "spec-name": "cpe",                               //ENUM
     "dtype": "string"                                 //ENUM
   }

2.2.3.  StructuredInfo

Information provided as a structured string, such as an ID, or as
structured data, such as an XML document, is represented in the
information model by the StructuredInfo data type.  Note that this
type was originally specified in RFC7203.  The StructuredInfo data
type is implemented as an object with "SpecID", "ext-SpecID",
"ContentID", "RawData", and "Reference" elements.  An example
embedding a structured ID is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                //ENUM
     "ContentID": "CVE-2007-5000"    //STRING
   }

When embedding raw data, the data should be base64-encoded, as shown
below.

   "StructuredInformation": {
     "SpecID": "oval",     //ENUM
     "RawData": "<<>>"     //BYTE
   }

2.2.4.  EXTENSION

Information not otherwise represented in the IODEF can be added using
the EXTENSION data type.  This data type is a generic extension
mechanism.  The EXTENSION data type is implemented as an
ExtensionType object with "value", "name", "dtype", "ext-dtype",
"meaning", "formatid", "restriction", "ext-restriction", and
"observable-id" elements.  An example embedding a syslog record is
shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                    //STRING
     "name": "Syslog",                                      //STRING
     "dtype": "string",                                     //STRING
     "meaning": "Syslog from the security appliance X"      //STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

The following table lists the IODEF classes, their elements and
attributes, and the corresponding section in [RFC7970].  Note that
the complete data model is defined in Section 5 using CDDL.  A
trailing "?" marks an optional member, "*" zero or more, and "+" one
or more.

+-----------------------------+----------------------------------------+-----------+
| IODEF Class                 | Class Elements and Attributes          | Section   |
|                             |                                        | in        |
|                             |                                        | [RFC7970] |
+-----------------------------+----------------------------------------+-----------+
| IODEF-Document              | version, lang?, format-id?,            | 3.1       |
|                             | private-enum-name?, private-enum-id?, |           |
|                             | Incident+, AdditionalData*             |           |
+-----------------------------+----------------------------------------+-----------+
| Incident                    | purpose, ext-purpose?, status?,        | 3.2       |
|                             | ext-status?, lang?, restriction?,      |           |
|                             | ext-restriction?, observable-id?,      |           |
|                             | IncidentID, AlternativeID?,            |           |
|                             | RelatedActivity*, DetectTime?,         |           |
|                             | StartTime?, EndTime?, RecoveryTime?,   |           |
|                             | ReportTime?, GenerationTime,           |           |
|                             | Description*, Discovery*, Assessment*, |           |
|                             | Method*, Contact+, EventData*,         |           |
|                             | Indicator*, History?, AdditionalData*  |           |
+-----------------------------+----------------------------------------+-----------+
| IncidentID                  | id, name, instance?, restriction?,     | 3.4       |
|                             | ext-restriction?                       |           |
+-----------------------------+----------------------------------------+-----------+
| AlternativeID               | restriction?, ext-restriction?,        | 3.5       |
|                             | IncidentID+                            |           |
+-----------------------------+----------------------------------------+-----------+
| RelatedActivity             | restriction?, ext-restriction?,        | 3.6       |
|                             | IncidentID*, URL*, ThreatActor*,       |           |
|                             | Campaign*, IndicatorID*, Confidence?,  |           |
|                             | Description*, AdditionalData*          |           |
+-----------------------------+----------------------------------------+-----------+
| ThreatActor                 | restriction?, ext-restriction?,        | 3.7       |
|                             | ThreatActorID*, URL*, Description*,    |           |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| Campaign                    | restriction?, ext-restriction?,        | 3.8       |
|                             | CampaignID*, URL*, Description*,       |           |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| Contact                     | role, ext-role?, type, ext-type?,      | 3.9       |
|                             | restriction?, ext-restriction?,        |           |
|                             | ContactName*, ContactTitle*,           |           |
|                             | Description*, RegistryHandle*,         |           |
|                             | PostalAddress*, Email*, Telephone*,    |           |
|                             | Timezone?, Contact*, AdditionalData*   |           |
+-----------------------------+----------------------------------------+-----------+
| RegistryHandle              | handle, registry, ext-registry?        | 3.9.1     |
+-----------------------------+----------------------------------------+-----------+
| PostalAddress               | type?, ext-type?, PAddress,            | 3.9.2     |
|                             | Description*                           |           |
+-----------------------------+----------------------------------------+-----------+
| Email                       | type?, ext-type?, EmailTo,             | 3.9.3     |
|                             | Description*                           |           |
+-----------------------------+----------------------------------------+-----------+
| Telephone                   | type?, ext-type?, TelephoneNumber,     | 3.9.4     |
|                             | Description*                           |           |
+-----------------------------+----------------------------------------+-----------+
| Discovery                   | source?, ext-source?, restriction?,    | 3.10      |
|                             | ext-restriction?, Description*,        |           |
|                             | Contact*, DetectionPattern*            |           |
+-----------------------------+----------------------------------------+-----------+
| DetectionPattern            | restriction?, ext-restriction?,        | 3.10.1    |
|                             | observable-id?, Application,           |           |
|                             | Description*, DetectionConfiguration*  |           |
+-----------------------------+----------------------------------------+-----------+
| Method                      | restriction?, ext-restriction?,        | 3.11      |
|                             | Reference*, Description*,              |           |
|                             | AttackPattern*, Vulnerability*,        |           |
|                             | Weakness*, AdditionalData*             |           |
+-----------------------------+----------------------------------------+-----------+
| Reference                   | observable-id?, ReferenceName?, URL*,  | 3.11.1    |
|                             | Description*                           |           |
+-----------------------------+----------------------------------------+-----------+
| Assessment                  | occurrence?, restriction?,             | 3.12      |
|                             | ext-restriction?, observable-id?,      |           |
|                             | IncidentCategory*, SystemImpact*,      |           |
|                             | BusinessImpact*, TimeImpact*,          |           |
|                             | MonetaryImpact*, IntendedImpact*,      |           |
|                             | Counter*, MitigatingFactor*, Cause*,   |           |
|                             | Confidence?, AdditionalData*           |           |
+-----------------------------+----------------------------------------+-----------+
| SystemImpact                | severity?, completion?, type,          | 3.12.1    |
|                             | ext-type?, Description*                |           |
+-----------------------------+----------------------------------------+-----------+
| BusinessImpact              | severity?, ext-severity?, type,        | 3.12.2    |
|                             | ext-type?, Description*                |           |
+-----------------------------+----------------------------------------+-----------+
| TimeImpact                  | value, severity?, metric, ext-metric?, | 3.12.3    |
|                             | duration?, ext-duration?               |           |
+-----------------------------+----------------------------------------+-----------+
| MonetaryImpact              | value, severity?, currency?            | 3.12.4    |
+-----------------------------+----------------------------------------+-----------+
| Confidence                  | value, rating, ext-rating?             | 3.12.5    |
+-----------------------------+----------------------------------------+-----------+
| History                     | restriction?, ext-restriction?,        | 3.13      |
|                             | HistoryItem+                           |           |
+-----------------------------+----------------------------------------+-----------+
| HistoryItem                 | action, ext-action?, restriction?,     | 3.13.1    |
|                             | ext-restriction?, observable-id?,      |           |
|                             | DateTime, IncidentID?, Contact?,       |           |
|                             | Description*, DefinedCOA*,             |           |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| EventData                   | restriction?, ext-restriction?,        | 3.14      |
|                             | observable-id?, Description*,          |           |
|                             | DetectTime?, StartTime?, EndTime?,     |           |
|                             | RecoveryTime?, ReportTime?, Contact*,  |           |
|                             | Discovery*, Assessment?, Method*,      |           |
|                             | System*, Expectation*, RecordData*,    |           |
|                             | EventData*, AdditionalData*            |           |
+-----------------------------+----------------------------------------+-----------+
| Expectation                 | action?, ext-action?, severity?,       | 3.15      |
|                             | restriction?, ext-restriction?,        |           |
|                             | Description*, DefinedCOA*,             |           |
|                             | StartTime?, EndTime?, Contact?         |           |
+-----------------------------+----------------------------------------+-----------+
| System                      | category?, ext-category?, interface?,  | 3.16      |
|                             | spoofed?, virtual?, ownership?,        |           |
|                             | ext-ownership?, restriction?,          |           |
|                             | ext-restriction?, Node, NodeRole*,     |           |
|                             | Service*, OperatingSystem*, Counter*,  |           |
|                             | AssetID*, Description*,                |           |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| Node                        | DomainData*, Address*, PostalAddress?, | 3.17      |
|                             | Location*, Counter*                    |           |
+-----------------------------+----------------------------------------+-----------+
| Address                     | value, category, ext-category?,        | 3.17.1    |
|                             | vlan-name?, vlan-num?, observable-id?  |           |
+-----------------------------+----------------------------------------+-----------+
| NodeRole                    | category, ext-category?, Description*  | 3.17.2    |
+-----------------------------+----------------------------------------+-----------+
| Counter                     | value, type, ext-type?, unit,          | 3.17.3    |
|                             | ext-unit?, meaning?, duration?,        |           |
|                             | ext-duration?                          |           |
+-----------------------------+----------------------------------------+-----------+
| DomainData                  | system-status, ext-system-status?,     | 3.18      |
|                             | domain-status, ext-domain-status?,     |           |
|                             | observable-id?, Name,                  |           |
|                             | DateDomainWasChecked?,                 |           |
|                             | RegistrationDate?, ExpirationDate?,    |           |
|                             | RelatedDNS*, Nameservers*,             |           |
|                             | DomainContacts?                        |           |
+-----------------------------+----------------------------------------+-----------+
| Nameserver                  | Server, Address*                       | 3.18.1    |
+-----------------------------+----------------------------------------+-----------+
| DomainContacts              | SameDomainContact?, Contact+           | 3.18.2    |
+-----------------------------+----------------------------------------+-----------+
| Service                     | ip-protocol?, observable-id?,          | 3.19      |
|                             | ServiceName?, Port?, Portlist?,        |           |
|                             | ProtoCode?, ProtoType?, ProtoField?,   |           |
|                             | ApplicationHeaderField*, EmailData?,   |           |
|                             | Application?                           |           |
+-----------------------------+----------------------------------------+-----------+
| ServiceName                 | IANAService?, URL*, Description*       | 3.19.1    |
+-----------------------------+----------------------------------------+-----------+
| EmailData                   | observable-id?, EmailTo*, EmailFrom?,  | 3.19.2    |
|                             | EmailSubject?, EmailX-Mailer?,         |           |
|                             | EmailHeaderField*, EmailHeaders?,      |           |
|                             | EmailBody?, EmailMessage?, HashData*,  |           |
|                             | Signature*                             |           |
+-----------------------------+----------------------------------------+-----------+
| RecordData                  | restriction?, ext-restriction?,        | 3.19.3    |
|                             | observable-id?, DateTime?,             |           |
|                             | Description*, Application?,            |           |
|                             | RecordPattern*, RecordItem*, URL*,     |           |
|                             | FileData*,                             |           |
|                             | WindowsRegistryKeysModified*,          |           |
|                             | CertificateData*, AdditionalData*      |           |
+-----------------------------+----------------------------------------+-----------+
| RecordPattern               | type, ext-type?, offset?, offsetunit?, | 3.19.4    |
|                             | ext-offsetunit?, instance?, value      |           |
+-----------------------------+----------------------------------------+-----------+
| WindowsRegistryKeysModified | observable-id?, Key+                   | 3.20      |
+-----------------------------+----------------------------------------+-----------+
| Key                         | registryaction?, ext-registryaction?,  | 3.20.1    |
|                             | observable-id?, KeyName, KeyValue?     |           |
+-----------------------------+----------------------------------------+-----------+
| CertificateData             | restriction?, ext-restriction?,        | 3.21      |
|                             | observable-id?, Certificate+           |           |
+-----------------------------+----------------------------------------+-----------+
| Certificate                 | observable-id?, X509Data, Description* | 3.21.1    |
+-----------------------------+----------------------------------------+-----------+
| FileData                    | restriction?, ext-restriction?,        | 3.22      |
|                             | observable-id?, File+                  |           |
+-----------------------------+----------------------------------------+-----------+
| File                        | observable-id?, FileName?, FileSize?,  | 3.22.1    |
|                             | FileType?, URL*, HashData?,            |           |
|                             | Signature*, AssociatedSoftware?,       |           |
|                             | FileProperties*                        |           |
+-----------------------------+----------------------------------------+-----------+
| HashData                    | scope, HashTargetID?, Hash*,           | 3.23      |
|                             | FuzzyHash*                             |           |
+-----------------------------+----------------------------------------+-----------+
| Hash                        | DigestMethod, DigestValue,             | 3.23.1    |
|                             | CanonicalizationMethod?, Application?  |           |
+-----------------------------+----------------------------------------+-----------+
| FuzzyHash                   | FuzzyHashValue+, Application?,         | 3.23.2    |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| Indicator                   | restriction?, ext-restriction?,        | 3.24      |
|                             | IndicatorID, AlternativeIndicatorID*,  |           |
|                             | Description*, StartTime?, EndTime?,    |           |
|                             | Confidence?, Contact*, Observable?,    |           |
|                             | uid-ref?, IndicatorExpression?,        |           |
|                             | IndicatorReference?, NodeRole*,        |           |
|                             | AttackPhase*, Reference*,              |           |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+
| IndicatorID                 | id, name, version                      | 3.24.1    |
+-----------------------------+----------------------------------------+-----------+
| AlternativeIndicatorID      | restriction?, ext-restriction?,        | 3.24.2    |
|                             | IndicatorReference+                    |           |
+-----------------------------+----------------------------------------+-----------+
| Observable                  | restriction?, ext-restriction?,        | 3.24.3    |
|                             | System?, Address?, DomainData?,        |           |
|                             | Service?, EmailData?,                  |           |
|                             | WindowsRegistryKeysModified?,          |           |
|                             | FileData?, CertificateData?,           |           |
|                             | RegistryHandle?, RecordData?,          |           |
|                             | EventData?, Incident?, Expectation?,   |           |
|                             | Reference?, Assessment?,               |           |
|                             | DetectionPattern?, HistoryItem?,       |           |
|                             | BulkObservable?, AdditionalData*       |           |
+-----------------------------+----------------------------------------+-----------+
| BulkObservable              | type?, ext-type?,                      | 3.24.4    |
|                             | BulkObservableFormat?,                 |           |
|                             | BulkObservableList, AdditionalData*    |           |
+-----------------------------+----------------------------------------+-----------+
| BulkObservableFormat        | Hash?, AdditionalData*                 | 3.24.5    |
+-----------------------------+----------------------------------------+-----------+
| IndicatorExpression         | operator?, ext-operator?,              | 3.24.6    |
|                             | IndicatorExpression*, Observable*,     |           |
|                             | uid-ref*, IndicatorReference*,         |           |
|                             | Confidence?, AdditionalData*           |           |
+-----------------------------+----------------------------------------+-----------+
| IndicatorReference          | uid-ref?, euid-ref?, version?          | 3.24.7    |
+-----------------------------+----------------------------------------+-----------+
| AttackPhase                 | AttackPhaseID*, URL*, Description*,    | 3.24.8    |
|                             | AdditionalData*                        |           |
+-----------------------------+----------------------------------------+-----------+

3.2.  Mapping between JSON and XML IODEF

o  This document treats the attributes and elements of each class
   defined in [RFC7970] equally and is agnostic about the order in
   which they appear.
o  The Flow class is deleted; classes that contained Flow instances
   now directly contain the EventData instances that used to belong
   to the Flow class.

o  The ApplicationHeader class is deleted; classes that contained it
   now directly contain the ApplicationHeaderField instances that
   used to belong to the ApplicationHeader class.

o  The SignatureData class is deleted; classes that contained it now
   directly contain the Signature instances that used to belong to
   the SignatureData class.

o  The IndicatorData class is deleted; classes that contained it now
   directly contain the Indicator instances that used to belong to
   the IndicatorData class.

o  The ObservableReference class is deleted; classes that contained
   it now directly carry uid-ref as an element.

o  The Record class is replaced by the RecordData class, and the
   RecordData class is renamed to the Record class.

o  The Record class is deleted; classes that contained it now
   directly contain the RecordData instances that used to belong to
   the Record class.

o  Elements of ML_STRING type are accepted in two forms: a plain
   STRING or an ML_STRING object, so that IODEF documents written
   with STRING-type characters only remain simple.

4.  Examples

This section provides examples of IODEF documents.  These examples
do not represent the full capabilities of the data model or the only
way to encode particular information.

4.1.  Minimal Example

A document containing only the mandatory elements and attributes.
   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }]
     }]
   }

4.2.  Indicators from a Campaign

An example of C2 domains from a given campaign.  Member names and
cardinalities follow the CDDL in Section 5 (Incident, Contact and
Indicator arrays; ThreatActorID, CampaignID, ContactName and
Description as arrays; BulkObservableList inside BulkObservable).

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "watch",
         "restriction": "green",
         "IncidentID": {
           "id": "897923",
           "name": "csirt.example.com"
         },
         "RelatedActivity": [
           {
             "ThreatActor": [
               {
                 "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
                 "Description": ["Aggressive Butterfly"]
               }
             ],
             "Campaign": [
               {
                 "CampaignID": ["C-2015-59405"],
                 "Description": ["Orange Giraffe"]
               }
             ]
           }
         ],
         "GenerationTime": "2015-10-02T11:18:00-05:00",
         "Description": [
           "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
         ],
         "Assessment": [
           {
             "BusinessImpact": [
               {
                 "type": "breach-proprietary"
               }
             ]
           }
         ],
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "ContactName": ["CSIRT for example.com"],
             "Email": [
               {
                 "EmailTo": "contact@csirt.example.com"
               }
             ]
           }
         ],
         "Indicator": [
           {
             "IndicatorID": {
               "id": "G90823490",
               "name": "csirt.example.com",
               "version": "1"
             },
             "Description": ["C2 domains"],
             "StartTime": "2014-12-02T11:18:00-05:00",
             "Observable": {
               "BulkObservable": {
                 "type": "fqdn",
                 "BulkObservableList": [
                   "kj290023j09r34.example.com",
                   "09ijk23jfj0k8.example.net",
                   "klknjwfjiowjefr923.example.org",
                   "oimireik79msd.example.org"
                 ]
               }
             }
           }
         ]
       }
     ]
   }

5.  The IODEF Data Model (CDDL)

   start = iodef

   ;;; iodef.json: IODEF-Document

   iodef = {
     version: text
     ? lang: lang
     ? format-id: text
     ? private-enum-name: text
     ? private-enum-id: text
     Incident: [+ Incident]
     ? AdditionalData: [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"

   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp "\d+(\-\d+)?(,\d+(\-\d+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   MLStringType = {
     value: text
     ? lang: lang
     ? translation-id: text
   }

   PositiveFloatType = {
     value: float32 .gt 0
   }

   PAddressType = MLStringType

   ExtensionType = {
     value: text
     ? name: text
     dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
            "ntpstamp" / "integer" / "portlist" / "real" / "string" /
            "file" / "path" / "frame" / "packet" / "ipv4-packet" /
            "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
            .default "string"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
   }

   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: [+ uri]
     ? Description: [+ text / MLStringType]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
              .default "string"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: tdate
     ? StartTime: tdate
     ? EndTime: tdate
     ? RecoveryTime: tdate
     ? ReportTime: tdate
     GenerationTime: tdate
     ? Description: [+ text / MLStringType]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ? AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ uri]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ uri]
     ? Description: [+ text / MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ uri]
     ? Description: [+ text / MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ContactName: [+ text / MLStringType]
     ? ContactTitle: [+ text / MLStringType]
     ? Description: [+ text / MLStringType]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: TimeZonetype
     ? Contact: [+ Contact]
     ? AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" /
               "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: text
     ? ext-type: text
     PAddress: PAddressType
     ? Description: [+ text / MLStringType]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ? ext-type: text
     EmailTo: text
     ? Description: [+ text / MLStringType]
   }

   Telephone = {
     ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
     ? ext-type: text
     TelephoneNumber: text
     ? Description: [+ text / MLStringType]
   }

   Discovery = {
     ?
source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / 1084 "incident" / "os-log" / "application-log" / "device-log" / 1085 "network-flow" / "passive-dns" / "investiation" / "audit" / 1086 "international-notification" / "external-notification" / 1087 "leo" / "partner" / "actor" / "unknown" / "ext-value" 1088 ? ext-source: text 1089 ? restriction: restriction .default "private" 1090 ? ext-restriction: text 1091 ? Description: [+ text / MLStringType] 1092 ? Contact: [+ Contact] 1093 ? DetectionPattern: [+ DetectionPattern] 1094 } 1096 DetectionPattern = { 1097 ? restriction: restriction .default "private" 1098 ? ext-restriction: text 1099 ? observable-id: IDtype 1100 Application: SoftwareType 1101 ? Description: [+ text / MLStringType] 1102 ? DetectionConfiguration: [+ text] 1103 } 1105 Method = { 1106 ? restriction: restriction .default "private" 1107 ? ext-restriction: text 1108 ? Reference: [+ Reference] 1109 ? Description: [+ text / MLStringType] 1110 ? AttackPattern: [+ StructuredInformation] 1111 ? Vulnerability: [+ StructuredInformation] 1112 ? Weakness: [+ StructuredInformation] 1113 ? AdditionalData: [+ ExtensionType] 1114 } 1116 StructuredInformation = { 1117 specID: text 1118 ? ext-specID: text 1119 ? contentID: text 1120 ? RawData: any 1121 ? URL: uri 1122 } 1124 Reference = { 1125 ? observable-id: IDtype 1126 ? ReferenceName: ReferenceName 1127 ? URL: [+ uri] 1128 ? Description: [+ text / MLStringType] 1129 } 1131 ReferenceName = { 1132 specIndex: integer 1133 ID: IDtype 1134 } 1136 Assessment = { 1137 ? occurrence: "actual" / "potential" 1138 ? restriction: restriction .default "private" 1139 ? ext-restriction: text 1140 ? observable-id: IDtype 1141 ? IncidentCategory: [+ text / MLStringType] 1142 Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} / 1143 {TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} / 1144 {MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}] 1145 ? 
Counter: [+ Counter] 1146 ? MitigatingFactor: [+ text / MLStringType] 1147 ? Cause: [+ text / MLStringType] 1148 ? Confidence: Confidence 1149 ? AdditionalData: [+ ExtensionType] 1150 } 1152 SystemImpact = { 1153 ? severity: "low" / "medium" / "high" 1154 ? completion: "failed" / "succeeded" 1155 type: "takeover-account" / "takeover-service" / "takeover-system" / 1156 "cps-manipulation" / "cps-damage" / "availability-data" / 1157 "availability-account" / "availability-service" / 1158 "availability-system" / "damaged-system" / "damaged-data" / 1159 "breach-proprietary" / "breach-privacy" / "breach-credential" / 1160 "breack-configuration" / "integrity-data" / 1161 "integrity-configuration" / "integrity-hardware" / 1162 "traffic-redirection" / "monitoring-traffic" / "monitoring-host" / 1163 "policy" / "unknown" / "ext-value" .default "unknown" 1164 ? ext-type: text 1165 ? Description: [+ text / MLStringType] 1166 } 1168 BusinessImpact = { 1169 ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown" 1170 ? ext-severity: text 1171 type: "breach-proprietary" / "breach-privacy" / "breach-credential" / 1172 "loss-of-integrity" / "loss-of-service" / "theft-financial" / 1173 "theft-service" / "degraded-reputation" / "asset-damage" / 1174 "asset-manipulation" / "legal" / "extortion" / "unknown" / 1175 "ext-value" .default "unknown" 1176 ? ext-type: text 1177 ? Description: [+ text / MLStringType] 1178 } 1180 TimeImpact = { 1181 value: PositiveFloatType 1182 ? severity: "low" / "medium" / "high" 1183 metric: "labor" / "elapsed" / "downtime" / "ext-value" 1184 ? ext-metric: text 1185 ? duration: duration .default "hour" 1186 ? ext-duration: text 1187 } 1189 MonetaryImpact = { 1190 value: PositiveFloatType 1191 ? severity: "low" / "medium" / "high" 1192 ? currency: text 1193 } 1195 Confidence = { 1196 value: float32 1197 rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" 1198 ? 
ext-rating: text 1199 } 1201 History = { 1202 ? restriction: restriction .default "private" 1203 ? ext-restriction: text 1204 HistoryItem: [+ HistoryItem] 1205 } 1207 HistoryItem = { 1208 action: action .default "other" 1209 ? ext-action: text 1210 ? restriction: restriction .default "private" 1211 ? ext-restriction: text 1212 ? observable-id: IDtype 1213 DateTime: tdate 1214 ? IncidentID: IncidentID 1215 ? Contact: Contact 1216 ? Description: [+ text / MLStringType] 1217 ? DefinedCOA: [+ text] 1218 ? AdditionalData: [+ ExtensionType] 1219 } 1221 EventData = { 1222 ? restriction: restriction .default "default" 1223 ? ext-restriction: text 1224 ? observable-id: IDtype 1225 ? Description: [+ text / MLStringType] 1226 ? DetectTime: tdate 1227 ? StartTime: tdate 1228 ? EndTime: tdate 1229 ? RecoveryTime: tdate 1230 ? ReportTime: tdate 1231 ? Contact: [+ Contact] 1232 ? Discovery: [+ Discovery] 1233 ? Assessment: Assessment 1234 ? Method: [+ Method] 1235 ? System: [+ System] 1236 ? Expectation: [+ Expectation] 1237 ? RecordData: [+ RecordData] 1238 ? EventData: [+ EventData] 1239 ? AdditionalData: [+ ExtensionType] 1240 } 1242 Expectation = { 1243 ? action: action .default "other" 1244 ? ext-action: text 1245 ? severity: "low" / "medium" / "high" 1246 ? restriction: restriction .default "default" 1247 ? ext-restriction: text 1248 ? observable-id: IDtype 1249 ? Description: [+ text / MLStringType] 1250 ? DefinedCOA: [+ text] 1251 ? StartTime: tdate 1252 ? EndTime: tdate 1253 ? Contact: Contact 1254 } 1256 System = { 1257 ? category: "source" / "target" / "intermediate" / "sensor" / 1258 "infrastructure" / "ext-value" 1259 ? ext-category: text 1260 ? interface: text 1261 ? spoofed: "unknown" / "yes" / "no" .default "unknown" 1262 ? virtual: "yes" / "no" / "unknown" .default "unknown" 1263 ? ownership: "organization" / "personal" / "partner" / "customer" / 1264 "no-relationship" / "unknown" / "ext-value" 1265 ? ext-ownership: text 1266 ? 
restriction: restriction .default "private" 1267 ? ext-restriction: text 1268 ? observable-id: IDtype 1269 Node: Node 1270 ? NodeRole: [+ NodeRole] 1271 ? Service: [+ Service] 1272 ? OperatingSystem: [+ SoftwareType] 1273 ? Counter: [+ Counter] 1274 ? AssetID: [+ text] 1275 ? Description: [+ text / MLStringType] 1276 ? AdditionalData: [+ ExtensionType] 1277 } 1279 Node = { 1280 ? DomainData: [+ DomainData] 1281 ? Address: [+ Address] 1282 ? PostalAddress: PAddressType 1283 ? Location: [+ text / MLSTringType] 1284 ? Counter: [+ Counter] 1285 } 1287 Address = { 1288 value: text 1289 category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 1290 "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / 1291 "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / 1292 "ext-value" .default "ipv6-addr" 1293 ? ext-category: text 1294 ? vlan-name: text 1295 ? vlan-num: integer 1296 ? observable-id: IDtype 1297 } 1298 NodeRole = { 1299 category: "client" / "client-enterprise" / "clent-partner" / 1300 "client-remote" / "client-kiosk" / "client-mobile" / 1301 "server-internal" / "server-public" / "www" / "mail" / 1302 "webmail" / "messaging" / "streaming" / "voice" / "file" / 1303 "ftp" / "p2p" / "name" / "directory" / "credential" / 1304 "print" / "application" / "database" / "backup" / "dhcp" / 1305 "assessment" / "source-control" / "config-management" / 1306 "monitoring" / "infra" / "infra-firewall" / "infra-router" / 1307 "infra-switch" / "camera" / "proxy" / "remote-access" / 1308 "log" / "virtualization" / "pos" / "scada" / 1309 "scada-supervisory" / "sinkhole" / "honeypot" / 1310 "anomyzation" / "c2-server" / "malware-distribution" / 1311 "drop-server" / "hot-point" / "reflector" / 1312 "phishing-site" / "spear-phishing-site" / "recruiting-site" / 1313 "fraudulent-site" / "ext-value" 1314 ? ext-category: text 1315 ? Description: [+ text / MLStringType] 1316 } 1318 Counter = { 1319 value: float32 1320 type: "count" / "peak" / "average" / "ext-value" 1321 ? 
ext-type: text 1322 unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / 1323 "message" / "event" / "host" / "site" / "organization" / 1324 "ext-value" 1325 ? ext-unit: text 1326 ? meaning: text / MLStringTYpe 1327 ? duration: duration .default "hour" 1328 ? ext-duration: text 1329 } 1331 DomainData = { 1332 system-status: "spoofed" / "fraudulent" / "innocent-hacked" / 1333 "innocent-hijacked" / "unknown" / "ext-value" 1334 ? ext-system-status: text 1335 domain-status: "reservedDelegation" / "assignedAndActive" / 1336 "assignedAndInactive" / "assignedAndOnHold" / 1337 "revoked" / "transferPending" / "registryLock" / 1338 "registrarLock" / "other" / "unknown" / "ext-value" 1339 ? ext-domain-status: text 1340 ? observable-id: IDtype 1341 Name: text 1342 ? DateDomainWasChecked: tdate 1343 ? RegistrationDate: tdate 1344 ? ExpirationDate: tdate 1345 ? RelatedDNS: [+ ExtensionType] 1346 ? NameServers: [+ NameServers] 1347 ? DomainContacts: DomainContacts 1348 } 1350 NameServers = { 1351 Server: text 1352 Address: [+ Address] 1353 } 1355 DomainContacts = { 1356 ? SameDomainContact: text 1357 Contact: [+ Contact] 1358 } 1360 Service = { 1361 ? ip-protocol: integer 1362 ? observable-id: IDtype 1363 ? ServiceName: ServiceName 1364 ? Port: integer 1365 ? Portlist: PortlistType 1366 ? ProtoCode: integer 1367 ? ProtoType: integer 1368 ? ProtoField: integer 1369 ? ApplicationHeaderField: [+ ExtensionType] 1370 ? EmailData: EmailData 1371 ? Application: SoftwareType 1372 } 1374 ServiceName = { 1375 ? IANAService: text 1376 ? URL: [+ uri] 1377 ? Description: [+ text / MLStringType] 1378 } 1380 EmailData = { 1381 ? observable-id: IDtype 1382 ? EmailTo: [+ text] 1383 ? EmailFrom: text 1384 ? EmailSubject: text 1385 ? EmailX-Mailer: text 1386 ? EmailHeaderField: [+ ExtensionType] 1387 ? EmailHeaders: text 1388 ? EmailBody: text 1389 ? EmailMessage: text 1390 ? HashData: [+ HashData] 1391 ? Signature: [+ text] 1392 } 1393 RecordData = { 1394 ? 
restriction: restriction .default "private" 1395 ? ext-restriction: text 1396 ? observable-id: IDtype 1397 ? DateTime: tdate 1398 ? Description: [+ text / MLStringType] 1399 ? Applicadtion: SoftwareType 1400 ? RecordPattern: [+ RecordPattern] 1401 ? RecordItem: [+ ExtensionType] 1402 ? URL: [+ uri] 1403 ? FileData: [+ FileData] 1404 ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] 1405 ? CertificateData: [+ CertificateData] 1406 ? AdditionalData: [+ ExtensionType] 1407 } 1409 RecordPattern = { 1410 value: text 1411 type: "regex" / "binary" / "xpath" / "ext-value" .default "regex" 1412 ? ext-type: text 1413 ? offset: integer 1414 ? offsetunit: "line" / "byte" / "ext-value" .default "line" 1415 ? ext-offsetunit: text 1416 ? instance: integer 1417 } 1419 WindowsRegistryKeysModified = { 1420 ? observable-id: IDtype 1421 Key: [+ Key] 1422 } 1424 Key = { 1425 ? registryaction: "add-key" / "add-value" / "delete-key" / 1426 "delete-value" / "modify-key" / "modify-value" / 1427 "ext-value" 1428 ? ext-registryaction: text 1429 ? observable-id: IDtype 1430 KeyName: text 1431 ? KeyValue: text 1432 } 1434 CertificateData = { 1435 ? restriction: restriction .default "private" 1436 ? ext-restriction: text 1437 ? observable-id: IDtype 1438 Certificate: [+ Certificate] 1439 } 1440 Certificate = { 1441 ? observable-id: IDtype 1442 X509Data: text 1443 ? Description: [+ text / MLStringType] 1444 } 1446 FileData = { 1447 ? restriction: restriction .default "private" 1448 ? ext-restriction: text 1449 ? observable-id: IDtype 1450 File: [+ File] 1451 } 1453 File = { 1454 ? observable-id: IDtype 1455 ? FileName: text 1456 ? FileSize: integer 1457 ? FileType: text 1458 ? URL: [+ uri] 1459 ? HashData: HashData 1460 ? Signature: [+ text] 1461 ? AssociatedSoftware: SoftwareType 1462 ? 
FileProperties: [+ ExtensionType] 1463 } 1465 HashData = { 1466 scope: "file-contents" / "file-pe-section" / "file-pe-iat" / 1467 "file-pe-resource" / "file-pdf-object" / "email-hash" / 1468 "email-hash-header" / "email-hash-body" 1469 ? HashTargetID: text 1470 ? Hash: [+ Hash] 1471 ? FuzzyHash: [+ FuzzyHash] 1472 } 1474 Hash = { 1475 DigestMethod: text 1476 DigestValue: text 1477 ? CanonicalizationMethod: any 1478 ? Application: SoftwareType 1479 } 1481 FuzzyHash = { 1482 FuzzyHashValue: [+ ExtensionType] 1483 ? Application: SoftwareType 1484 ? AdditionalData: [+ ExtensionType] 1485 } 1487 Indicator = { 1488 ? restriction: restriction .default "private" 1489 ? ext-restriction: text 1490 IndicatorID: IndicatorID 1491 ? AlternativeIndicatorID: [+ AlternativeIndicatorID] 1492 ? Description: [+ text / MLStringType] 1493 ? StartTime: tdate 1494 ? EndTime: tdate 1495 ? Confidence: Confidence 1496 ? Contact: [+ Contact] 1497 ? Observable: Observable 1498 ? uid-ref: IDREFType 1499 ? IndicatorExpression: IndicatorExpression 1500 ? IndicatorReference: IndicatorReference 1501 ? NodeRole: [+ NodeRole] 1502 ? AttackPhase: [+ AttackPhase] 1503 ? Reference: [+ Reference] 1504 ? AdditionalData: [+ ExtensionType] 1505 } 1507 IndicatorID = { 1508 id: IDtype 1509 name: text 1510 version: text 1511 } 1513 AlternativeIndicatorID = { 1514 ? restriction: restriction .default "private" 1515 ? ext-restriction: text 1516 IndicatorReference: [+ IndicatorReference] 1517 } 1519 Observable = { 1520 ? restriction: restriction .default "private" 1521 ? ext-restriction: text 1522 ? System: System 1523 ? Address: Address 1524 ? DomainData: DomainData 1525 ? EmailData: EmailData 1526 ? Service: Service 1527 ? WindowsRegistryKeysModified: WindowsRegistryKeysModified 1528 ? FileData: FileData 1529 ? CertificateData: CertificateData 1530 ? RegistryHandle: RegistryHandle 1531 ? RecordData: RecordData 1532 ? EventData: EventData 1533 ? Incident: Incident 1534 ? Expectation: Expectation 1535 ? 
Reference: Reference 1536 ? Assessment: Assessment 1537 ? DetectionPattern: DetectionPattern 1538 ? HistoryItem: HistoryItem 1539 ? BulkObservable: BulkObservable 1540 ? AdditionalData: [+ ExtensionType] 1541 } 1543 BulkObservable = { 1544 ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 1545 "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / 1546 "mac" / "site-url" / "domain-name" / "domain-to-ipv4" / 1547 "domain-to-ipv6" / "domain-to-ipv4-timestamp" / 1548 "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / 1549 "windows-reg-key" / "file-hash" / "email-x-mailer" / 1550 "email-subject" / "http-user-agent" / "http-request-uri" / 1551 "mutex" / "file-path" / "user-name" / "ext-value" 1552 ? ext-type: text 1553 ? BulkObservableFormat: BulkObservableFormat 1554 BulkObservableList: text 1555 ? AdditionalData: [+ ExtensionType] 1556 } 1558 BulkObservableFormat = { 1559 ? Hash: Hash 1560 ? AdditionalData: [+ ExtensionType] 1561 } 1563 IndicatorExpression = { 1564 ? operator: "not" / "and" / "or" / "xor" .default "and" 1565 ? ext-operator: text 1566 ? IndicatorExpression: [+ IndicatorExpression] 1567 ? Observable: [+ Observable] 1568 ? uid-ref: [+ IDREFType] 1569 ? IndicatorReference: [+ IndicatorReference] 1570 ? Confidence: Confidence 1571 ? AdditionalData: [+ ExtensionType] 1572 } 1574 IndicatorReference = { 1575 ? uid-ref: IDREFType 1576 ? euid-ref: text 1577 ? version: text 1578 } 1580 AttackPhase = { 1581 ? AttackPhaseID: [+ text] 1582 ? URL: [+ uri] 1583 ? Description: [+ text / MLStringType] 1584 ? AdditionalData: [+ ExtensionType] 1585 } 1587 Figure 3: Data Model in CDDL 1589 6. Acknowledgements 1591 We would like to thank Yasuaki Morita, Henk Birkholz and Carsten 1592 Bormann for their insightful comments on CDDL. 1594 7. IANA Considerations 1596 This document registers a JSON schema. 1598 8. Security Considerations 1600 This memo does not provide any further security considerations than 1601 the one described in [RFC7970]. 1603 9. 
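   A receiver that ingests JSON IODEF documents can enforce the
   constraints of Figure 3 directly: the ".regexp" scalars (lang,
   IDtype, TimeZonetype, PortlistType), the enumerations and their
   "ext-value" escape, and the members the CDDL lists without a leading
   "?".  The following validator is an added illustration written for
   this page, not code from the draft or from any IODEF implementation;
   it covers the iodef, Incident, IncidentID, Contact and Email
   definitions, and both sample documents are constructed here in the
   shape of the Section 4.1 report.

```python
import json
import re

# Regular expressions copied from the .regexp constraints in Figure 3,
# anchored because the CDDL .regexp control matches the whole string.
LANG_RE = re.compile(r"^(?:[a-zA-Z]{1,8}(?:-[a-zA-Z0-9]{1,8})*)?$")
IDTYPE_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_.-]*$")
TIMEZONE_RE = re.compile(r"^(?:Z|[+-](?:0[0-9]|1[0-4]):[0-5][0-9])$")
PORTLIST_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")

# Enumerations copied from Figure 3.
RESTRICTION = {"public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"}
PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other",
           "ext-value"}
CONTACT_TYPE = {"person", "organization", "ext-value"}
CONTACT_ROLE = {"creator", "reporter", "admin", "tech", "provider", "user",
                "billing", "legal", "irt", "abuse", "cc", "cc-irt", "leo",
                "vendor", "vendor-support", "victim", "victim-notified",
                "ext-value"}


def _enum(obj, key, allowed, path, errors, required=False):
    """Check an enumerated member; an "ext-value" choice has to be paired
    with an ext-<key> member that carries the extension (RFC 7970 rule)."""
    if key not in obj:
        if required:
            errors.append(f"{path}: missing mandatory member {key!r}")
    elif obj[key] not in allowed:
        errors.append(f"{path}.{key}: {obj[key]!r} not in enumeration")
    elif obj[key] == "ext-value" and f"ext-{key}" not in obj:
        errors.append(f"{path}: {key}=ext-value without ext-{key}")


def _regexp(obj, key, pattern, path, errors):
    """Check an optional text member against its CDDL .regexp constraint."""
    if key in obj and not pattern.fullmatch(str(obj[key])):
        errors.append(f"{path}.{key}: {obj[key]!r} violates .regexp")


def _mandatory(obj, keys, path, errors):  # members listed without "?"
    for key in keys:
        if key not in obj:
            errors.append(f"{path}: missing mandatory member {key!r}")


def validate_contact(contact, path, errors):
    _enum(contact, "role", CONTACT_ROLE, path, errors, required=True)
    _enum(contact, "type", CONTACT_TYPE, path, errors, required=True)
    _enum(contact, "restriction", RESTRICTION, path, errors)
    _regexp(contact, "Timezone", TIMEZONE_RE, path, errors)
    for i, email in enumerate(contact.get("Email", [])):
        _mandatory(email, ("EmailTo",), f"{path}.Email[{i}]", errors)
    for i, inner in enumerate(contact.get("Contact", [])):  # nested Contact
        validate_contact(inner, f"{path}.Contact[{i}]", errors)


def validate_incident(inc, path, errors):
    _enum(inc, "purpose", PURPOSE, path, errors, required=True)
    _enum(inc, "restriction", RESTRICTION, path, errors)
    _regexp(inc, "lang", LANG_RE, path, errors)
    _regexp(inc, "observable-id", IDTYPE_RE, path, errors)
    _mandatory(inc, ("IncidentID", "GenerationTime", "Contact"), path, errors)
    iid = inc.get("IncidentID", {})
    _mandatory(iid, ("id", "name"), f"{path}.IncidentID", errors)
    _enum(iid, "restriction", RESTRICTION, f"{path}.IncidentID", errors)
    if "Contact" in inc and not inc["Contact"]:  # [+ Contact]: one or more
        errors.append(f"{path}.Contact: needs at least one entry")
    for i, c in enumerate(inc.get("Contact", [])):
        validate_contact(c, f"{path}.Contact[{i}]", errors)


def validate_document(text):
    """Return the list of violations found in a JSON IODEF document;
    an empty list means every check implemented here passed."""
    doc = json.loads(text)
    errors = []
    _mandatory(doc, ("version",), "iodef", errors)
    _regexp(doc, "lang", LANG_RE, "iodef", errors)
    if not doc.get("Incident"):  # [+ Incident]: one or more
        errors.append("iodef: Incident must hold at least one Incident")
    for i, inc in enumerate(doc.get("Incident") or []):
        validate_incident(inc, f"Incident[{i}]", errors)
    return errors


# Constructed samples (not the draft's own text) in the shape of the
# Section 4.1 report: one clean, one carrying four violations.
GOOD_DOC = json.dumps({"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Timezone": "-05:00",
                 "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]})
BAD_DOC = json.dumps({"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "other", "restriction": "ext-value",  # ext-restriction absent
    "observable-id": "9abc",            # IDtype may not start with a digit
    "IncidentID": {"id": "1", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Timezone": "+15:00",  # hour field is limited to 00-14
                 "Email": [{"Description": ["no EmailTo member"]}]}]}]})
```

   Running validate_document(BAD_DOC) reports the four violations by
   JSON path, which is the form a CSIRT intake pipeline would log before
   rejecting a malformed report.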
9.  Normative References

   [jsonschema]
              "JSON Schema", 2006, <http://json-schema.org/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

Appendix A.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema that defines the IODEF Data Model
   defined in this draft.

   { "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site",
                 "contact-target-site","contact-sender","investigate",
                 "block-host","block-network","block-port","rate-limit-host",
                 "rate-limit-network","rate-limit-port","redirect-traffic",
                 "honeypot","upgrade-software","rebuild-asset","harden-asset",
                 "remediate-other","status-triage","status-new-info",
                 "watch-and-report","training","defined-coa","ext-value"]},
       "duration": {"enum": ["second","minute","hour","day","month","quarter",
                   "year","ext-value"]},
       "lang": {"enum": ["en","jp"]},
       "purpose": {"enum": ["traceback","mitigation","reporting","watch",
                  "other","ext-value"]},
       "restriction": {"enum": ["public","partner","need-to-know","private",
                      "default","white","green","amber","red","ext-value"]},
       "status": {"enum": ["new","in-progress","forwarded","resolved",
                 "future","ext-value"]},
       "DATETIME": {"type": "string"},
       "PORTLIST": {"type": "string"},
       "URLtype": {"type": "string"},
       "IDtype": {"type": "string"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
                     "ntpstamp","integer","portlist","real","string","file",
                     "path","frame","packet","ipv4-packet","ipv6-packet","url",
                     "csv","winreg","xml","ext-value"]},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}}},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"}},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {"$ref": "#/definitions/URLtype"},
           "Description": {"type": "array", "items": {"type":"string"}}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"type": "string"},
           "ext-spec-name": {"type": "string"},
           "dtype": {"type": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "specID": {"type": "string"},
           "ext-specID": {"type": "string"},
           "contentID": {"type": "string"},
           "RawData": {"type": "string"},
           "URL": {"$ref": "#/definitions/URLtype"}},
         "required": ["specID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array",
             "items": {"$ref": "#/definitions/RelatedActivity"}},
           "DetectTime": {"type": "string"},
           "StartTime": {"type": "string"},
           "EndTime": {"type": "string"},
           "RecoveryTime": {"type": "string"},
           "ReportTime": {"type": "string"},
           "GenerationTime": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}},
           "Discovery": {
             "type": "array","items": {"$ref": "#/definitions/Discovery"}},
           "Assessment": {
             "type": "array","items": {"$ref": "#/definitions/Assessment"}},
           "Methods": {
             "type": "array","items": {"$ref": "#/definitions/Method"}},
           "Contacts": {
             "type": "array","items": {"$ref": "#/definitions/Contact"}},
           "EventData": {
             "type": "array","items": {"$ref": "#/definitions/EventData"}},
           "IndicatorList": {
             "type": "array","items": {"$ref": "#/definitions/Indicator"}},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID","GenerationTime","Contacts","purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
           "URL": {
             "type": "array","items": {"$ref": "#/definitions/URLtype"}},
           "ThreatActor": {
             "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
           "Campaign": {
             "type": "array","items": {"$ref": "#/definitions/Campaign"}},
           "IndicatorID": {
             "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": { "type": "array","items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {"type": "array", "items": {"type": "string"}},
           "URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum": ["creator","reporter","admin","tech","provider","user",
                      "billing","legal","irt","abuse","cc","cc-irt","leo",
                      "vendor","vendor-support","victim","victim-notified",
                      "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person","organization","ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "ContactName": {"type": "array", "items": {"type": "string"}},
           "ContactTitle": {"type": "array", "items": {"type": "string"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "RegistryHandle": {
             "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}},
           "PostalAddress": {
             "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}},
           "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
           "Telephone": {
             "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
           "Timezone": {"type": "string"},
           "Contact": {
             "type": "array", "items": {"$ref": "#/definitions/Contact"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["role","type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
                      "local","ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {"type": "string"},
           "ext-type": {"type": "string"},
           "PAddress": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["direct","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["wired","mobile","fax","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum":["nidps","hips","siem","av","third-party-monitoring",
                     "incident","os-log","application-log","device-log",
                     "network-flow","passive-dns","investigation","audit",
                     "internal-notification","external-notification","leo",
                     "partner","actor","unknown","ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "Description": {"type": "array", "items": {"type": "string"}},
           "Contact": {
             "type": "array", "items": {"$ref": "#/definitions/Contact"}},
           "DetectionPattern": {
             "type":"array",
             "items":{"$ref":"#/definitions/DetectionPattern"}}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {"type": "array", "items": {"type": "string"}},
           "DetectionConfiguration": {
             "type": "array", "items": {"type": "string"}}},
         "required": ["Application"],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "References": {
             "type": "array","items": {"$ref": "#/definitions/Reference"}},
           "Description": {"type": "array", "items": {"type": "string"}},
           "AttackPattern": {
             "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
           "Vulnerability": {
             "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
           "Weakness": {
             "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {"type": "string"},
           "URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
           "Description": {"type": "array", "items": {"type": "string"}}},
         "required": [],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum":["actual","potential"]},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {"type": "array", "items": {"type": "string"}},
           "SystemImpact": {
             "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
           "BusinessImpact": {
             "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
           "TimeImpact": {
             "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
           "MonetaryImpact": {
             "type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}},
           "IntendedImpact": {
             "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
           "Counter": {
             "type": "array", "items": {"$ref": "#/definitions/Counter"}},
           "MitigatingFactor": {
             "type": "array", "items": {"type": "string"}},
           "Cause": {"type": "array", "items": {"type": "string"}},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {
             "enum":["low","medium","high"]},
           "completion": {"enum":["failed","succeeded"]},
           "type": {
             "enum":["takeover-account","takeover-service","takeover-system",
                     "cps-manipulation","cps-damage","availability-data",
                     "availability-account","availability-service",
                     "availability-system","damaged-system","damaged-data",
                     "breach-proprietary","breach-privacy","breach-credential",
                     "breach-configuration","integrity-data",
                     "integrity-configuration","integrity-hardware",
                     "traffic-redirection","monitoring-traffic",
                     "monitoring-host","policy","unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}}},
         "required": ["type"],
         "additionalProperties": false},
       "BusinessImpact": {
         "type": "object",
         "properties": {
           "severity": {
             "enum":["none","low","medium","high","unknown","ext-value"]},
           "ext-severity": {"type":"string"},
           "type": {
             "enum":["breach-proprietary","breach-privacy","breach-credential",
                     "loss-of-integrity","loss-of-service","theft-financial",
                     "theft-service","degraded-reputation","asset-damage",
                     "asset-manipulation","legal","extortion","unknown",
                     "ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {"type": "array","items": {"type": "string"}}},
         "required": ["type"],
         "additionalProperties": false},
       "TimeImpact": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "severity": {"enum": ["low","medium","high"]},
           "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
           "ext-metric": {"type": "string"},
           "duration": {"$ref":"#/definitions/duration"},
           "ext-duration": {"type": "string"}},
         "required": ["metric"],
         "additionalProperties": false},
       "MonetaryImpact": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "severity": {"enum":["low","medium","high"]},
           "currency": {"type": "string"}},
         "required": [],
         "additionalProperties": false},
       "Confidence": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "rating": {
             "enum": ["low","medium","high","numeric","unknown","ext-value"]},
           "ext-rating": {"type":"string"}},
         "required": ["rating"],
         "additionalProperties": false},
       "History": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "HistoryItem": {
             "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
         "required": ["HistoryItem"],
         "additionalProperties": false},
       "HistoryItem": {
         "type": "object",
         "properties": {
           "action": {"$ref": "#/definitions/action"},
           "ext-action": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "Contact": {"$ref": "#/definitions/Contact"},
           "Description": {"type": "array","items": {"type": "string"}},
           "DefinedCOA": {"type": "array","items": {"type": "string"}},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["DateTime","action"],
         "additionalProperties": false},
       "EventData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {"type": "array","items": {"type": "string"}},
           "DetectTime": {"type":
"string"}, 2043 "StartTime": {"type": "string"}, 2044 "EndTime": {"type": "string"}, 2045 "RecoveryTime": {"type": "string"}, 2046 "ReportTime": {"type": "string"}, 2047 "Contact": { 2048 "type": "array","items": {"$ref": "#/definitions/Contact"}}, 2049 "Discovery": { 2050 "type": "array","items": {"$ref": "#/definitions/Discovery"}}, 2051 "Assessment": {"$ref": "#/definitions/Assessment"}, 2052 "Method": { 2053 "type": "array","items": {"$ref": "#/definitions/Method"}}, 2054 "System": { 2055 "type": "array","items": {"$ref": "#/definitions/System"}}, 2056 "Expectation": { 2057 "type": "array","items": {"$ref": "#/definitions/Expectation"}}, 2058 "RecordData": {"type": "array", 2059 "items": {"$ref": "#/definitions/RecordData"}}, 2060 "EventData": { 2061 "type": "array","items": {"$ref": "#/definitions/EventData"}}, 2062 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2063 "required": ["ReportTime"], 2064 "additionalProperties": false}, 2065 "Expectation": { 2066 "type": "object", 2067 "properties": { 2068 "action": {"$ref":"#/definitions/action"}, 2069 "ext-action": {"type": "string"}, 2070 "severity": {"enum": ["low","medium","high"]}, 2071 "restriction": {"$ref": "#/definitions/restriction"}, 2072 "ext-restriction": {"type": "string"}, 2073 "observable-id": {"$ref": "#/definitions/IDtype"}, 2074 "Description": {"type": "array","items": {"type": "string"}}, 2075 "DefinedCOA": {"type": "array","items": {"type": "string"}}, 2076 "StartTime": {"type": "string"}, 2077 "EndTime": {"type": "string"}, 2078 "Contact": {"$ref": "#/definitions/Contact"}}, 2079 "required": [], 2080 "additionalProperties": false}, 2081 "System": { 2082 "type": "object", 2083 "properties": { 2084 "category": { 2085 "enum": ["source","target","intermediate","sensor", 2086 "infrastructure","ext-value"]}, 2087 "ext-category": {"type": "string"}, 2088 "interface": {"type": "string"}, 2089 "spoofed": {"enum": ["unknown","yes","no"]}, 2090 "virtual": {"enum": ["yes","no","unknown"]}, 
2091 "ownership": { 2092 "enum":["organization","personal","partner","customer", 2093 "no-relationship","unknown","ext-value"]}, 2094 "ext-ownership": {"type": "string"}, 2095 "restriction": {"$ref": "#/definitions/restriction"}, 2096 "ext-restriction": {"type": "string"}, 2097 "observable-id": {"$ref": "#/definitions/IDtype"}, 2098 "Node": {"$ref": "#/definitions/Node"}, 2099 "NodeRole": { 2100 "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, 2101 "Service": { 2102 "type": "array","items": {"$ref": "#/definitions/Service"}}, 2103 "OperatingSystem": { 2104 "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, 2105 "Counter": { 2106 "type": "array","items": {"$ref": "#/definitions/Counter"}}, 2107 "AssetID": {"type": "array","items": {"type": "string"}}, 2108 "Description": {"type": "array","items": {"type": "string"}}, 2109 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2110 "required": ["Node"], 2111 "additionalProperties": false}, 2112 "Node": { 2113 "type": "object", 2114 "properties": { 2115 "DomainData": { 2116 "type": "array","items": {"$ref": "#/definitions/DomainData"}}, 2117 "Address": { 2118 "type": "array","items": {"$ref": "#/definitions/Address"}}, 2119 "PostalAddress": {"type": "string"}, 2120 "Location": {"type": "array","items": {"type": "string"}}, 2121 "Counter": {"type":"array", 2122 "items":{"$ref":"#/definitions/Counter"}}}, 2123 "required": [], 2124 "additionalProperties": false}, 2125 "Address": { 2126 "type": "object", 2127 "properties": { 2128 "value": {"type": "string"}, 2129 "category": { 2130 "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", 2131 "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", 2132 "ipv6-net-masked","mac","site-url","ext-value"]}, 2133 "ext-category": {"type": "string"}, 2134 "vlan-name": {"type": "string"}, 2135 "vlan-num": {"type": "integer"}, 2136 "observable-id": {"$ref": "#/definitions/IDtype"}}, 2137 "required": ["category"], 2138 "additionalProperties": false}, 
2139 "NodeRole": { 2140 "type": "object", 2141 "properties": { 2142 "category": { 2143 "enum":["client","client-enterprise","clent-partner", 2144 "client-remote","client-kiosk","client-mobile", 2145 "server-internal","server-public","www","mail","webmail", 2146 "messaging","streaming","voice","file","ftp","p2p","name", 2147 "directory","credential","print","application","database", 2148 "backup","dhcp","assessment","source-control", 2149 "config-management","monitoring","infra","infra-firewall", 2150 "infra-router","infra-switch","camera","proxy", 2151 "remote-access","log","virtualization","pos", "scada", 2152 "scada-supervisory","sinkhole","honeypot","anomyzation", 2153 "c2-server","malware-distribution","drop-server", 2154 "hot-point","reflector","phishing-site", 2155 "spear-phishing-site","recruiting-site", 2156 "fraudulent-site","ext-value"]}, 2157 "ext-category": {"type": "string"}, 2158 "Description": {"type": "array","items": {"type": "string"}}}, 2159 "required": ["category"], 2160 "additionalProperties": false}, 2161 "Counter": { 2162 "type": "object", 2163 "properties": { 2164 "value": {"type": "string"}, 2165 "type": {"enum": ["count","peak","average","ext-value"]}, 2166 "ext-type": {"type": "string"}, 2167 "unit": {"enum": ["byte","mbit","packet","flow","session","alert", 2168 "message","event","host","site","organization", 2169 "ext-value"]}, 2170 "ext-unit": {"type": "string"}, 2171 "meaning": {"type": "string"}, 2172 "duration": {"$ref":"#/definitions/duration"}, 2173 "ext-duration": {"type": "string"}}, 2174 "required": ["type","unit"], 2175 "additionalProperties": false}, 2176 "DomainData": { 2177 "type": "object", 2178 "properties": { 2179 "system-status": { 2180 "enum": ["spoofed","fraudulent","innocent-hacked", 2181 "innocent-hijacked","unknown","ext-value"]}, 2182 "ext-system-status": {"type": "string"}, 2183 "domain-status": { 2184 "enum": [ 2185 "reservedDelegation","assignedAndActive","assignedAndInactive", 2186 
"assignedAndOnHold","revoked","transferPending","registryLock", 2187 "registrarLock","other","unknown","ext-value"]}, 2188 "ext-domain-status": {"type": "string"}, 2189 "observable-id": {"$ref": "#/definitions/IDtype"}, 2190 "Name": {"type": "string"}, 2191 "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, 2192 "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, 2193 "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, 2194 "RelatedDNS": { 2195 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2196 "NameServers": { 2197 "type": "array","items": {"$ref": "#/definitions/NameServers"}}, 2198 "DomainContacts": { 2199 "$ref": "#/definitions/DomainContacts"}}, 2200 "required": ["Name","system-status","domain-status"], 2201 "additionalProperties": false}, 2202 "NameServers": { 2203 "type": "object", 2204 "properties": { 2205 "Server": {"type": "string"}, 2206 "Address": {"type":"array", 2207 "items":{"$ref":"#/definitions/Address"}}}, 2208 "required": ["Server","Address"], 2209 "additionalProperties": false}, 2210 "DomainContacts": { 2211 "type": "object", 2212 "properties": { 2213 "SameDomainContact": {"type": "string"}, 2214 "Contact": {"type":"array", 2215 "items":{"$ref":"#/definitions/Contact"}}}, 2216 "required": ["Contact"], 2217 "additionalProperties": false}, 2218 "Service": { 2219 "type": "object", 2220 "properties": { 2221 "ip-protocol": {"type": "integer"}, 2222 "observable-id": {"$ref": "#/definitions/IDtype"}, 2223 "ServiceName": {"$ref": "#/definitions/ServiceName"}, 2224 "Port": {"type": "integer"}, 2225 "Portlist": {"$ref": "#/definitions/PORTLIST"}, 2226 "ProtoCode": {"type": "integer"}, 2227 "ProtoType": {"type": "integer"}, 2228 "ProtoField": {"type": "integer"}, 2229 "ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"}, 2230 "EmailData": {"$ref": "#/definitions/EmailData"}, 2231 "Application": {"$ref": "#/definitions/SoftwareType"}}, 2232 "required": [], 2233 "additionalProperties": false}, 2234 
"ServiceName": { 2235 "type": "object", 2236 "properties": { 2237 "IANAService": {"type": "string"}, 2238 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2239 "Description": {"type": "array","items": {"type": "string"}}}, 2240 "required": [], 2241 "additionalProperties": false}, 2242 "EmailData": { 2243 "type": "object", 2244 "properties": { 2245 "observable-id": {"$ref": "#/definitions/IDtype"}, 2246 "EmailTo": {"type": "array","items": {"type": "string"}}, 2247 "EmailFrom": {"type": "string"}, 2248 "EmailSubject": {"type": "string"}, 2249 "EmailX-Mailer": {"type": "string"}, 2250 "EmailHeaderField": { 2251 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2252 "EmailHeaders": {"type": "string"}, 2253 "EmailBody": {"type": "string"}, 2254 "EmailMessage": {"type": "string"}, 2255 "HashData": { 2256 "type": "array","items": {"$ref": "#/definitions/HashData"}}, 2257 "Signature": {"type": "array","items": {"type": "string"}}}, 2258 "required": [], 2259 "additionalProperties": false}, 2260 "RecordData": { 2261 "type": "object", 2262 "properties": { 2263 "restriction": {"$ref": "#/definitions/restriction"}, 2264 "ext-restriction": {"type": "string"}, 2265 "observable-id": {"$ref": "#/definitions/IDtype"}, 2266 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2267 "Description": {"type": "array","items": {"type": "string"}}, 2268 "Applicadtion": {"$ref": "#/definitions/SoftwareType"}, 2269 "RecordPattern": { 2270 "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, 2271 "RecordItem": { 2272 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2273 "URL": { 2274 "type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2275 "FileData": { 2276 "type": "array","items": {"$ref": "#/definitions/FileData"}}, 2277 "WindowsRegistryKeysModified": { 2278 "type": "array", 2279 "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, 2280 "CertificateData": { 2281 
"type":"array","items":{"$ref":"#/definitions/CertificateData"}}, 2282 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2283 "required": [], 2284 "additionalProperties": false 2285 }, 2286 "RecordPattern": { 2287 "type": "object", 2288 "properties": { 2289 "value": {"type": "string"}, 2290 "type": {"enum": ["regex","binary","xpath","ext-value"]}, 2291 "ext-type": {"type": "string"}, 2292 "offset": {"type": "integer"}, 2293 "offsetunit": {"enum":["line","byte","ext-value"]}, 2294 "ext-offsetunit": {"type": "string"}, 2295 "instance": {"type": "integer"}}, 2296 "required": ["type"], 2297 "additionalProperties": false}, 2298 "WindowsRegistryKeysModified": { 2299 "type": "object", 2300 "properties": { 2301 "observabile-id": {"$ref": "#/definitions/IDtype"}, 2302 "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, 2303 "required": ["Key"], 2304 "additionalProperties": false}, 2305 "Key": { 2306 "type": "object", 2307 "properties": { 2308 "registryaction": {"enum": ["add-key","add-value","delete-key", 2309 "delete-value","modify-key","modify-value", 2310 "ext-value"]}, 2311 "ext-registryaction": {"type": "string"}, 2312 "observable-id": {"$ref": "#/definitions/IDtype"}, 2313 "KeyName": {"type":"string"}, 2314 "KeyValue": {"type": "string"}}, 2315 "required": ["KeyName"], 2316 "additionalProperties": false}, 2317 "CertificateData": { 2318 "type": "object", 2319 "properties": { 2320 "restriction": {"$ref": "#/definitions/restriction"}, 2321 "ext-restriction": {"type": "string"}, 2322 "observable-id": {"$ref": "#/definitions/IDtype"}, 2323 "Certificate": { 2324 "type": "array","items": {"$ref": "#/definitions/Certificate"}}}, 2325 "required": ["Certificate"], 2326 "additionalProperties": false}, 2327 "Certificate": { 2328 "type": "object", 2329 "properties": { 2330 "observable-id": {"$ref": "#/definitions/IDtype"}, 2331 "X509Data": {type: "string"}, 2332 "Description": {"type": "array","items": {"type": "string"}}}, 2333 "required": ["X509Data"], 
2334 "additionalProperties": false}, 2335 "FileData": { 2336 "type": "object", 2337 "properties": { 2338 "restriction": {"$ref": "#/definitions/restriction"}, 2339 "ext-restriction": {"type": "string"}, 2340 "observable-id": {"$ref": "#/definitions/IDtype"}, 2341 "File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, 2342 "required": ["File"], 2343 "additionalProperties": false}, 2344 "File": { 2345 "type": "object", 2346 "properties": { 2347 "FileName": {"type": "string"}, 2348 "FileSize": {"type": "integer"}, 2349 "FileType": {"type": "string"}, 2350 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2351 "HashData": {"$ref": "#/definitions/HashData"}, 2352 "Signature": {"type": "array","items": {"type": "string"}}, 2353 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 2354 "FileProperties": { 2355 "type":"array","items":{"$ref":"#/definitions/ExtensionType"}}}, 2356 "required": [], 2357 "additionalProperties": false}, 2358 "HashData": { 2359 "type": "object", 2360 "properties": { 2361 "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", 2362 "file-pe-resource","file-pdf-object","email-hash", 2363 "email-hash-header","email-hash-body"]}, 2364 "HashTargetID": {"type": "string"}, 2365 "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, 2366 "FuzzyHash": { 2367 "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, 2368 "required": ["scope"], 2369 "additionalProperties": false}, 2370 "Hash": { 2371 "type": "object", 2372 "properties": { 2373 "DigestMethod": {"type": "string"}, 2374 "DigestValue": {"type": "string"}, 2375 "CanonicalizationMethod": {}, 2376 "Application": {"$ref": "#/definitions/SoftwareType"}}, 2377 "required": ["DigestMethod","DigestValue"], 2378 "additionalProperties": false}, 2379 "FuzzyHash": { 2380 "type": "object", 2381 "properties": { 2382 "FuzzyHashValue": { 2383 "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, 2384 "Application": {"$ref": 
"#/definitions/SoftwareType"}, 2385 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2386 "required": ["FuzzyHashValue"], 2387 "additionalProperties": false}, 2388 "Indicator": { 2389 "type": "object", 2390 "properties": { 2391 "restriction": {"$ref": "#/definitions/restriction"}, 2392 "ext-restriction": {"type": "string"}, 2393 "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 2394 "AlternativeIndicatorID": { 2395 "type": "array", 2396 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, 2397 "Description": {"type": "array","items": {"type": "string"}}, 2398 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2399 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2400 "Confidence": {"$ref": "#/definitions/Confidence"}, 2401 "Contact": { 2402 "type": "array","items": {"$ref": "#/definitions/Contact"}}, 2404 "Observable": {"$ref": "#/definitions/Observable"}, 2405 "uid-ref": {"type": "string"}, 2406 "IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"}, 2407 "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, 2408 "NodeRole": { 2409 "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, 2410 "AttackPhase": { 2411 "type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, 2412 "Reference": { 2413 "type": "array","items": {"$ref": "#/definitions/Reference"}}, 2414 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2415 "required": ["IndicatorID"], 2416 "additionalProperties": false}, 2417 "IndicatorID": { 2418 "type": "object", 2419 "properties": { 2420 "id": {"type": "string"}, 2421 "name": {"type": "string"}, 2422 "version": {"type": "string"}}, 2423 "required": ["name","version"], 2424 "additionalProperties": false}, 2425 "AlternativeIndicatorID": { 2426 "type": "object", 2427 "properties": { 2428 "restriction": {"$ref": "#/definitions/restriction"}, 2429 "ext-restriction": {"type": "string"}, 2430 "IndicatorReference": { 2431 "type": "array", 2432 "items": {"$ref": 
"#/definitions/IndicatorReference"}}}, 2433 "required": ["IndicatorReference"], 2434 "additionalProperties": false}, 2435 "Observable": { 2436 "type": "object", 2437 "properties": { 2438 "restriction": {"$ref": "#/definitions/restriction"}, 2439 "ext-restriction": {"type": "string"}, 2440 "System": {"$ref": "#/definitions/System"}, 2441 "Address": {"$ref": "#/definitions/Address"}, 2442 "DomainData": {"$ref": "#/definitions/DomainData"}, 2443 "EmailData": {"$ref": "#/definitions/EmailData"}, 2444 "Service": {"$ref": "#/definitions/Service"}, 2445 "WindowsRegistryKeysModified": { 2446 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 2447 "FileData": {"$ref": "#/definitions/FileData"}, 2448 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 2449 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 2450 "RecordData": {"type": "array", 2451 "item": {"$ref": "#/definitions/Record"}}, 2453 "EventData": {"$ref": "#/definitions/EventData"}, 2454 "Incident": {"$ref": "#/definitions/Incident"}, 2455 "Expectation": {"$ref": "#/definitions/Expectation"}, 2456 "Reference": {"$ref": "#/definitions/Reference"}, 2457 "Assessment": {"$ref": "#/definitions/Assessment"}, 2458 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 2459 "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, 2460 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 2461 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2462 "required": [], 2463 "additionalProperties": false}, 2464 "BulkObservable": { 2465 "type": "object", 2466 "properties": { 2467 "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 2468 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", 2469 "mac","site-url","domain-name","domain-to-ipv4", 2470 "domain-to-ipv6","domain-to-ipv4-timestamp", 2471 "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", 2472 "windows-reg-key","file-hash","email-x-mailer", 2473 "email-subject","http-user-agent","http-request-url", 2474 
"mutex","file-path","user-name","ext-value"]}, 2475 "ext-type": {"type": "string"}, 2476 "BulkObservableFormant":{ 2477 "$ref": "#/definitions/BulkObservableFormat"}, 2478 "BulkObservableList": {"type": "array", "item":{"type": "string"}}, 2479 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2480 "required": [], 2481 "additionalProperties": false}, 2482 "BulkObservableFormat": { 2483 "type": "object", 2484 "properties": { 2485 "Hash": {"$ref": "#/definitions/Hash"}, 2486 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2487 "required": [], 2488 "additionalProperties": false}, 2489 "IndicatorExpression": { 2490 "type": "object", 2491 "properties": { 2492 "operator": {"enum": ["not","and","or","xor"]}, 2493 "ext-operator": {"type": "string"}, 2494 "IndicatorExpression": { 2495 "type": "array", 2496 "items": {"$ref": "#/definitions/IndicatorExpression"}}, 2497 "Observable": { 2498 "type": "array","items": {"$ref": "#/definitions/Observable"}}, 2499 "uid-ref": {"type": "string"}, 2500 "IndicatorReference": { 2501 "type": "array", 2502 "items": {"$ref": "#/definitions/IndicatorReference"}}, 2503 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2504 "required": [], 2505 "additionalProperties": false}, 2506 "IndicatorReference": { 2507 "type": "object", 2508 "properties": { 2509 "uid-ref": {"type": "string"}, 2510 "euid-ref": {"type": "string"}, 2511 "version": {"type": "string"}}, 2512 "required": [], 2513 "additionalProperties": false}, 2514 "AttackPhase": { 2515 "type": "object", 2516 "properties": { 2517 "AttackPhaseID": {"type": "array","items": {"type": "string"}}, 2518 "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2519 "Description": {"type": "array","items": {"type": "string"}}, 2520 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2521 "required": [], 2522 "additionalProperties": false}}, 2523 "title": "IODEF-Document", 2524 "description": "JSON schema for IODEF-Document class", 2525 
"type": "object", 2526 "properties": { 2527 "version": {"type": "string"}, 2528 "lang": {"$ref": "#/definitions/lang"}, 2529 "format-id": {"type": "string"}, 2530 "private-enum-name": {"type": "string"}, 2531 "private-enum-id": {"type": "string"}, 2532 "Incident": { 2533 "type": "array","items": {"$ref": "#/definitions/Incident"}}, 2534 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2535 "required": ["version","Incident"], 2536 "additionalProperties": false} 2538 Figure 4: JSON schema 2540 Authors' Addresses 2541 Takeshi Takahashi 2542 National Institute of Information and Communications Technology 2543 4-2-1 Nukui-Kitamachi 2544 Koganei, Tokyo 184-8795 2545 Japan 2547 Phone: +81 42 327 5862 2548 Email: takeshi_takahashi@nict.go.jp 2550 Roman Danyliw 2551 CERT, Software Engineering Institute, Carnegie Mellon University 2552 4500 Fifth Avenue 2553 Pittsburgh, PA 2554 USA 2556 Email: rdd@cert.org 2558 Mio Suzuki 2559 National Institute of Information and Communications Technology 2560 4-2-1 Nukui-Kitamachi 2561 Koganei, Tokyo 184-8795 2562 Japan 2564 Email: mio@nict.go.jp
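The schema in Figure 4 constrains every IODEF class with the same small keyword set: "type", "enum", "properties", "required", "additionalProperties": false, "items" and local "$ref" pointers into "#/definitions". The following added example is editor-supplied and is not part of this draft or of any IODEF implementation. It implements a validator for exactly that keyword subset and runs it over a constructed HashData document modelled on the Figure 4 HashData and Hash classes (the digest value and target name are made-up sample values). It also shows the failure mode a practitioner should know about before using a schema as an input filter: JSON Schema validators ignore keywords they do not recognise, so a misspelled keyword such as "item" for "items", or "$type" for "type", does not make validation fail; it silently removes the constraint, and the array or value it was meant to guard is accepted unchecked.

```python
import copy

# Constructed fragment modelled on the HashData and Hash classes of the
# Figure 4 schema (draft-04 style, local "#/definitions/..." references).
SCHEMA = {
    "definitions": {
        "Hash": {
            "type": "object",
            "properties": {
                "DigestMethod": {"type": "string"},
                "DigestValue": {"type": "string"},
            },
            "required": ["DigestMethod", "DigestValue"],
            "additionalProperties": False,
        },
    },
    "title": "HashData (fragment, constructed for this example)",
    "type": "object",
    "properties": {
        "scope": {"enum": ["file-contents", "file-pe-section", "email-hash"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array", "items": {"$ref": "#/definitions/Hash"}},
    },
    "required": ["scope"],
    "additionalProperties": False,
}

# JSON Schema "type" names mapped to Python checks; bool is excluded from
# the numeric types because Python's bool subclasses int.
TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}


def resolve_ref(root, ref):
    """Resolve a local JSON pointer such as '#/definitions/Hash'."""
    if not ref.startswith("#/"):
        raise ValueError(f"unsupported $ref: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def validate(instance, schema, root=None, path="$"):
    """Return a list of error strings; an empty list means the instance is valid."""
    root = schema if root is None else root
    errors = []
    if "$ref" in schema:
        # draft-04 semantics: a $ref stands in for its sibling keywords.
        return validate(instance, resolve_ref(root, schema["$ref"]), root, path)
    if "type" in schema:
        types = schema["type"] if isinstance(schema["type"], list) else [schema["type"]]
        if not any(TYPE_CHECKS[t](instance) for t in types):
            errors.append(f"{path}: expected {'/'.join(types)}, got {type(instance).__name__}")
            return errors
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in enum {schema['enum']}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property {key!r}")
        for key, value in instance.items():
            if key in props:
                errors.extend(validate(value, props[key], root, f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property {key!r}")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], root, f"{path}[{i}]"))
    # Any keyword not handled above (including misspellings such as "item"
    # or "$type") is ignored, as the JSON Schema specification requires.
    return errors


# Constructed sample documents.
GOOD = {
    "scope": "file-contents",
    "HashTargetID": "sample.bin",
    "Hash": [{"DigestMethod": "sha256", "DigestValue": "<constructed digest>"}],
}
BAD = {
    "scope": "file-contents",
    "Hash": [{"DigestMethod": "sha256"}],   # DigestValue missing
    "Comment": "not in the schema",         # rejected by additionalProperties: false
}


def check(instance, schema=SCHEMA):
    return validate(instance, schema)


def misspelled_items_schema():
    """Same schema, but with 'items' misspelled as 'item' on the Hash array."""
    s = copy.deepcopy(SCHEMA)
    hash_prop = s["properties"]["Hash"]
    hash_prop["item"] = hash_prop.pop("items")
    return s


if __name__ == "__main__":
    print("GOOD:", check(GOOD))
    print("BAD:", check(BAD))
    print("BAD against misspelled schema:", check(BAD, misspelled_items_schema()))
```

Against the correct schema the malformed document produces two errors (the Hash entry lacking DigestValue and the unexpected Comment property); against the schema with "item" in place of "items" the Hash array is no longer inspected and only the Comment error remains. Linting a schema for unknown keywords before deploying it is therefore part of the validation setup, not an optional nicety.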