MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: July 6, 2019                                               CERT
                                                               M. Suzuki
                                                                    NICT
                                                         January 2, 2019

                       CBOR/JSON binding of IODEF
                       draft-ietf-mile-jsoniodef-07

Abstract

   RFC7970 specified an information model and a corresponding XML data
   model for exchanging incident and indicator information.  This draft
   provides an alternative data model implementation in CBOR/JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 6, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Multilingual Strings
       2.2.2.  Software and Software Reference
       2.2.3.  Structured Information
       2.2.4.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between CBOR/JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Data Types used in this document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   [RFC7970] defines a data representation for security incident reports
   and indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
   Section 8.
   This UML-based information model and XML-based data model are
   referred to as IODEF UML and IODEF XML, respectively, in this
   document.

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using CDDL and JSON Schema [jsonschema].  This JSON data
   model is referred to as IODEF JSON in this document.

   IODEF JSON provides all of the expressivity of IODEF XML.  It gives
   implementers and operators an alternative format to exchange the same
   information.

   The normative IODEF JSON data model is found in Section 5.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.
   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | "integer" per [jsonschema]    |
   | REAL            | Section 2.2       | "number" per [jsonschema]     |
   | CHARACTER       | Section 2.3       | "string" per [jsonschema]     |
   | STRING          | Section 2.3       | "string" per [jsonschema]     |
   | ML_STRING       | Section 2.4       | see Section 2.2.1             |
   | BYTE            | Section 2.5.1     | "string" per [jsonschema]     |
   | BYTE[]          | Section 2.5.1     | "string" per [jsonschema]     |
   | HEXBIN          | Section 2.5.2     | "string" per [jsonschema]     |
   | HEXBIN[]        | Section 2.5.2     | "string" per [jsonschema]     |
   | ENUM            | Section 2.6       | "enum" array per [jsonschema] |
   | DATETIME        | Section 2.7       | "string" per [jsonschema]     |
   | TIMEZONE        | Section 2.8       | "string" per [jsonschema]     |
   | PORTLIST        | Section 2.9       | "string" per [jsonschema]     |
   | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.1      |
   | PHONE           | Section 2.11      | "string" per [jsonschema]     |
   | EMAIL           | Section 2.12      | "string" per [jsonschema]     |
   | URL             | Section 2.13      | "string" per [jsonschema]     |
   | ID              | Section 2.14      | "string" per [jsonschema]     |
   | IDREF           | Section 2.14      | "string" per [jsonschema]     |
   | SOFTWARE        | Section 2.15      | see Section 2.2.2             |
   | STRUCTUREDINFO  | [RFC7203]         | see Section 2.2.3             |
   | EXTENSION       | Section 2.16      | see Section 2.2.4             |
   +-----------------+-------------------+-------------------------------+

                        Figure 1: JSON Data Types

   +-----------------+------------------+---------------------------------+
   | IODEF Data Type | CBOR Data Type   | CDDL prelude                    |
   |                 |                  | [draft-ietf-cbor-cddl-05]       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 2                | bytes                           |
   | HEXBIN[]        | 2                | bytes                           |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   | SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
   | STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
   | EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
   +-----------------+------------------+---------------------------------+

                        Figure 2: CBOR Data Types

2.2.  Complex JSON Types

2.2.1.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a text string as defined in Section 5.
   An example is shown below.

   "MLStringType": {
     "value": "free-form text",        //STRING
     "lang": "en",                     //ENUM
     "translation-id": "jp2en0023"     //STRING
   }

2.2.2.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a URL, or with free-form text.  The SOFTWARE data
   type is implemented as an object with "SoftwareReference", "URL", and
   "Description" elements as defined in Section 5.  An example is shown
   below.

   "SoftwareType": {
     "SoftwareReference": {...},       //SoftwareReference
     "Description": ["MS Windows"]     //STRING
   }

   The SoftwareReference class is a reference to a particular version of
   software.  An example is shown below.
   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   //STRING
     "spec-name": "cpe",                              //ENUM
     "dtype": "string"                                //ENUM
   }

2.2.3.  Structured Information

   Information provided in the form of a structured string, such as an
   ID, or of structured information, such as an XML document, is
   represented in the information model by the STRUCTUREDINFO data type.
   Note that this type was originally specified in [RFC7203].  The
   STRUCTUREDINFO data type is implemented as an object with "SpecID",
   "ext-SpecID", "ContentID", "dtype", "RawData", and "Reference"
   elements.  An example embedding a structured ID is shown below.

   "StructuredInfo": {
     "SpecID": "cve",                  //ENUM
     "ContentID": "CVE-2007-5000"      //STRING
   }

   When embedding the raw data, base64 conversion should be used for
   encoding the data, as shown below.

   "StructuredInfo": {
     "SpecID": "oval",                 //ENUM
     "RawData": "<<>>"                 //BYTE
   }

2.2.4.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                 //STRING
     "name": "Syslog",                                   //STRING
     "dtype": "string",                                  //ENUM
     "meaning": "Syslog from the security appliance X"   //STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table shows the list of IODEF classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 5 using CDDL.
   +-----------------------------+------------------------------+-----------+
   | IODEF Class                 | Class Elements and           | Section   |
   |                             | Attributes                   | in        |
   |                             |                              | [RFC7970] |
   +-----------------------------+------------------------------+-----------+
   | IODEF-Document              | version                      | 3.1       |
   |                             | lang?                        |           |
   |                             | format-id?                   |           |
   |                             | private-enum-name?           |           |
   |                             | private-enum-id?             |           |
   |                             | Incident+                    |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Incident                    | purpose                      | 3.2       |
   |                             | ext-purpose?                 |           |
   |                             | status?                      |           |
   |                             | ext-status?                  |           |
   |                             | lang?                        |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | IncidentID                   |           |
   |                             | AlternativeID?               |           |
   |                             | RelatedActivity*             |           |
   |                             | DetectTime?                  |           |
   |                             | StartTime?                   |           |
   |                             | EndTime?                     |           |
   |                             | RecoveryTime?                |           |
   |                             | ReportTime?                  |           |
   |                             | GenerationTime               |           |
   |                             | Description*                 |           |
   |                             | Discovery*                   |           |
   |                             | Assessment*                  |           |
   |                             | Method*                      |           |
   |                             | Contact+                     |           |
   |                             | EventData*                   |           |
   |                             | Indicator*                   |           |
   |                             | History?                     |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | IncidentID                  | id                           | 3.4       |
   |                             | name                         |           |
   |                             | instance?                    |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   +-----------------------------+------------------------------+-----------+
   | AlternativeID               | restriction?                 | 3.5       |
   |                             | ext-restriction?             |           |
   |                             | IncidentID+                  |           |
   +-----------------------------+------------------------------+-----------+
   | RelatedActivity             | restriction?                 | 3.6       |
   |                             | ext-restriction?             |           |
   |                             | IncidentID*                  |           |
   |                             | URL*                         |           |
   |                             | ThreatActor*                 |           |
   |                             | Campaign*                    |           |
   |                             | IndicatorID*                 |           |
   |                             | Confidence?                  |           |
   |                             | Description*                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | ThreatActor                 | restriction?                 | 3.7       |
   |                             | ext-restriction?             |           |
   |                             | ThreatActorID*               |           |
   |                             | URL*                         |           |
   |                             | Description*                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Campaign                    | restriction?                 | 3.8       |
   |                             | ext-restriction?             |           |
   |                             | CampaignID*                  |           |
   |                             | URL*                         |           |
   |                             | Description*                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Contact                     | role                         | 3.9       |
   |                             | ext-role?                    |           |
   |                             | type                         |           |
   |                             | ext-type?                    |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | ContactName*                 |           |
   |                             | ContactTitle*                |           |
   |                             | Description*                 |           |
   |                             | RegistryHandle*              |           |
   |                             | PostalAddress*               |           |
   |                             | Email*                       |           |
   |                             | Telephone*                   |           |
   |                             | Timezone?                    |           |
   |                             | Contact*                     |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | RegistryHandle              | handle                       | 3.9.1     |
   |                             | registry                     |           |
   |                             | ext-registry?                |           |
   +-----------------------------+------------------------------+-----------+
   | PostalAddress               | type?                        | 3.9.2     |
   |                             | ext-type?                    |           |
   |                             | PAddress                     |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | Email                       | type?                        | 3.9.3     |
   |                             | ext-type?                    |           |
   |                             | EmailTo                      |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | Telephone                   | type?                        | 3.9.4     |
   |                             | ext-type?                    |           |
   |                             | TelephoneNumber              |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | Discovery                   | source?                      | 3.10      |
   |                             | ext-source?                  |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | Description*                 |           |
   |                             | Contact*                     |           |
   |                             | DetectionPattern*            |           |
   +-----------------------------+------------------------------+-----------+
   | DetectionPattern            | restriction?                 | 3.10.1    |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | Application                  |           |
   |                             | Description*                 |           |
   |                             | DetectionConfiguration*      |           |
   +-----------------------------+------------------------------+-----------+
   | Method                      | restriction?                 | 3.11      |
   |                             | ext-restriction?             |           |
   |                             | Reference*                   |           |
   |                             | Description*                 |           |
   |                             | AttackPattern*               |           |
   |                             | Vulnerability*               |           |
   |                             | Weakness*                    |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Reference                   | observable-id?               | 3.11.1    |
   |                             | ReferenceName?               |           |
   |                             | URL*                         |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | Assessment                  | occurence?                   | 3.12      |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | IncidentCategory*            |           |
   |                             | SystemImpact*                |           |
   |                             | BusinessImpact*              |           |
   |                             | TimeImpact*                  |           |
   |                             | MonetaryImpact*              |           |
   |                             | IntendedImpact*              |           |
   |                             | Counter*                     |           |
   |                             | MitigatingFactor*            |           |
   |                             | Cause*                       |           |
   |                             | Confidence?                  |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | SystemImpact                | severity?                    | 3.12.1    |
   |                             | completion?                  |           |
   |                             | type                         |           |
   |                             | ext-type?                    |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | BusinessImpact              | severity?                    | 3.12.2    |
   |                             | ext-severity?                |           |
   |                             | type                         |           |
   |                             | ext-type?                    |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | TimeImpact                  | value                        | 3.12.3    |
   |                             | severity?                    |           |
   |                             | metric                       |           |
   |                             | ext-metric?                  |           |
   |                             | duration?                    |           |
   |                             | ext-duration?                |           |
   +-----------------------------+------------------------------+-----------+
   | MonetaryImpact              | value                        | 3.12.4    |
   |                             | severity?                    |           |
   |                             | currency?                    |           |
   +-----------------------------+------------------------------+-----------+
   | Confidence                  | value                        | 3.12.5    |
   |                             | rating                       |           |
   |                             | ext-rating?                  |           |
   +-----------------------------+------------------------------+-----------+
   | History                     | restriction?                 | 3.13      |
   |                             | ext-restriction?             |           |
   |                             | HistoryItem+                 |           |
   +-----------------------------+------------------------------+-----------+
   | HistoryItem                 | action                       | 3.13.1    |
   |                             | ext-action?                  |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | DateTime                     |           |
   |                             | IncidentID?                  |           |
   |                             | Contact?                     |           |
   |                             | Description*                 |           |
   |                             | DefinedCOA*                  |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | EventData                   | restriction?                 | 3.14      |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | Description*                 |           |
   |                             | DetectTime?                  |           |
   |                             | StartTime?                   |           |
   |                             | EndTime?                     |           |
   |                             | RecoveryTime?                |           |
   |                             | ReportTime?                  |           |
   |                             | Contact*                     |           |
   |                             | Discovery*                   |           |
   |                             | Assessment?                  |           |
   |                             | Method*                      |           |
   |                             | System*                      |           |
   |                             | Expectation*                 |           |
   |                             | RecordData*                  |           |
   |                             | EventData*                   |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Expectation                 | action?                      | 3.15      |
   |                             | ext-action?                  |           |
   |                             | severity?                    |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | Description*                 |           |
   |                             | DefinedCOA*                  |           |
   |                             | StartTime?                   |           |
   |                             | EndTime?                     |           |
   |                             | Contact?                     |           |
   +-----------------------------+------------------------------+-----------+
   | System                      | category?                    | 3.17      |
   |                             | ext-category?                |           |
   |                             | interface?                   |           |
   |                             | spoofed?                     |           |
   |                             | virtual?                     |           |
   |                             | ownership?                   |           |
   |                             | ext-ownership?               |           |
   |                             | restriction?                 |           |
   |                             | ext-restriction?             |           |
   |                             | Node                         |           |
   |                             | NodeRole*                    |           |
   |                             | Service*                     |           |
   |                             | OperatingSystem*             |           |
   |                             | Counter*                     |           |
   |                             | AssetID*                     |           |
   |                             | Description*                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Node                        | DomainData*                  | 3.18      |
   |                             | Address*                     |           |
   |                             | PostalAddress?               |           |
   |                             | Location*                    |           |
   |                             | Counter*                     |           |
   +-----------------------------+------------------------------+-----------+
   | Address                     | value                        | 3.18.1    |
   |                             | category                     |           |
   |                             | ext-category?                |           |
   |                             | vlan-name?                   |           |
   |                             | vlan-num?                    |           |
   |                             | observable-id?               |           |
   +-----------------------------+------------------------------+-----------+
   | NodeRole                    | category                     | 3.18.2    |
   |                             | ext-category?                |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | Counter                     | value                        | 3.18.3    |
   |                             | type                         |           |
   |                             | ext-type?                    |           |
   |                             | unit                         |           |
   |                             | ext-unit?                    |           |
   |                             | meaning?                     |           |
   |                             | duration?                    |           |
   |                             | ext-duration?                |           |
   +-----------------------------+------------------------------+-----------+
   | DomainData                  | system-status                | 3.19      |
   |                             | ext-system-status?           |           |
   |                             | domain-status                |           |
   |                             | ext-domain-status?           |           |
   |                             | observable-id?               |           |
   |                             | Name                         |           |
   |                             | DateDomainWasChecked?        |           |
   |                             | RegistrationDate?            |           |
   |                             | ExpirationDate?              |           |
   |                             | RelatedDNS*                  |           |
   |                             | Nameservers*                 |           |
   |                             | DomainContacts?              |           |
   +-----------------------------+------------------------------+-----------+
   | Nameserver                  | Server                       | 3.19.1    |
   |                             | Address*                     |           |
   +-----------------------------+------------------------------+-----------+
   | DomainContacts              | SameDomainContact?           | 3.19.2    |
   |                             | Contact+                     |           |
   +-----------------------------+------------------------------+-----------+
   | Service                     | ip-protocol?                 | 3.20      |
   |                             | observable-id?               |           |
   |                             | ServiceName?                 |           |
   |                             | Port?                        |           |
   |                             | Portlist?                    |           |
   |                             | ProtoCode?                   |           |
   |                             | ProtoType?                   |           |
   |                             | ProtoField?                  |           |
   |                             | ApplicationHeaderField*      |           |
   |                             | EmailData?                   |           |
   |                             | Application?                 |           |
   +-----------------------------+------------------------------+-----------+
   | ServiceName                 | IANAService?                 | 3.20.1    |
   |                             | URL*                         |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | EmailData                   | observable-id?               | 3.21      |
   |                             | EmailTo*                     |           |
   |                             | EmailFrom?                   |           |
   |                             | EmailSubject?                |           |
   |                             | EmailX-Mailer?               |           |
   |                             | EmailHeaderField*            |           |
   |                             | EmailHeaders?                |           |
   |                             | EmailBody?                   |           |
   |                             | EmailMessage?                |           |
   |                             | HashData*                    |           |
   |                             | Signature*                   |           |
   +-----------------------------+------------------------------+-----------+
   | RecordData                  | restriction?                 | 3.22.1    |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | DateTime?                    |           |
   |                             | Description*                 |           |
   |                             | Application?                 |           |
   |                             | RecordPattern*               |           |
   |                             | RecordItem*                  |           |
   |                             | URL*                         |           |
   |                             | FileData*                    |           |
   |                             | WindowsRegistryKeysModified* |           |
   |                             | CertificateData*             |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | RecordPattern               | type                         | 3.22.2    |
   |                             | ext-type?                    |           |
   |                             | offset?                      |           |
   |                             | offsetunit?                  |           |
   |                             | ext-offsetunit?              |           |
   |                             | instance?                    |           |
   |                             | value                        |           |
   +-----------------------------+------------------------------+-----------+
   | WindowsRegistryKeysModified | observable-id?               | 3.23      |
   |                             | Key+                         |           |
   +-----------------------------+------------------------------+-----------+
   | Key                         | registryaction?              | 3.23.1    |
   |                             | ext-registryaction?          |           |
   |                             | observable-id?               |           |
   |                             | KeyName                      |           |
   |                             | KeyValue?                    |           |
   +-----------------------------+------------------------------+-----------+
   | CertificateData             | restriction?                 | 3.24      |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | Certificate+                 |           |
   +-----------------------------+------------------------------+-----------+
   | Certificate                 | observable-id?               | 3.24.1    |
   |                             | X509Data                     |           |
   |                             | Description*                 |           |
   +-----------------------------+------------------------------+-----------+
   | FileData                    | restriction?                 | 3.25      |
   |                             | ext-restriction?             |           |
   |                             | observable-id?               |           |
   |                             | File+                        |           |
   +-----------------------------+------------------------------+-----------+
   | File                        | observable-id?               | 3.25.1    |
   |                             | FileName?                    |           |
   |                             | FileSize?                    |           |
   |                             | FileType?                    |           |
   |                             | URL*                         |           |
   |                             | HashData?                    |           |
   |                             | Signature*                   |           |
   |                             | AssociatedSoftware?          |           |
   |                             | FileProperties*              |           |
   +-----------------------------+------------------------------+-----------+
   | HashData                    | scope                        | 3.26      |
   |                             | HashTargetID?                |           |
   |                             | Hash*                        |           |
   |                             | FuzzyHash*                   |           |
   +-----------------------------+------------------------------+-----------+
   | Hash                        | DigestMethod                 | 3.26.1    |
   |                             | DigestValue                  |           |
   |                             | CanonicalizationMethod?      |           |
   |                             | Application?                 |           |
   +-----------------------------+------------------------------+-----------+
   | FuzzyHash                   | FuzzyHashValue+              | 3.26.2    |
   |                             | Application?                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | Indicator                   | restriction?                 | 3.29      |
   |                             | ext-restriction?             |           |
   |                             | IndicatorID                  |           |
   |                             | AlternativeIndicatorID*      |           |
   |                             | Description*                 |           |
   |                             | StartTime?                   |           |
   |                             | EndTime?                     |           |
   |                             | Confidence?                  |           |
   |                             | Contact*                     |           |
   |                             | Observable?                  |           |
   |                             | uid-ref?                     |           |
   |                             | IndicatorExpression?         |           |
   |                             | IndicatorReference?          |           |
   |                             | NodeRole*                    |           |
   |                             | AttackPhase*                 |           |
   |                             | Reference*                   |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | IndicatorID                 | id                           | 3.29.1    |
   |                             | name                         |           |
   |                             | version                      |           |
   +-----------------------------+------------------------------+-----------+
   | AlternativeIndicatorID      | restriction?                 | 3.29.2    |
   |                             | ext-restriction?             |           |
   |                             | IndicatorID+                 |           |
   +-----------------------------+------------------------------+-----------+
   | Observable                  | restriction?                 | 3.29.3    |
   |                             | ext-restriction?             |           |
   |                             | System?                      |           |
   |                             | Address?                     |           |
   |                             | DomainData?                  |           |
   |                             | Service?                     |           |
   |                             | EmailData?                   |           |
   |                             | WindowsRegistryKeysModified? |           |
   |                             | FileData?                    |           |
   |                             | CertificateData?             |           |
   |                             | RegistryHandle?              |           |
   |                             | RecordData?                  |           |
   |                             | EventData?                   |           |
   |                             | Incident?                    |           |
   |                             | Expectation?                 |           |
   |                             | Reference?                   |           |
   |                             | Assessment?                  |           |
   |                             | DetectionPattern?            |           |
   |                             | HistoryItem?                 |           |
   |                             | BulkObservable?              |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | BulkObservable              | type?                        | 3.29.4    |
   |                             | ext-type?                    |           |
   |                             | BulkObservableFormat?        |           |
   |                             | BulkObservableList           |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | BulkObservableFormat        | Hash?                        | 3.29.5    |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | IndicatorExpression         | operator?                    | 3.29.6    |
   |                             | ext-operator?                |           |
   |                             | IndicatorExpression*         |           |
   |                             | Observable*                  |           |
   |                             | uid-ref*                     |           |
   |                             | IndicatorReference*          |           |
   |                             | Confidence?                  |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+
   | IndicatorReference          | uid-ref?                     | 3.29.7    |
   |                             | euid-ref?                    |           |
   |                             | version?                     |           |
   +-----------------------------+------------------------------+-----------+
   | AttackPhase                 | AttackPhaseID*               | 3.29.8    |
   |                             | URL*                         |           |
   |                             | Description*                 |           |
   |                             | AdditionalData*              |           |
   +-----------------------------+------------------------------+-----------+

                          Figure 3: IODEF Classes

3.2.  Mapping between CBOR/JSON and XML IODEF

   o  This document treats attributes and elements of each class defined
      in [RFC7970] equally and is agnostic on the order of their
      appearance.
   o  Flow class is deleted, and classes with its instances now directly
      have instances of EventData class that used to belong to the Flow
      class.

   o  ApplicationHeader class is deleted, and classes with its instances
      now directly have instances of ApplicationHeaderField class that
      used to belong to the ApplicationHeader class.

   o  SignatureData class is deleted, and classes with its instances now
      directly have instances of Signature class that used to belong to
      the SignatureData class.

   o  IndicatorData class is deleted, and classes with its instances now
      directly have the instances of Indicator class that used to belong
      to the IndicatorData class.

   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is replaced by RecordData class, and RecordData class
      is renamed to Record class.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The MLStringType was modified to support simple strings by
      allowing the type to be not only the predefined object type but
      also a text type, in order to allow simple descriptions of
      elements of that type.

   o  The elements of ML_STRING type in an XML IODEF document are
      presented as either STRING type or ML_STRING type in a CBOR/JSON
      IODEF document.

   o  Data models of the extension classes defined by [RFC7203] and
      referenced by [RFC7970] are represented by the StructuredInfo
      class defined in this document.

   o  Signature, X509Data, and RawData are encoded with base64 and are
      represented as strings (BYTE type) in CBOR/JSON IODEF documents.

4.  Examples

   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only way
   to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes is
   shown below in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{"EmailTo": "contact@csirt.example.com"}]
       }]
     }]
   }

                   Figure 4: A Minimal Example in JSON

   A3                                         # map(3)
      67                                      # text(7)
         76657273696F6E                       # "version"
      63                                      # text(3)
         322E30                               # "2.0"
      64                                      # text(4)
         6C616E67                             # "lang"
      62                                      # text(2)
         656E                                 # "en"
      68                                      # text(8)
         496E636964656E74                     # "Incident"
      81                                      # array(1)
         A5                                   # map(5)
            67                                # text(7)
               707572706F7365                 # "purpose"
            69                                # text(9)
               7265706F7274696E67             # "reporting"
            6B                                # text(11)
               7265737472696374696F6E         # "restriction"
            67                                # text(7)
               70726976617465                 # "private"
            6A                                # text(10)
               496E636964656E744944           # "IncidentID"
            A2                                # map(2)
               62                             # text(2)
                  6964                        # "id"
               66                             # text(6)
                  343932333832                # "492382"
               64                             # text(4)
                  6E616D65                    # "name"
               71                             # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6E                                # text(14)
               47656E65726174696F6E54696D65   # "GenerationTime"
            C0                                # tag(0)
               78 19                          # text(25)
                  323031352D30372D31385430393A30303A30302D30353A3030
                                              # "2015-07-18T09:00:00-05:00"
            67                                # text(7)
               436F6E74616374                 # "Contact"
            81                                # array(1)
               A3                             # map(3)
                  64                          # text(4)
                     74797065                 # "type"
                  6C                          # text(12)
                     6F7267616E697A6174696F6E # "organization"
                  64                          # text(4)
                     726F6C65                 # "role"
                  67                          # text(7)
                     63726561746F72           # "creator"
                  65                          # text(5)
                     456D61696C               # "Email"
                  81                          # array(1)
                     A1                       # map(1)
                        67                    # text(7)
                           456D61696C546F     # "EmailTo"
                        78 19                 # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                              # "contact@csirt.example.com"

                   Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "ipv6-addr",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

              Figure 6: Indicators from a Campaign in JSON

   A3                                         # map(3)
      67                                      # text(7)
         76657273696F6E                       # "version"
      63                                      # text(3)
         322E30                               # "2.0"
      64                                      # text(4)
         6C616E67                             # "lang"
      62                                      # text(2)
         656E                                 # "en"
      68                                      # text(8)
         496E636964656E74                     # "Incident"
      81                                      # array(1)
         A9                                   # map(9)
            67                                # text(7)
               707572706F7365                 # "purpose"
            65                                # text(5)
               7761746368                     # "watch"
            6B                                # text(11)
               7265737472696374696F6E         # "restriction"
            65                                # text(5)
               677265656E                     # "green"
            6A                                # text(10)
               496E636964656E744944           # "IncidentID"
            A2                                # map(2)
               62                             # text(2)
                  6964                        # "id"
               66                             # text(6)
                  383937393233                # "897923"
               64                             # text(4)
                  6E616D65                    # "name"
               71                             # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6F                                # text(15)
               52656C617465644163746976697479 # "RelatedActivity"
            81                                # array(1)
               A2                             # map(2)
                  6B                          # text(11)
                     5468726561744163746F72   # "ThreatActor"
                  81                          # array(1)
                     A2                       # map(2)
                        6D                    # text(13)
                           5468726561744163746F724944  # "ThreatActorID"
                        81                    # array(1)
                           78 1A              # text(26)
                              54412D31322D414747524553534956452D425554544552464C59
                                              # "TA-12-AGGRESSIVE-BUTTERFLY"
                        6B                    # text(11)
                           4465736372697074696F6E  # "Description"
                        81                    # array(1)
                           74                 # text(20)
                              4167677265737369766520427574746572666C79
                                              # "Aggressive Butterfly"
                  68                          # text(8)
                     43616D706169676E         # "Campaign"
                  81                          # array(1)
                     A2                       # map(2)
                        6A                    # text(10)
                           43616D706169676E4944  # "CampaignID"
                        81                    # array(1)
                           6C                 # text(12)
                              432D323031352D3539343035  # "C-2015-59405"
                        6B                    # text(11)
                           4465736372697074696F6E  # "Description"
                        81                    # array(1)
                           6E                 # text(14)
                              4F72616E67652047697261666665  # "Orange Giraffe"
            6E                                # text(14)
               47656E65726174696F6E54696D65   # "GenerationTime"
            C0                                # tag(0)
               78 19                          # text(25)
                  323031352D31302D30325431313A31383A30302D30353A3030
                                              # "2015-10-02T11:18:00-05:00"
            6B                                # text(11)
               4465736372697074696F6E         # "Description"
            81                                # array(1)
               78 6F                          # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7273206F6620436
                  F6D70726F6D69736520666F7220746865204F72616E676520476972616666
                  652063616D706169676E206F6620746865204167677265737369766520427
                  574746572666C79206372696D652067616E672E
                                              # "Summarizes the Indicators of Compromise for the Orange
                                              #  Giraffe campaign of the Aggressive Butterfly crime gang."
1024 6A # text(10) 1025 4173736573736D656E74 # "Assessment" 1026 81 # array(1) 1027 A1 # map(1) 1028 66 # text(6) 1029 496D70616374 # "Impact" 1030 81 # array(1) 1031 A1 # map(1) 1032 6E # text(14) 1033 427573696E657373496D70616374 # "BusinessImpact" 1034 A1 # map(1) 1035 64 # text(4) 1036 74797065 # "type" 1037 72 # text(18) 1038 6272656163682D70726F7072696574617279 1039 # "breach-proprietary" 1040 67 # text(7) 1041 436F6E74616374 # "Contact" 1042 81 # array(1) 1043 A4 # map(4) 1044 64 # text(4) 1045 74797065 # "type" 1046 6C # text(12) 1047 6F7267616E697A6174696F6E # "organization" 1048 64 # text(4) 1049 726F6C65 # "role" 1050 67 # text(7) 1051 63726561746F72 # "creator" 1052 6B # text(11) 1053 436F6E746163744E616D65 # "ContactName" 1054 81 # array(1) 1055 75 # text(21) 1056 435349525420666F72206578616D706C652E636F6D 1057 # "CSIRT for example.com" 1058 65 # text(5) 1059 456D61696C # "Email" 1060 81 # array(1) 1061 A1 # map(1) 1062 67 # text(7) 1063 456D61696C546F # "EmailTo" 1065 78 19 # text(25) 1066 636F6E746163744063736972742E6578616D706C652E636F6D 1067 # "contact@csirt.example.com" 1068 69 # text(9) 1069 496E64696361746F72 # "Indicator" 1070 81 # array(1) 1071 A4 # map(4) 1072 6B # text(11) 1073 496E64696361746F724944 # "IndicatorID" 1074 A3 # map(3) 1075 62 # text(2) 1076 6964 # "id" 1077 69 # text(9) 1078 473930383233343930 # "G90823490" 1079 64 # text(4) 1080 6E616D65 # "name" 1081 71 # text(17) 1082 63736972742E6578616D706C652E636F6D 1083 # "csirt.example.com" 1084 67 # text(7) 1085 76657273696F6E # "version" 1086 61 # text(1) 1087 31 # "1" 1088 6B # text(11) 1089 4465736372697074696F6E # "Description" 1090 81 # array(1) 1091 6A # text(10) 1092 433220646F6D61696E73 # "C2 domains" 1093 69 # text(9) 1094 537461727454696D65 # "StartTime" 1095 C0 # tag(0) 1096 78 19 # text(25) 1097 323031342D31322D30325431313A31383A30302D30353A3030 1098 # "2014-12-02T11:18:00-05:00" 1099 6A # text(10) 1100 4F627365727661626C65 # "Observable" 1101 A1 # map(1) 1102 6E # 
text(14) 1103 42756C6B4F627365727661626C65 # "BulkObservable" 1104 A2 # map(2) 1105 64 # text(4) 1106 74797065 # "type" 1107 69 # text(9) 1108 697076362D61646472 # "ipv6-addr" 1109 72 # text(18) 1110 42756C6B4F627365727661626C654C697374 1111 # "BulkObservableList" 1112 78 1A # text(26) 1113 6B6A3239303032336A30397233342E6578616D706C652E636F6D 1114 # "kj290023j09r34.example.com" 1116 Figure 7: Indicators from a Campaign in CBOR 1118 5. The IODEF Data Model (CDDL) 1120 start = iodef 1122 ;;; iodef.json: IODEF-Document 1124 iodef = { 1125 version: text 1126 ? lang: lang 1127 ? format-id: text 1128 ? private-enum-name: text 1129 ? private-enum-id: text 1130 Incident: [+ Incident] 1131 ? AdditionalData: [+ ExtensionType] 1132 } 1134 duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / 1135 "year" / "ext-value" 1136 lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" 1138 restriction = "public" / "partner" / "need-to-know" / "private" / 1139 "default" / "white" / "green" / "amber" / "red" / 1140 "ext-value" 1141 SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" 1142 IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" 1143 IDREFType = IDtype 1144 URLtype = uri 1145 TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" 1146 PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*" 1147 action = "nothing" / "contact-source-site" / "contact-target-site" / 1148 "contact-sender" / "investigate" / "block-host" / 1149 "block-network" / "block-port" / "rate-limit-host" / 1150 "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / 1151 "honeypot" / "upgrade-software" / "rebuild-asset" / 1152 "harden-asset" / "remediate-other" / "status-triage" / 1153 "status-new-info" / "watch-and-report" / "training" / 1154 "defined-coa" / "other" / "ext-value" 1156 DATETIME = tdate 1158 BYTE = eb64legacy 1160 MLStringType = { 1161 value: text 1162 ? lang: lang 1163 ? 
     translation-id: text
   } / text

   PositiveFloatType = float32 .gt 0

   PAddressType = MLStringType

   ExtensionType = {
     value: text
     ? name: text
     dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
            "ntpstamp" / "integer" / "portlist" / "real" / "string" /
            "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
            "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
            .default "string"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
   }

   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
              .default "string"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     GenerationTime: DATETIME
     ? Description: [+ MLStringType]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ? AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ URLtype]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ContactName: [+ MLStringType]
     ? ContactTitle: [+ MLStringType]
     ? Description: [+ MLStringType]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: TimeZonetype
     ? Contact: [+ Contact]
     ? AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
               "afrinic" / "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: "street" / "mailing" / "ext-value"
     ? ext-type: text
     PAddress: PAddressType
     ? Description: [+ MLStringType]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ? ext-type: text
     EmailTo: text
     ? Description: [+ MLStringType]
   }

   Telephone = {
     ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
     ? ext-type: text
     TelephoneNumber: text
     ? Description: [+ MLStringType]
   }

   Discovery = {
     ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
               "incident" / "os-log" / "application-log" / "device-log" /
               "network-flow" / "passive-dns" / "investigation" / "audit" /
               "internal-notification" / "external-notification" /
               "leo" / "partner" / "actor" / "unknown" / "ext-value"
     ? ext-source: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Description: [+ MLStringType]
     ? Contact: [+ Contact]
     ? DetectionPattern: [+ DetectionPattern]
   }

   DetectionPattern = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
     Application: SoftwareType
   }

   Method = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Reference: [+ Reference]
     ? Description: [+ MLStringType]
     ? AttackPattern: [+ StructuredInfo]
     ? Vulnerability: [+ StructuredInfo]
     ? Weakness: [+ StructuredInfo]
     ? AdditionalData: [+ ExtensionType]
   }

   StructuredInfo = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? (RawData: [+ BYTE] // Reference: [+ Reference])
     ? Platform: [+ Platform]
     ? Scoring: [+ Scoring]
   }

   Platform = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Scoring = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Reference = {
     ? observable-id: IDtype
     ? ReferenceName: ReferenceName
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   ReferenceName = {
     specIndex: integer
     ID: IDtype
   }

   Assessment = {
     ? occurrence: "actual" / "potential"
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? IncidentCategory: [+ MLStringType]
     Impact: [+ {SystemImpact: SystemImpact} /
                {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
                {MonetaryImpact: MonetaryImpact} /
                {IntendedImpact: BusinessImpact}]
     ? Counter: [+ Counter]
     ? MitigatingFactor: [+ MLStringType]
     ? Cause: [+ MLStringType]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   SystemImpact = {
     ? severity: "low" / "medium" / "high"
     ? completion: "failed" / "succeeded"
     type: "takeover-account" / "takeover-service" / "takeover-system" /
           "cps-manipulation" / "cps-damage" / "availability-data" /
           "availability-account" / "availability-service" /
           "availability-system" / "damaged-system" / "damaged-data" /
           "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "breach-configuration" / "integrity-data" /
           "integrity-configuration" / "integrity-hardware" /
           "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
           "policy" / "unknown" / "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   BusinessImpact = {
     ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
                 .default "unknown"
     ? ext-severity: text
     type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "loss-of-integrity" / "loss-of-service" / "theft-financial" /
           "theft-service" / "degraded-reputation" / "asset-damage" /
           "asset-manipulation" / "legal" / "extortion" / "unknown" /
           "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   TimeImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     metric: "labor" / "elapsed" / "downtime" / "ext-value"
     ? ext-metric: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   MonetaryImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     ? currency: text
   }

   Confidence = {
     value: float32
     rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
     ? ext-rating: text
   }

   History = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     HistoryItem: [+ HistoryItem]
   }

   HistoryItem = {
     action: action .default "other"
     ? ext-action: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     DateTime: DATETIME
     ? IncidentID: IncidentID
     ? Contact: Contact
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   EventData = {
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     ? Contact: [+ Contact]
     ? Discovery: [+ Discovery]
     ? Assessment: Assessment
     ? Method: [+ Method]
     ? System: [+ System]
     ? Expectation: [+ Expectation]
     ? RecordData: [+ RecordData]
     ? EventData: [+ EventData]
     ? AdditionalData: [+ ExtensionType]
   }

   Expectation = {
     ? action: action .default "other"
     ? ext-action: text
     ? severity: "low" / "medium" / "high"
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Contact: Contact
   }

   System = {
     ? category: "source" / "target" / "intermediate" / "sensor" /
                 "infrastructure" / "ext-value"
     ? ext-category: text
     ? interface: text
     ? spoofed: "unknown" / "yes" / "no" .default "unknown"
     ? virtual: "yes" / "no" / "unknown" .default "unknown"
     ? ownership: "organization" / "personal" / "partner" / "customer" /
                  "no-relationship" / "unknown" / "ext-value"
     ? ext-ownership: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Node: Node
     ? NodeRole: [+ NodeRole]
     ? Service: [+ Service]
     ? OperatingSystem: [+ SoftwareType]
     ? Counter: [+ Counter]
     ? AssetID: [+ text]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Node = {
     (DomainData: [+ DomainData]
      ? Address: [+ Address] //
      ? DomainData: [+ DomainData]
      Address: [+ Address])
     ? PostalAddress: PostalAddress
     ? Location: [+ MLStringType]
     ? Counter: [+ Counter]
   }

   Address = {
     value: text
     category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
               "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
               "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
               "ext-value" .default "ipv6-addr"
     ? ext-category: text
     ? vlan-name: text
     ? vlan-num: integer
     ? observable-id: IDtype
   }

   NodeRole = {
     category: "client" / "client-enterprise" / "client-partner" /
               "client-remote" / "client-kiosk" / "client-mobile" /
               "server-internal" / "server-public" / "www" / "mail" /
               "webmail" / "messaging" / "streaming" / "voice" / "file" /
               "ftp" / "p2p" / "name" / "directory" / "credential" /
               "print" / "application" / "database" / "backup" / "dhcp" /
               "assessment" / "source-control" / "config-management" /
               "monitoring" / "infra" / "infra-firewall" / "infra-router" /
               "infra-switch" / "camera" / "proxy" / "remote-access" /
               "log" / "virtualization" / "pos" / "scada" /
               "scada-supervisory" / "sinkhole" / "honeypot" /
               "anonymization" / "c2-server" / "malware-distribution" /
               "drop-server" / "hop-point" / "reflector" /
               "phishing-site" / "spear-phishing-site" / "recruiting-site" /
               "fraudulent-site" / "ext-value"
     ? ext-category: text
     ? Description: [+ MLStringType]
   }

   Counter = {
     value: float32
     type: "count" / "peak" / "average" / "ext-value"
     ? ext-type: text
     unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
           "message" / "event" / "host" / "site" / "organization" /
           "ext-value"
     ? ext-unit: text
     ? meaning: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   DomainData = {
     system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
                    "innocent-hijacked" / "unknown" / "ext-value"
     ? ext-system-status: text
     domain-status: "reservedDelegation" / "assignedAndActive" /
                    "assignedAndInactive" / "assignedAndOnHold" /
                    "revoked" / "transferPending" / "registryLock" /
                    "registrarLock" / "other" / "unknown" / "ext-value"
     ? ext-domain-status: text
     ? observable-id: IDtype
     Name: text
     ? DateDomainWasChecked: DATETIME
     ? RegistrationDate: DATETIME
     ? ExpirationDate: DATETIME
     ? RelatedDNS: [+ ExtensionType]
     ? NameServers: [+ NameServers]
     ? DomainContacts: DomainContacts
   }

   NameServers = {
     Server: text
     Address: [+ Address]
   }

   DomainContacts = {
     (SameDomainContact: text // Contact: [+ Contact])
   }

   Service = {
     ? ip-protocol: integer
     ? observable-id: IDtype
     ? ServiceName: ServiceName
     ? Port: integer
     ? Portlist: PortlistType
     ? ProtoCode: integer
     ? ProtoType: integer
     ? ProtoField: integer
     ? ApplicationHeaderField: [+ ExtensionType]
     ? EmailData: EmailData
     ? Application: SoftwareType
   }

   ServiceName = {
     ? IANAService: text
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   EmailData = {
     ? observable-id: IDtype
     ? EmailTo: [+ text]
     ? EmailFrom: text
     ? EmailSubject: text
     ? EmailX-Mailer: text
     ? EmailHeaderField: [+ ExtensionType]
     ? EmailHeaders: text
     ? EmailBody: text
     ? EmailMessage: text
     ? HashData: [+ HashData]
     ? Signature: [+ BYTE]
   }

   RecordData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? DateTime: DATETIME
     ? Description: [+ MLStringType]
     ? Application: SoftwareType
     ? RecordPattern: [+ RecordPattern]
     ? RecordItem: [+ ExtensionType]
     ? URL: [+ URLtype]
     ? FileData: [+ FileData]
     ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
     ? CertificateData: [+ CertificateData]
     ? AdditionalData: [+ ExtensionType]
   }

   RecordPattern = {
     value: text
     type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
     ? ext-type: text
     ? offset: integer
     ? offsetunit: "line" / "byte" / "ext-value" .default "line"
     ? ext-offsetunit: text
     ? instance: integer
   }

   WindowsRegistryKeysModified = {
     ? observable-id: IDtype
     Key: [+ Key]
   }

   Key = {
     ? registryaction: "add-key" / "add-value" / "delete-key" /
                       "delete-value" / "modify-key" / "modify-value" /
                       "ext-value"
     ? ext-registryaction: text
     ? observable-id: IDtype
     KeyName: text
     ? KeyValue: text
   }

   CertificateData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Certificate: [+ Certificate]
   }

   Certificate = {
     ? observable-id: IDtype
     X509Data: BYTE
     ? Description: [+ MLStringType]
   }

   FileData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     File: [+ File]
   }

   File = {
     ? observable-id: IDtype
     ? FileName: text
     ? FileSize: integer
     ? FileType: text
     ? URL: [+ URLtype]
     ? HashData: HashData
     ? Signature: [+ BYTE]
     ? AssociatedSoftware: SoftwareType
     ? FileProperties: [+ ExtensionType]
   }

   HashData = {
     scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
            "file-pe-resource" / "file-pdf-object" / "email-hash" /
            "email-headers-hash" / "email-body-hash" / "ext-value"
     ? HashTargetID: text
     ? Hash: [+ Hash]
     ? FuzzyHash: [+ FuzzyHash]
   }

   Hash = {
     DigestMethod: BYTE
     DigestValue: BYTE
     ? CanonicalizationMethod: BYTE
     ? Application: SoftwareType
   }

   FuzzyHash = {
     FuzzyHashValue: [+ ExtensionType]
     ? Application: SoftwareType
     ? AdditionalData: [+ ExtensionType]
   }

   Indicator = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: IndicatorID
     ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
     ? Description: [+ MLStringType]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Confidence: Confidence
     ? Contact: [+ Contact]
     (Observable: Observable // uid-ref: IDREFType //
      IndicatorExpression: IndicatorExpression //
      IndicatorReference: IndicatorReference)
     ? NodeRole: [+ NodeRole]
     ? AttackPhase: [+ AttackPhase]
     ? Reference: [+ Reference]
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorID = {
     id: IDtype
     name: text
     version: text
   }

   AlternativeIndicatorID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: [+ IndicatorID]
   }

   Observable = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? (System: System // Address: Address // DomainData: DomainData //
        EmailData: EmailData // Service: Service //
        WindowsRegistryKeysModified: WindowsRegistryKeysModified //
        FileData: FileData // CertificateData: CertificateData //
        RegistryHandle: RegistryHandle // RecordData: RecordData //
        EventData: EventData // Incident: Incident //
        Expectation: Expectation // Reference: Reference //
        Assessment: Assessment // DetectionPattern: DetectionPattern //
        HistoryItem: HistoryItem // BulkObservable: BulkObservable //
        AdditionalData: [+ ExtensionType])
   }

   BulkObservable = {
     ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
             "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
             "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
             "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
             "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
             "windows-reg-key" / "file-hash" / "email-x-mailer" /
             "email-subject" / "http-user-agent" / "http-request-uri" /
             "mutex" / "file-path" / "user-name" / "ext-value"
     ? ext-type: text
     ? BulkObservableFormat: BulkObservableFormat
     BulkObservableList: text
     ? AdditionalData: [+ ExtensionType]
   }

   BulkObservableFormat = {
     (Hash: Hash // AdditionalData: [+ ExtensionType])
   }

   IndicatorExpression = {
     ? operator: "not" / "and" / "or" / "xor" .default "and"
     ? ext-operator: text
     ? IndicatorExpression: [+ IndicatorExpression]
     ? Observable: [+ Observable]
     ? uid-ref: [+ IDREFType]
     ? IndicatorReference: [+ IndicatorReference]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorReference = {
     (uid-ref: IDREFType // euid-ref: text)
     ? version: text
   }

   AttackPhase = {
     ? AttackPhaseID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

                       Figure 8: Data Model in CDDL

6.  IANA Considerations

   This document registers an IODEF data model in CDDL.  See Section 5.

7.  Security Considerations

   This memo does not provide any further security considerations than
   those described in [RFC7970].

8.  Acknowledgements

   We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
   Morita, and Takahiko Nagata for their insightful comments on CDDL.

9.  References

9.1.  Normative References

   [cddlspec] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express CBOR and JSON Data Structures", 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7203]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, DOI 10.17487/RFC7203, April 2014.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

9.2.  Informative References

   [jsonschema]
              Galiegue, F., Zyp, K., and G. Court, "JSON Schema: core
              definitions and terminology", 2013.

Appendix A.  Data Types used in this document

   The CDDL prelude types used in this document are mapped to JSON as
   shown in the table below.

   +--------------+-------------+----------+-----------------+
   | CDDL Prelude | Use of JSON | Instance | Validation      |
   +--------------+-------------+----------+-----------------+
   | bytes        | n/a         | string   | tool available  |
   | text         | string      | string   | unnecessary     |
   | tdate        | n/a         | string   | 7.3.1 date-time |
   | integer      | n/a         | number   | integer         |
   | eb64legacy   | n/a         | string   | tool available  |
   | uri          | n/a         | string   | 7.3.6 uri       |
   | float32      | float32     | number   | unnecessary     |
   +--------------+-------------+----------+-----------------+

                  Figure 9: CDDL Prelude mapping in JSON

Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema that defines the IODEF Data Model
   defined in this draft.
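   The following Python program is an added example, not code from this
   draft or from its authors.  It implements the handful of CBOR
   constructs the binding actually uses (text strings, arrays, maps and
   tag 0 for DATETIME members, as the prelude table above maps them) and
   shows that encoding the JSON of Figure 4 in member order reproduces
   the bytes of Figure 5.  The decoder is strict in the ways a receiver
   of untrusted incident reports should be: it rejects truncated input,
   trailing bytes, indefinite-length items and duplicate map keys.
   DATETIME_KEYS is this example's own list of the members typed
   DATETIME in the CDDL; FIGURE_5_HEX is copied from Figure 5.

```python
"""Strict CBOR codec for the subset used by the IODEF CBOR/JSON binding.

Added example; not code from draft-ietf-mile-jsoniodef. Covers text
strings, arrays, maps and tag 0 (tdate): enough to turn Figure 4 into
Figure 5 byte for byte. Integer and float32 members are out of scope.
"""

# Members typed DATETIME (tdate, CBOR tag 0) in the CDDL of Section 5.
DATETIME_KEYS = frozenset({
    "DetectTime", "StartTime", "EndTime", "RecoveryTime", "ReportTime",
    "GenerationTime", "DateTime", "DateDomainWasChecked",
    "RegistrationDate", "ExpirationDate"})


class Tdate(str):
    """A text string that carried CBOR tag 0 on the wire."""


def _head(major, n):
    """Initial byte plus argument bytes for major type `major`, value `n`."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def encode(obj, key=None):
    """Encode a JSON-style value; strings under DATETIME keys get tag 0."""
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        item = _head(3, len(data)) + data
        return b"\xc0" + item if key in DATETIME_KEYS else item
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(v, key) for v in obj)
    if isinstance(obj, dict):  # insertion order is the wire order
        return _head(5, len(obj)) + b"".join(
            encode(k) + encode(v, k) for k, v in obj.items())
    raise TypeError(f"unsupported value: {obj!r}")


def decode(buf):
    """Decode exactly one item from `buf`; anything left over is an error."""
    item, end = _item(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after the top-level item")
    return item


def _item(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated: no initial byte")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated: argument")
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length or reserved additional info")
    if major == 3:
        if pos + arg > len(buf):
            raise ValueError("truncated: text string")
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            v, pos = _item(buf, pos)
            items.append(v)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(arg):
            k, pos = _item(buf, pos)
            v, pos = _item(buf, pos)
            if not isinstance(k, str) or k in m:
                raise ValueError(f"non-text or duplicate map key: {k!r}")
            m[k] = v
        return m, pos
    if major == 6 and arg == 0:
        v, pos = _item(buf, pos)
        if not isinstance(v, str):
            raise ValueError("tag 0 must wrap a text string")
        return Tdate(v), pos
    raise ValueError(f"unsupported major type {major} (argument {arg})")


# Constructed from Figure 4; member order matters for byte equality.
MINIMAL = {
    "version": "2.0", "lang": "en",
    "Incident": [{
        "purpose": "reporting", "restriction": "private",
        "IncidentID": {"id": "492382", "name": "csirt.example.com"},
        "GenerationTime": "2015-07-18T09:00:00-05:00",
        "Contact": [{"type": "organization", "role": "creator",
                     "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}

# Figure 5 of the draft with the annotations removed.
FIGURE_5_HEX = (
    "A3 67 76657273696F6E 63 322E30 64 6C616E67 62 656E 68 496E636964656E74"
    " 81 A5 67 707572706F7365 69 7265706F7274696E67 6B 7265737472696374696F6E"
    " 67 70726976617465 6A 496E636964656E744944 A2 62 6964 66 343932333832"
    " 64 6E616D65 71 63736972742E6578616D706C652E636F6D"
    " 6E 47656E65726174696F6E54696D65 C0 7819"
    " 323031352D30372D31385430393A30303A30302D30353A3030"
    " 67 436F6E74616374 81 A3 64 74797065 6C 6F7267616E697A6174696F6E"
    " 64 726F6C65 67 63726561746F72 65 456D61696C 81 A1 67 456D61696C546F"
    " 7819 636F6E746163744063736972742E6578616D706C652E636F6D")


def matches_figure_5():
    """True if encoding Figure 4 yields exactly the bytes of Figure 5."""
    return encode(MINIMAL) == bytes.fromhex(FIGURE_5_HEX)
```

   decode(encode(MINIMAL)) returns a structure equal to the JSON input,
   with GenerationTime coming back as a Tdate so that a caller can tell
   a tagged date from an untagged string that merely looks like one.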
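   Another added example, again not part of the draft: structural checks
   for an IODEF JSON document written directly from the CDDL of
   Section 5 and the prelude mapping of Appendix A.  It applies the CDDL
   default for restriction, accepts both forms of MLStringType, and
   checks tdate members as RFC 3339 date-times.  Every pattern is tested
   with re.fullmatch, because a CDDL .regexp must match the whole string
   whereas a JSON Schema "pattern" is an unanchored search: a pattern
   copied verbatim from the CDDL into a schema, without ^ and $, accepts
   "1bad" as an IDtype and "Zebra" as a TimeZonetype.  MINIMAL is taken
   from Figure 4; BROKEN is a constructed variant with three defects.

```python
"""Structural checks for an IODEF CBOR/JSON document (added example, not
part of draft-ietf-mile-jsoniodef). Patterns and enums come from the CDDL
of Section 5; every pattern is anchored with re.fullmatch as CDDL .regexp
requires, unlike an unanchored JSON Schema "pattern"."""
import re
from datetime import datetime

# Patterns copied from the CDDL (backslash escaping unwrapped).
IDTYPE = r"[a-zA-Z_][a-zA-Z0-9_.-]*"
LANG = r"(?:[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*)?"   # "" / text .regexp ...
TIMEZONE = r"Z|[+\-](0[0-9]|1[0-4]):[0-5][0-9]"
PORTLIST = r"\d+(-\d+)?(,\d+(-\d+)?)*"

PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
RESTRICTION = {"public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"}
CONTACT_TYPE = {"person", "organization", "ext-value"}


def cddl_regexp_accepts(pattern, value):
    """CDDL .regexp semantics: the whole string must match."""
    return isinstance(value, str) and re.fullmatch(pattern, value) is not None


def json_schema_pattern_accepts(pattern, value):
    """JSON Schema 'pattern' semantics: a match anywhere in the string."""
    return isinstance(value, str) and re.search(pattern, value) is not None


def is_datetime(value):
    """tdate: an RFC 3339 date-time carrying a numeric offset or 'Z'."""
    if not isinstance(value, str) or "T" not in value:
        return False
    suffix = "Z" if value.endswith("Z") else value[-6:]
    if not cddl_regexp_accepts(TIMEZONE, suffix):
        return False
    try:  # fromisoformat accepts +HH:MM offsets; normalise a trailing Z
        datetime.fromisoformat(value[:-1] + "+00:00" if suffix == "Z" else value)
    except ValueError:
        return False
    return True


def ml_string(value):
    """MLStringType: plain text or {value, ?lang, ?translation-id}.
    Returns (text, lang); raises ValueError for anything else."""
    if isinstance(value, str):
        return value, None
    if (isinstance(value, dict) and isinstance(value.get("value"), str)
            and set(value) <= {"value", "lang", "translation-id"}
            and ("lang" not in value or cddl_regexp_accepts(LANG, value["lang"]))):
        return value["value"], value.get("lang")
    raise ValueError(f"not an MLStringType: {value!r}")


def validate(doc):
    """Return the list of problems found; an empty list means all checks passed."""
    problems = []
    if not isinstance(doc.get("version"), str):
        problems.append("iodef.version is mandatory")
    if "lang" in doc and not cddl_regexp_accepts(LANG, doc["lang"]):
        problems.append("iodef.lang is not a language tag")
    incidents = doc.get("Incident")
    if not isinstance(incidents, list) or not incidents:
        return problems + ["iodef.Incident must be a non-empty array"]
    for i, inc in enumerate(incidents):
        at = f"Incident[{i}]"
        if inc.get("purpose") not in PURPOSE:
            problems.append(f"{at}.purpose is mandatory and must be an enum value")
        if inc.get("restriction", "private") not in RESTRICTION:  # CDDL default
            problems.append(f"{at}.restriction is not a restriction value")
        iid = inc.get("IncidentID")
        if not (isinstance(iid, dict) and isinstance(iid.get("id"), str)
                and isinstance(iid.get("name"), str)):
            problems.append(f"{at}.IncidentID needs string id and name")
        if not is_datetime(inc.get("GenerationTime")):
            problems.append(f"{at}.GenerationTime is not an RFC 3339 date-time")
        if "observable-id" in inc and not cddl_regexp_accepts(IDTYPE, inc["observable-id"]):
            problems.append(f"{at}.observable-id is not an IDtype")
        contacts = inc.get("Contact")
        if not isinstance(contacts, list) or not contacts:
            problems.append(f"{at}.Contact must be a non-empty array")
        else:
            for j, c in enumerate(contacts):
                if c.get("type") not in CONTACT_TYPE or not isinstance(c.get("role"), str):
                    problems.append(f"{at}.Contact[{j}] needs type and role")
        for d in inc.get("Description", []):
            try:
                ml_string(d)
            except ValueError as err:
                problems.append(f"{at}.Description: {err}")
    return problems


# Constructed from Figure 4 (the minimal example of Section 4.1).
MINIMAL = {
    "version": "2.0", "lang": "en",
    "Incident": [{
        "purpose": "reporting", "restriction": "private",
        "IncidentID": {"id": "492382", "name": "csirt.example.com"},
        "GenerationTime": "2015-07-18T09:00:00-05:00",
        "Contact": [{"type": "organization", "role": "creator",
                     "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}

# Constructed variant with three defects a schema check must catch.
BROKEN = {
    "version": "2.0",
    "Incident": [{
        "purpose": "reprting",                 # typo: not in the enum
        "restriction": "secret",               # not a restriction value
        "IncidentID": {"id": "492382", "name": "csirt.example.com"},
        "GenerationTime": "2015-07-18",        # a date, not a date-time
        "Contact": [{"type": "organization", "role": "creator"}],
        "Description": [{"value": "Muster", "lang": "de"}, "plain text"]}]}
```

   The two *_accepts helpers exist only to make the anchoring difference
   visible; a schema that is meant to mirror the CDDL should wrap each
   pattern in ^ and $.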
   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing", "contact-source-site",
         "contact-target-site", "contact-sender", "investigate",
         "block-host", "block-network", "block-port", "rate-limit-host",
         "rate-limit-network", "rate-limit-port", "redirect-traffic",
         "honeypot", "upgrade-software", "rebuild-asset", "harden-asset",
         "remediate-other", "status-triage", "status-new-info",
         "watch-and-report", "training", "defined-coa", "other",
         "ext-value"]},
       "duration": {"enum": ["second", "minute", "hour", "day", "month",
         "quarter", "year", "ext-value"]},
       "SpecID": {
         "enum": ["urn:ietf:params:xml:ns:mile:mmdef:1.2", "private"]},
       "lang": {
         "type": "string", "pattern": "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback", "mitigation", "reporting", "watch",
         "other", "ext-value"]},
       "restriction": {"enum": ["public", "partner", "need-to-know", "private",
         "default", "white", "green", "amber", "red", "ext-value"]},
       "status": {"enum": ["new", "in-progress", "forwarded", "resolved",
         "future", "ext-value"]},
       "DATETIME": {"type": "string", "format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string", "pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
       "TimeZonetype": {
         "type": "string", "pattern": "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string", "pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
           {"type": "object",
            "properties": {
              "value": {"type": "string"},
              "lang": {"$ref": "#/definitions/lang"},
              "translation-id": {"type": "string"}},
            "required": ["value"],
            "additionalProperties": false}]},
       "PositiveFloatType": {
         "type": "number", "minimum": 0, "exclusiveMinimum": true},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean", "byte", "bytes", "character", "json",
             "date-time", "ntpstamp", "integer", "portlist", "real", "string",
             "file", "path", "frame", "packet", "ipv4-packet", "ipv6-packet",
             "url", "csv", "winreg", "xml", "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction", "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value", "dtype"],
         "additionalProperties": false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom", "cpe", "swid", "ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes", "integer", "real", "string", "xml",
             "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Platform": {
             "type": "array",
             "items": {"$ref": "#/definitions/Platform"},
             "minItems": 1},
           "Scoring": {
             "type": "array",
             "items": {"$ref": "#/definitions/Scoring"},
             "minItems": 1}},
         "allOf": [
           {"required": ["SpecID"]},
           {"anyOf": [
             {"oneOf": [
               {"required": ["Reference"]},
               {"required": ["RawData"]}]},
             {"not": {"required": ["Reference", "RawData"]}}]}],
         "additionalProperties": false},
       "Platform": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Scoring": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status":
{"type": "string"}, 2080 "lang": {"$ref": "#/definitions/lang"}, 2081 "restriction": {"$ref": "#/definitions/restriction", 2082 "default": "private"}, 2083 "ext-restriction": {"type": "string"}, 2084 "observable-id": {"$ref": "#/definitions/IDtype"}, 2085 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 2086 "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, 2087 "RelatedActivity": { 2088 "type": "array", 2089 "items": {"$ref": "#/definitions/RelatedActivity"}, 2090 "minItems": 1}, 2091 "DetectTime": {"$ref": "#/definitions/DATETIME"}, 2092 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2093 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2094 "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 2095 "ReportTime": {"$ref": "#/definitions/DATETIME"}, 2096 "GenerationTime": {"$ref": "#/definitions/DATETIME"}, 2097 "Description": { 2098 "type": "array", 2099 "items": {"$ref": "#/definitions/MLStringType"}, 2100 "minItems": 1}, 2101 "Discovery": { 2102 "type": "array", 2103 "items": {"$ref": "#/definitions/Discovery"}, 2104 "minItems": 1}, 2105 "Assessment": { 2106 "type": "array", 2107 "items": {"$ref": "#/definitions/Assessment"}, 2108 "minItems": 1}, 2109 "Method": { 2110 "type": "array", 2111 "items": {"$ref": "#/definitions/Method"}, 2112 "minItems": 1}, 2113 "Contact": { 2114 "type": "array", 2115 "items": {"$ref": "#/definitions/Contact"}, 2116 "minItems": 1}, 2117 "EventData": { 2118 "type": "array", 2119 "items": {"$ref": "#/definitions/EventData"}, 2120 "minItems": 1}, 2121 "Indicator": { 2122 "type": "array", 2123 "items": {"$ref": "#/definitions/Indicator"}, 2124 "minItems": 1}, 2125 "History": {"$ref": "#/definitions/History"}, 2126 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2127 "required": ["IncidentID","GenerationTime","Contact","purpose"], 2128 "additionalProperties": false}, 2129 "IncidentID": { 2130 "title": "IncidentID", 2131 "description": "JSON schema for IncidentID class", 2132 "type": "object", 2133 "properties": { 
2134 "id": {"type": "string"}, 2135 "name": {"type": "string"}, 2136 "instance": {"type": "string"}, 2137 "restriction": {"$ref": "#/definitions/restriction", 2138 "default": "private"}, 2139 "ext-restriction": {"type": "string"}}, 2140 "required": ["id","name"], 2141 "additionalProperties": false}, 2142 "AlternativeID": { 2143 "title": "AlternativeID", 2144 "description": "JSON schema for AlternativeID class", 2145 "type": "object", 2146 "properties": { 2147 "IncidentID": { 2148 "type": "array", 2149 "items":{"$ref": "#/definitions/IncidentID"}, 2150 "minItems": 1}, 2151 "restriction": {"$ref": "#/definitions/restriction", 2152 "default": "private"}, 2153 "ext-restriction": {"type": "string"}}, 2154 "required": ["IncidentID"], 2155 "additionalProperties": false}, 2156 "RelatedActivity": { 2157 "properties": { 2158 "restriction": {"$ref": "#/definitions/restriction", 2159 "default": "private"}, 2160 "ext-restriction": {"type": "string"}, 2161 "IncidentID": { 2162 "type": "array", 2163 "items": {"$ref": "#/definitions/IncidentID"}, 2164 "minItems": 1}, 2165 "URL": { 2166 "type": "array", 2167 "items": {"$ref": "#/definitions/URLtype"}, 2168 "minItems": 1}, 2169 "ThreatActor": { 2170 "type": "array", 2171 "items": {"$ref": "#/definitions/ThreatActor"}, 2172 "minItems": 1}, 2173 "Campaign": { 2174 "type": "array", 2175 "items": {"$ref": "#/definitions/Campaign"}, 2176 "minItems": 1}, 2177 "IndicatorID": { 2178 "type": "array", 2179 "items": {"$ref": "#/definitions/IndicatorID"}, 2180 "minItems": 1}, 2181 "Confidence": {"$ref": "#/definitions/Confidence"}, 2182 "Description": { 2183 "type": "array", 2184 "items": {"type": "string"}, 2185 "minItems": 1}, 2186 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2187 "additionalProperties": false}, 2188 "ThreatActor": { 2189 "properties": { 2190 "restriction": {"$ref": "#/definitions/restriction", 2191 "default": "private"}, 2192 "ext-restriction": {"type": "string"}, 2193 "ThreatActorID": { 2194 "type": 
"array", 2195 "items": {"type": "string"}, 2196 "minItems": 1}, 2197 "Description": { 2198 "type": "array", 2199 "items": {"$ref": "#/definitions/MLStringType"}, 2200 "minItems": 1}, 2201 "URL": { 2202 "type":"array", 2203 "items":{"$ref":"#/definitions/URLtype"}, 2204 "minItems": 1}, 2205 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2206 "additionalProperties": false}, 2207 "Campaign": { 2208 "properties": { 2209 "restriction": {"$ref": "#/definitions/restriction", 2210 "default": "private"}, 2211 "ext-restriction": {"type": "string"}, 2212 "CampaignID": { 2213 "type": "array", 2214 "items": {"type": "string"}, 2215 "minItems": 1}, 2216 "URL": { 2217 "type":"array", 2218 "items":{"$ref":"#/definitions/URLtype"}, 2219 "minItems": 1}, 2220 "Description": { 2221 "type": "array", 2222 "items": {"$ref": "#/definitions/MLStringType"}, 2223 "minItems": 1}, 2224 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, 2225 "Contact": { 2226 "type": "object", 2227 "properties": { 2228 "role": { 2229 "enum":["creator","reporter","admin","tech","provider","user", 2230 "billing","legal","irt","abuse","cc","cc-irt","leo", 2231 "vendor","vendor-support","victim","victim-notified", 2232 "ext-value"]}, 2233 "ext-role": {"type": "string"}, 2234 "type": {"enum": ["person","organization","ext-value"]}, 2235 "ext-type": {"type": "string"}, 2236 "restriction": {"$ref": "#/definitions/restriction", 2237 "default": "private"}, 2238 "ext-restriction": {"type": "string"}, 2239 "ContactName": { 2240 "type": "array", 2241 "items": {"$ref": "#/definitions/MLStringType"}, 2242 "minItems": 1}, 2243 "ContactTitle": { 2244 "type": "array", 2245 "items": {"$ref": "#/definitions/MLStringType"}, 2246 "minItems": 1}, 2247 "Description": { 2248 "type": "array", 2249 "items": {"$ref": "#/definitions/MLStringType"}, 2250 "minItems": 1}, 2251 "RegistryHandle": { 2252 "type":"array", 2253 "items":{"$ref":"#/definitions/RegistryHandle"}, 2254 "minItems": 1}, 2255 "PostalAddress": 
{ 2256 "type":"array", 2257 "items":{"$ref":"#/definitions/PostalAddress"}, 2258 "minItems": 1}, 2259 "Email": { 2260 "type": "array", 2261 "items": {"$ref": "#/definitions/Email"}, 2262 "minItems": 1}, 2263 "Telephone": { 2264 "type": "array", 2265 "items": {"$ref": "#/definitions/Telephone"}, 2266 "minItems": 1}, 2267 "Timezone": {"$ref": "#/definitions/TimeZonetype"}, 2268 "Contact": { 2269 "type": "array", 2270 "items": {"$ref": "#/definitions/Contact"}, 2271 "minItems": 1}, 2272 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2273 "required": ["role","type"], 2274 "additionalProperties": false}, 2275 "RegistryHandle": { 2276 "type": "object", 2277 "properties": { 2278 "handle": {"type": "string"}, 2279 "registry": { 2280 "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", 2281 "local","ext-value"]}, 2282 "ext-registry": {"type": "string"}}, 2283 "required": ["handle","registry"], 2284 "additionalProperties": false}, 2285 "PostalAddress": { 2286 "type": "object", 2287 "properties": { 2288 "type": { 2289 "enum": ["street","mailing","ext-value"]}, 2290 "ext-type": {"type": "string"}, 2291 "PAddress": {"$ref": "#/definitions/PAddressType"}, 2292 "Description": { 2293 "type": "array", 2294 "items": {"$ref": "#/definitions/MLStringType"}, 2295 "minItems": 1}}, 2296 "required": ["PAddress"], 2297 "additionalProperties": false}, 2298 "Email": { 2299 "type": "object", 2300 "properties": { 2301 "type": { 2302 "enum":["direct","hotline","ext-value"]}, 2303 "ext-type": {"type": "string"}, 2304 "EmailTo": {"type": "string"}, 2305 "Description": { 2306 "type": "array", 2307 "items": {"$ref": "#/definitions/MLStringType"}, 2308 "minItems": 1}}, 2309 "required": ["EmailTo"], 2310 "additionalProperties": false}, 2311 "Telephone": { 2312 "type": "object", 2313 "properties": { 2314 "type": { 2315 "enum":["wired","mobile","fax","hotline","ext-value"]}, 2316 "ext-type": {"type": "string"}, 2317 "TelephoneNumber": {"type": "string"}, 2318 "Description": { 
2319 "type": "array", 2320 "items": {"$ref": "#/definitions/MLStringType"}, 2321 "minItems": 1}}, 2322 "required": ["TelephoneNumber"], 2323 "additionalProperties": false}, 2324 "Discovery": { 2325 "type": "object", 2326 "properties": { 2327 "source": { 2328 "enum":["nidps","hips","siem","av","third-party-monitoring", 2329 "incident","os-log","application-log","device-log", 2330 "network-flow","passive-dns","investigation","audit", 2331 "internal-notification","external-notification","leo", 2332 "partner","actor","unknown","ext-value"]}, 2333 "ext-source": {"type": "string"}, 2334 "restriction": {"$ref": "#/definitions/restriction", 2335 "default": "private"}, 2336 "ext-restriction": {"type": "string"}, 2337 "Description": { 2338 "type": "array", 2339 "items": {"$ref": "#/definitions/MLStringType"}, 2340 "minItems": 1}, 2341 "Contact": { 2342 "type": "array", 2343 "items": {"$ref": "#/definitions/Contact"}, 2344 "minItems": 1}, 2345 "DetectionPattern": { 2346 "type":"array", 2347 "items":{"$ref":"#/definitions/DetectionPattern"}, 2348 "minItems": 1}}, 2349 "required": [], 2350 "additionalProperties": false}, 2351 "DetectionPattern": { 2352 "type": "object", 2353 "properties": { 2354 "restriction": {"$ref": "#/definitions/restriction", 2355 "default": "private"}, 2356 "ext-restriction": {"type": "string"}, 2357 "observable-id": {"$ref": "#/definitions/IDtype"}, 2358 "Application": {"$ref": "#/definitions/SoftwareType"}, 2359 "Description": { 2360 "type": "array", 2361 "items": {"$ref": "#/definitions/MLStringType"}, 2362 "minItems": 1}, 2363 "DetectionConfiguration": { 2364 "type": "array", 2365 "items": {"type": "string"}, 2366 "minItems": 1}}, 2367 "allOf": [ 2368 {"required": ["Application"]}, 2369 {"oneOf": [ 2370 {"required":["Description"]}, 2371 {"required":["DetectionConfiguration"]}]}], 2372 "additionalProperties": false}, 2373 "Method": { 2374 "type": "object", 2375 "properties": { 2376 "restriction": {"$ref": "#/definitions/restriction", 2377 "default": 
"private"}, 2378 "ext-restriction": {"type": "string"}, 2379 "Reference": { 2380 "type": "array", 2381 "items": {"$ref": "#/definitions/Reference"}, 2382 "minItems": 1}, 2383 "Description": { 2384 "type": "array", 2385 "items": {"$ref": "#/definitions/MLStringType"}, 2386 "minItems": 1}, 2387 "AttackPattern": { 2388 "type":"array", 2389 "items":{"$ref":"#/definitions/StructuredInfo"}, 2390 "minItems": 1}, 2391 "Vulnerability": { 2392 "type":"array", 2393 "items":{"$ref":"#/definitions/StructuredInfo"}, 2394 "minItems": 1}, 2395 "Weakness": { 2396 "type":"array", 2397 "items":{"$ref":"#/definitions/StructuredInfo"}, 2398 "minItems": 1}, 2399 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2400 "required": [], 2401 "additionalProperties": false}, 2402 "Reference": { 2403 "type": "object", 2404 "properties": { 2405 "observable-id": {"$ref": "#/definitions/IDtype"}, 2406 "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, 2407 "URL":{ 2408 "type":"array", 2409 "items":{"$ref":"#/definitions/URLtype"}, 2410 "minItems": 1}, 2411 "Description": { 2412 "type": "array", 2413 "items": {"$ref": "#/definitions/MLStringType"}, 2414 "minItems": 1}}, 2415 "required": [], 2416 "additionalProperties": false}, 2417 "ReferenceName" : { 2418 "type": "object", 2419 "properties": { 2420 "specIndex": {"type": "number"}, 2421 "ID": {"$ref":"#/definitions/IDtype"}}, 2422 "required": ["specIndex","ID"], 2423 "additionalProperties": false}, 2424 "Assessment": { 2425 "type": "object", 2426 "properties": { 2427 "occurrence": {"enum":["actual","potential"]}, 2428 "restriction": {"$ref": "#/definitions/restriction", 2429 "default": "private"}, 2430 "ext-restriction": {"type": "string"}, 2431 "observable-id": {"$ref": "#/definitions/IDtype"}, 2432 "IncidentCategory": { 2433 "type": "array", 2434 "items": {"$ref": "#/definitions/MLStringType"}, 2435 "minItems": 1}, 2436 "Impact": { 2437 "type": "array", 2438 "items": { 2439 "properties": { 2440 
"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, 2441 "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, 2442 "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, 2443 "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, 2444 "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, 2445 "additionalProperties":false}, 2446 "minItems" : 1 2447 }, 2448 "Counter": { 2449 "type": "array", 2450 "items": {"$ref": "#/definitions/Counter"}, 2451 "minItems": 1}, 2452 "MitigatingFactor": { 2453 "type": "array", 2454 "items": {"$ref": "#/definitions/MLStringType"}, 2455 "minItems": 1}, 2456 "Cause": { 2457 "type": "array", 2458 "items": {"$ref": "#/definitions/MLStringType"}, 2459 "minItems": 1}, 2460 "Confidence": {"$ref": "#/definitions/Confidence"}, 2461 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2462 "required": ["Impact"], 2463 "additionalProperties": false}, 2464 "SystemImpact": { 2465 "type": "object", 2466 "properties": { 2467 "severity": {"enum":["low","medium","high"]}, 2468 "completion": {"enum":["failed","succeeded"]}, 2469 "type": { 2470 "enum":["takeover-account","takeover-service", 2471 "takeover-system","cps-manipulation","cps-damage", 2472 "availability-data","availability-account", 2473 "availability-service","availability-system", 2474 "damaged-system","damaged-data","breach-proprietary", 2475 "breach-privacy","breach-credential", 2476 "breach-configuration","integrity-data", 2477 "integrity-configuration","integrity-hardware", 2478 "traffic-redirection","monitoring-traffic", 2479 "monitoring-host","policy","unknown","ext-value"]}, 2480 "ext-type": {"type": "string"}, 2481 "Description": { 2482 "type": "array", 2483 "items": {"$ref": "#/definitions/MLStringType"}, 2484 "minItems": 1}}, 2485 "required": ["type"], 2486 "additionalProperties": false}, 2487 "BusinessImpact": { 2488 "type": "object", 2489 "properties": { 2490 "severity": {"enum":["none","low","medium","high","unknown", 2491 "ext-value"],"default": "unknown"}, 
2492 "ext-severity": {"type":"string"}, 2493 "type": {"enum":["breach-proprietary","breach-privacy", 2494 "breach-credential","loss-of-integrity","loss-of-service", 2495 "theft-financial","theft-service","degraded-reputation", 2496 "asset-damage","asset-manipulation","legal","extortion", 2497 "unknown","ext-value"]}, 2498 "ext-type": {"type": "string"}, 2499 "Description": { 2500 "type": "array", 2501 "items": {"$ref": "#/definitions/MLStringType"}, 2502 "minItems": 1}}, 2503 "required": ["type"], 2504 "additionalProperties": false}, 2505 "TimeImpact": { 2506 "type": "object", 2507 "properties": { 2508 "value": {"$ref": "#/definitions/PositiveFloatType"}, 2509 "severity": {"enum": ["low","medium","high"]}, 2510 "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, 2511 "ext-metric": {"type": "string"}, 2512 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 2513 "ext-duration": {"type": "string"}}, 2514 "required": ["value","metric"], 2515 "additionalProperties": false}, 2516 "MonetaryImpact": { 2517 "type": "object", 2518 "properties": { 2519 "value": {"$ref": "#/definitions/PositiveFloatType"}, 2520 "severity": {"enum":["low","medium","high"]}, 2521 "currency": {"type": "string"}}, 2522 "required": ["value"], 2523 "additionalProperties": false}, 2524 "Confidence": { 2525 "type": "object", 2526 "properties": { 2527 "value": {"type": "number"}, 2528 "rating": {"enum": ["low","medium","high","numeric","unknown", 2529 "ext-value"]}, 2530 "ext-rating": {"type":"string"}}, 2531 "required": ["value","rating"], 2532 "additionalProperties": false}, 2533 "History": { 2534 "type": "object", 2535 "properties": { 2536 "restriction": {"$ref": "#/definitions/restriction", 2537 "default": "private"}, 2538 "ext-restriction": {"type": "string"}, 2539 "HistoryItem": { 2540 "type": "array", 2541 "items": {"$ref": "#/definitions/HistoryItem"}, 2542 "minItems": 1}}, 2543 "required": ["HistoryItem"], 2544 "additionalProperties": false}, 2545 "HistoryItem": { 
2546 "type": "object", 2547 "properties": { 2548 "action": {"$ref": "#/definitions/action","default": "other"}, 2549 "ext-action": {"type": "string"}, 2550 "restriction": {"$ref": "#/definitions/restriction", 2551 "default": "private"}, 2552 "ext-restriction": {"type": "string"}, 2553 "observable-id": {"$ref": "#/definitions/IDtype"}, 2554 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2555 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 2556 "Contact": {"$ref": "#/definitions/Contact"}, 2557 "Description": { 2558 "type": "array", 2559 "items": {"$ref": "#/definitions/MLStringType"}, 2560 "minItems": 1}, 2561 "DefinedCOA": { 2562 "type": "array", 2563 "items": {"type": "string"}, 2564 "minItems": 1}, 2565 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2566 "required": ["DateTime","action"], 2567 "additionalProperties": false}, 2568 "EventData": { 2569 "type": "object", 2570 "properties": { 2571 "restriction": {"$ref": "#/definitions/restriction", 2572 "default": "private"}, 2573 "ext-restriction": {"type": "string"}, 2574 "observable-id": {"$ref": "#/definitions/IDtype"}, 2575 "Description": {"type": "array", 2576 "items": { "$ref":"#/definitions/MLStringType"}}, 2577 "DetectTime": {"$ref": "#/definitions/DATETIME"}, 2578 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2579 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2580 "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 2581 "ReportTime": {"$ref": "#/definitions/DATETIME"}, 2582 "Contact": { 2583 "type": "array", 2584 "items": {"$ref": "#/definitions/Contact"}, 2585 "minItems": 1}, 2586 "Discovery": { 2587 "type": "array", 2588 "items": {"$ref": "#/definitions/Discovery"}, 2589 "minItems": 1}, 2590 "Assessment": {"$ref": "#/definitions/Assessment"}, 2591 "Method": { 2592 "type": "array", 2593 "items": {"$ref": "#/definitions/Method"}, 2594 "minItems": 1}, 2595 "System": { 2596 "type": "array", 2597 "items": {"$ref": "#/definitions/System"}, 2598 "minItems": 1}, 2599 "Expectation": { 2600 
"type": "array", 2601 "items": {"$ref": "#/definitions/Expectation"}, 2602 "minItems": 1}, 2603 "RecordData": { 2604 "type": "array", 2605 "items": {"$ref": "#/definitions/RecordData"}, 2606 "minItems": 1}, 2607 "EventData": { 2608 "type": "array", 2609 "items": {"$ref": "#/definitions/EventData"}, 2610 "minItems": 1}, 2611 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2612 "required": [], 2613 "additionalProperties": false}, 2614 "Expectation": { 2615 "type": "object", 2616 "properties": { 2617 "action": {"$ref":"#/definitions/action","default": "other"}, 2618 "ext-action": {"type": "string"}, 2619 "severity": {"enum": ["low","medium","high"]}, 2620 "restriction": {"$ref": "#/definitions/restriction", 2621 "default": "default"}, 2622 "ext-restriction": {"type": "string"}, 2623 "observable-id": {"$ref": "#/definitions/IDtype"}, 2624 "Description": { 2625 "type": "array", 2626 "items": {"$ref": "#/definitions/MLStringType"}, 2627 "minItems": 1}, 2628 "DefinedCOA": { 2629 "type": "array", 2630 "items": {"type": "string"}, 2631 "minItems": 1}, 2632 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2633 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2634 "Contact": {"$ref": "#/definitions/Contact"}}, 2635 "required": [], 2636 "additionalProperties": false}, 2637 "System": { 2638 "type": "object", 2639 "properties": { 2640 "category": { 2641 "enum": ["source","target","intermediate","sensor", 2642 "infrastructure","ext-value"]}, 2643 "ext-category": {"type": "string"}, 2644 "interface": {"type": "string"}, 2645 "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, 2646 "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, 2647 "ownership": { 2648 "enum":["organization","personal","partner","customer", 2649 "no-relationship","unknown","ext-value"]}, 2650 "ext-ownership": {"type": "string"}, 2651 "restriction": {"$ref": "#/definitions/restriction", 2652 "default": "private"}, 2653 "ext-restriction": {"type": "string"}, 2654 
"observable-id": {"$ref": "#/definitions/IDtype"}, 2655 "Node": {"$ref": "#/definitions/Node"}, 2656 "NodeRole": { 2657 "type": "array", 2658 "items": {"$ref": "#/definitions/NodeRole"}, 2659 "minItems": 1}, 2660 "Service": { 2661 "type": "array", 2662 "items": {"$ref": "#/definitions/Service"}, 2663 "minItems": 1}, 2664 "OperatingSystem": { 2665 "type": "array", 2666 "items": {"$ref": "#/definitions/SoftwareType"}, 2667 "minItems": 1}, 2668 "Counter": { 2669 "type": "array", 2670 "items": {"$ref": "#/definitions/Counter"}, 2671 "minItems": 1}, 2672 "AssetID": { 2673 "type": "array", 2674 "items": {"type": "string"}, 2675 "minItems": 1}, 2676 "Description": { 2677 "type": "array", 2678 "items": {"$ref": "#/definitions/MLStringType"}, 2679 "minItems": 1}, 2680 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2681 "required": ["Node"], 2682 "additionalProperties": false}, 2683 "Node": { 2684 "type": "object", 2685 "properties": { 2686 "DomainData": { 2687 "type": "array", 2688 "items": {"$ref": "#/definitions/DomainData"}, 2689 "minItems": 1}, 2690 "Address": { 2691 "type": "array", 2692 "items": {"$ref": "#/definitions/Address"}, 2693 "minItems": 1}, 2695 "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, 2696 "Location": { 2697 "type": "array", 2698 "items": {"$ref": "#/definitions/MLStringType"}, 2699 "minItems": 1}, 2700 "Counter": { 2701 "type":"array", 2702 "items":{"$ref":"#/definitions/Counter"}, 2703 "minItems": 1}}, 2704 "anyOf": [ 2705 {"required": ["DomainData"]}, 2706 {"required": ["Address"]} 2707 ], 2708 "additionalProperties": false}, 2709 "Address": { 2710 "type": "object", 2711 "properties": { 2712 "value": {"type": "string"}, 2713 "category": { 2714 "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", 2715 "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", 2716 "ipv6-net-masked","mac","site-uri","ext-value"], 2717 "default": "ipv6-addr"}, 2718 "ext-category": {"type": "string"}, 2719 "vlan-name": {"type": "string"}, 2720 
"vlan-num": {"type": "number"}, 2721 "observable-id": {"$ref": "#/definitions/IDtype"}}, 2722 "required": ["value","category"], 2723 "additionalProperties": false}, 2724 "NodeRole": { 2725 "type": "object", 2726 "properties": { 2727 "category": { 2728 "enum":["client","client-enterprise","client-partner", 2729 "client-remote","client-kiosk","client-mobile", 2730 "server-internal","server-public","www","mail","webmail", 2731 "messaging","streaming","voice","file","ftp","p2p","name", 2732 "directory","credential","print","application","database", 2733 "backup","dhcp","assessment","source-control", 2734 "config-management","monitoring","infra","infra-firewall", 2735 "infra-router","infra-switch","camera","proxy", 2736 "remote-access","log","virtualization","pos", "scada", 2737 "scada-supervisory","sinkhole","honeypot","anomyzation", 2738 "c2-server","malware-distribution","drop-server", 2739 "hop-point","reflector","phishing-site", 2740 "spear-phishing-site","recruiting-site","fraudulent-site", 2741 "ext-value"]}, 2742 "ext-category": {"type": "string"}, 2743 "Description": { 2744 "type": "array", 2745 "items": {"$ref": "#/definitions/MLStringType"}, 2746 "minItems": 1}}, 2747 "required": ["category"], 2748 "additionalProperties": false}, 2749 "Counter": { 2750 "type": "object", 2751 "properties": { 2752 "value": {"type": "number"}, 2753 "type": {"enum": ["count","peak","average","ext-value"]}, 2754 "ext-type": {"type": "string"}, 2755 "unit":{"enum":["byte","mbit","packet","flow","session","alert", 2756 "message","event","host","site","organization","ext-value"]}, 2757 "ext-unit": {"type": "string"}, 2758 "meaning": {"type": "string"}, 2759 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 2760 "ext-duration": {"type": "string"}}, 2761 "required": ["value","type","unit"], 2762 "additionalProperties": false}, 2763 "DomainData": { 2764 "type": "object", 2765 "properties": { 2766 "system-status": { 2767 "enum": ["spoofed","fraudulent","innocent-hacked", 
2768 "innocent-hijacked","unknown","ext-value"]}, 2769 "ext-system-status": {"type": "string"}, 2770 "domain-status": { 2771 "enum": [ "reservedDelegation","assignedAndActive", 2772 "assignedAndInactive","assignedAndOnHold","revoked", 2773 "transferPending","registryLock","registrarLock", 2774 "other","unknown","ext-value"]}, 2775 "ext-domain-status": {"type": "string"}, 2776 "observable-id": {"$ref": "#/definitions/IDtype"}, 2777 "Name": {"type": "string"}, 2778 "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, 2779 "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, 2780 "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, 2781 "RelatedDNS": { 2782 "type": "array", 2783 "items": {"$ref": "#/definitions/ExtensionType"}, 2784 "minItems": 1}, 2785 "NameServers": { 2786 "type": "array", 2787 "items": {"$ref": "#/definitions/NameServers"}, 2788 "minItems": 1}, 2789 "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, 2790 "required": ["Name","system-status","domain-status"], 2791 "additionalProperties": false}, 2792 "NameServers": { 2793 "type": "object", 2794 "properties": { 2795 "Server": {"type": "string"}, 2796 "Address": { 2797 "type":"array", 2798 "items":{"$ref":"#/definitions/Address"}, 2799 "minItems": 1}}, 2800 "required": ["Server","Address"], 2801 "additionalProperties": false}, 2802 "DomainContacts": { 2803 "type": "object", 2804 "properties": { 2805 "SameDomainContact": {"type": "string"}, 2806 "Contact": { 2807 "type":"array", 2808 "items":{"$ref":"#/definitions/Contact"}, 2809 "minItems": 1}}, 2810 "oneOf": [ 2811 {"required": ["SameDomainContact"]}, 2812 {"required": ["Contact"]}], 2813 "additionalProperties": false}, 2814 "Service": { 2815 "type": "object", 2816 "properties": { 2817 "ip-protocol": {"type": "number"}, 2818 "observable-id": {"$ref": "#/definitions/IDtype"}, 2819 "ServiceName": {"$ref": "#/definitions/ServiceName"}, 2820 "Port": {"type": "number"}, 2821 "Portlist": {"$ref": "#/definitions/PortlistType"}, 2822 
"ProtoCode": {"type": "number"}, 2823 "ProtoType": {"type": "number"}, 2824 "ProtoField": {"type": "number"}, 2825 "ApplicationHeaderField":{ 2826 "$ref":"#/definitions/ExtensionTypeList"}, 2827 "EmailData": {"$ref": "#/definitions/EmailData"}, 2828 "Application": {"$ref": "#/definitions/SoftwareType"}}, 2829 "required": [], 2830 "additionalProperties": false}, 2831 "ServiceName": { 2832 "type": "object", 2833 "properties": { 2834 "IANAService": {"type": "string"}, 2835 "URL": { 2836 "type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2837 "Description": { 2838 "type": "array", 2839 "items": {"$ref": "#/definitions/MLStringType"}, 2840 "minItems": 1}}, 2841 "required": [], 2842 "additionalProperties": false}, 2843 "EmailData": { 2844 "type": "object", 2845 "properties": { 2846 "observable-id": {"$ref": "#/definitions/IDtype"}, 2847 "EmailTo": { 2848 "type": "array", 2849 "items": {"type": "string"}, 2850 "minItems": 1}, 2851 "EmailFrom": {"type": "string"}, 2852 "EmailSubject": {"type": "string"}, 2853 "EmailX-Mailer": {"type": "string"}, 2854 "EmailHeaderField": { 2855 "type": "array", 2856 "items": {"$ref": "#/definitions/ExtensionType"}, 2857 "minItems": 1}, 2858 "EmailHeaders": {"type": "string"}, 2859 "EmailBody": {"type": "string"}, 2860 "EmailMessage": {"type": "string"}, 2861 "HashData": { 2862 "type": "array", 2863 "items": {"$ref": "#/definitions/HashData"}, 2864 "minItems": 1}, 2865 "Signature": { 2866 "type": "array", 2867 "items": {"$ref": "#/definitions/BYTE"}, 2868 "minItems": 1}}, 2869 "required": [], 2870 "additionalProperties": false}, 2871 "RecordData": { 2872 "type": "object", 2873 "properties": { 2874 "restriction": {"$ref": "#/definitions/restriction", 2875 "default": "private"}, 2876 "ext-restriction": {"type": "string"}, 2877 "observable-id": {"$ref": "#/definitions/IDtype"}, 2878 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2879 "Description": { 2880 "type": "array", 2881 "items": {"$ref": "#/definitions/MLStringType"}, 2882 
              "minItems": 1},
            "Application": {"$ref": "#/definitions/SoftwareType"},
            "RecordPattern": {
              "type": "array",
              "items": {"$ref": "#/definitions/RecordPattern"},
              "minItems": 1},
            "RecordItem": {
              "type": "array",
              "items": {"$ref": "#/definitions/ExtensionType"},
              "minItems": 1},
            "URL": {
              "type": "array",
              "items": {"$ref": "#/definitions/URLtype"},
              "minItems": 1},
            "FileData": {
              "type": "array",
              "items": {"$ref": "#/definitions/FileData"},
              "minItems": 1},
            "WindowsRegistryKeysModified": {
              "type": "array",
              "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"},
              "minItems": 1},
            "CertificateData": {
              "type": "array",
              "items": {"$ref": "#/definitions/CertificateData"},
              "minItems": 1},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "required": [],
          "additionalProperties": false},
        "RecordPattern": {
          "type": "object",
          "properties": {
            "value": {"type": "string"},
            "type": {"enum": ["regex","binary","xpath","ext-value"],
                     "default": "regex"},
            "ext-type": {"type": "string"},
            "offset": {"type": "number"},
            "offsetunit": {"enum": ["line","byte","ext-value"],
                           "default": "line"},
            "ext-offsetunit": {"type": "string"},
            "instance": {"type": "number"}},
          "required": ["value","type"],
          "additionalProperties": false},
        "WindowsRegistryKeysModified": {
          "type": "object",
          "properties": {
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "Key": {
              "type": "array",
              "items": {"$ref": "#/definitions/Key"},
              "minItems": 1}},
          "required": ["Key"],
          "additionalProperties": false},
        "Key": {
          "type": "object",
          "properties": {
            "registryaction": {"enum": ["add-key","add-value","delete-key",
                                        "delete-value","modify-key","modify-value",
                                        "ext-value"]},
            "ext-registryaction": {"type": "string"},
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "KeyName": {"type": "string"},
            "KeyValue": {"type": "string"}},
          "required": ["KeyName"],
          "additionalProperties": false},
        "CertificateData": {
          "type": "object",
          "properties": {
            "restriction": {"$ref": "#/definitions/restriction",
                            "default": "private"},
            "ext-restriction": {"type": "string"},
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "Certificate": {
              "type": "array",
              "items": {"$ref": "#/definitions/Certificate"},
              "minItems": 1}},
          "required": ["Certificate"],
          "additionalProperties": false},
        "Certificate": {
          "type": "object",
          "properties": {
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "X509Data": {"$ref": "#/definitions/BYTE"},
            "Description": {
              "type": "array",
              "items": {"$ref": "#/definitions/MLStringType"},
              "minItems": 1}},
          "required": ["X509Data"],
          "additionalProperties": false},
        "FileData": {
          "type": "object",
          "properties": {
            "restriction": {"$ref": "#/definitions/restriction"},
            "ext-restriction": {"type": "string"},
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "File": {
              "type": "array",
              "items": {"$ref": "#/definitions/File"},
              "minItems": 1}},
          "required": ["File"],
          "additionalProperties": false},
        "File": {
          "type": "object",
          "properties": {
            "observable-id": {"$ref": "#/definitions/IDtype"},
            "FileName": {"type": "string"},
            "FileSize": {"type": "number"},
            "FileType": {"type": "string"},
            "URL": {
              "type": "array",
              "items": {"$ref": "#/definitions/URLtype"},
              "minItems": 1},
            "HashData": {"$ref": "#/definitions/HashData"},
            "Signature": {
              "type": "array",
              "items": {"$ref": "#/definitions/BYTE"},
              "minItems": 1},
            "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
            "FileProperties": {
              "type": "array",
              "items": {"$ref": "#/definitions/ExtensionType"},
              "minItems": 1}},
          "required": [],
          "additionalProperties": false},
        "HashData": {
          "type": "object",
          "properties": {
            "scope": {"enum": ["file-contents","file-pe-section",
                               "file-pe-iat","file-pe-resource","file-pdf-object",
                               "email-hash","email-headers-hash","email-body-hash",
                               "ext-value"]},
            "HashTargetID": {"type": "string"},
            "Hash": {
              "type": "array",
              "items": {"$ref": "#/definitions/Hash"},
              "minItems": 1},
            "FuzzyHash": {
              "type": "array",
              "items": {"$ref": "#/definitions/FuzzyHash"},
              "minItems": 1}},
          "required": ["scope"],
          "additionalProperties": false},
        "Hash": {
          "type": "object",
          "properties": {
            "DigestMethod": {"$ref": "#/definitions/BYTE"},
            "DigestValue": {"$ref": "#/definitions/BYTE"},
            "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"},
            "Application": {"$ref": "#/definitions/SoftwareType"}},
          "required": ["DigestMethod","DigestValue"],
          "additionalProperties": false},
        "FuzzyHash": {
          "type": "object",
          "properties": {
            "FuzzyHashValue": {
              "type": "array",
              "items": {"$ref": "#/definitions/ExtensionType"},
              "minItems": 1},
            "Application": {"$ref": "#/definitions/SoftwareType"},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "required": ["FuzzyHashValue"],
          "additionalProperties": false},
        "Indicator": {
          "type": "object",
          "properties": {
            "restriction": {"$ref": "#/definitions/restriction",
                            "default": "private"},
            "ext-restriction": {"type": "string"},
            "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
            "AlternativeIndicatorID": {
              "type": "array",
              "items": {"$ref": "#/definitions/AlternativeIndicatorID"},
              "minItems": 1},
            "Description": {
              "type": "array",
              "items": {"$ref": "#/definitions/MLStringType"},
              "minItems": 1},
            "StartTime": {"$ref": "#/definitions/DATETIME"},
            "EndTime": {"$ref": "#/definitions/DATETIME"},
            "Confidence": {"$ref": "#/definitions/Confidence"},
            "Contact": {
              "type": "array",
              "items": {"$ref": "#/definitions/Contact"},
              "minItems": 1},
            "Observable": {"$ref": "#/definitions/Observable"},
            "uid-ref": {"$ref": "#/definitions/IDREFType"},
            "IndicatorExpression": {
              "$ref": "#/definitions/IndicatorExpression"},
            "IndicatorReference": {
              "$ref": "#/definitions/IndicatorReference"},
            "NodeRole": {
              "type": "array",
              "items": {"$ref": "#/definitions/NodeRole"},
              "minItems": 1},
            "AttackPhase": {
              "type": "array",
              "items": {"$ref": "#/definitions/AttackPhase"},
              "minItems": 1},
            "Reference": {
              "type": "array",
              "items": {"$ref": "#/definitions/Reference"},
              "minItems": 1},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "allOf": [
            {"required": ["IndicatorID"]},
            {"oneOf": [
              {"required": ["Observable"]},
              {"required": ["uid-ref"]},
              {"required": ["IndicatorExpression"]},
              {"required": ["IndicatorReference"]}]}],
          "additionalProperties": false},
        "IndicatorID": {
          "type": "object",
          "properties": {
            "id": {"type": "string"},
            "name": {"type": "string"},
            "version": {"type": "string"}},
          "required": ["id","name","version"],
          "additionalProperties": false},
        "AlternativeIndicatorID": {
          "type": "object",
          "properties": {
            "restriction": {"$ref": "#/definitions/restriction",
                            "default": "private"},
            "ext-restriction": {"type": "string"},
            "IndicatorID": {
              "type": "array",
              "items": {"$ref": "#/definitions/IndicatorID"},
              "minItems": 1}},
          "required": ["IndicatorID"],
          "additionalProperties": false},
        "Observable": {
          "type": "object",
          "properties": {
            "restriction": {"$ref": "#/definitions/restriction",
                            "default": "private"},
            "ext-restriction": {"type": "string"},
            "System": {"$ref": "#/definitions/System"},
            "Address": {"$ref": "#/definitions/Address"},
            "DomainData": {"$ref": "#/definitions/DomainData"},
            "EmailData": {"$ref": "#/definitions/EmailData"},
            "Service": {"$ref": "#/definitions/Service"},
            "WindowsRegistryKeysModified": {
              "$ref": "#/definitions/WindowsRegistryKeysModified"},
            "FileData": {"$ref": "#/definitions/FileData"},
            "CertificateData": {"$ref": "#/definitions/CertificateData"},
            "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
            "RecordData": {"$ref": "#/definitions/RecordData"},
            "EventData": {"$ref": "#/definitions/EventData"},
            "Incident": {"$ref": "#/definitions/Incident"},
            "Expectation": {"$ref": "#/definitions/Expectation"},
            "Reference": {"$ref": "#/definitions/Reference"},
            "Assessment": {"$ref": "#/definitions/Assessment"},
            "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
            "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
            "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "oneOf": [
            {"required": ["System"]},
            {"required": ["Address"]},
            {"required": ["DomainData"]},
            {"required": ["EmailData"]},
            {"required": ["Service"]},
            {"required": ["WindowsRegistryKeysModified"]},
            {"required": ["FileData"]},
            {"required": ["CertificateData"]},
            {"required": ["RegistryHandle"]},
            {"required": ["RecordData"]},
            {"required": ["EventData"]},
            {"required": ["Incident"]},
            {"required": ["Expectation"]},
            {"required": ["Reference"]},
            {"required": ["Assessment"]},
            {"required": ["DetectionPattern"]},
            {"required": ["HistoryItem"]},
            {"required": ["BulkObservable"]},
            {"required": ["AdditionalData"]}],
          "additionalProperties": false},
        "BulkObservable": {
          "type": "object",
          "properties": {
            "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                              "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
                              "mac","site-uri","domain-name","domain-to-ipv4",
                              "domain-to-ipv6","domain-to-ipv4-timestamp",
                              "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
                              "windows-reg-key","file-hash","email-x-mailer",
                              "email-subject","http-user-agent","http-request-url",
                              "mutex","file-path","user-name","ext-value"]},
            "ext-type": {"type": "string"},
            "BulkObservableFormat": {
              "$ref": "#/definitions/BulkObservableFormat"},
            "BulkObservableList": {"type": "string"},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "required": ["BulkObservableList"],
          "additionalProperties": false},
        "BulkObservableFormat": {
          "type": "object",
          "properties": {
            "Hash": {"$ref": "#/definitions/Hash"},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "oneOf": [
            {"required": ["Hash"]},
            {"required": ["AdditionalData"]}
          ],
          "additionalProperties": false},
        "IndicatorExpression": {
          "type": "object",
          "properties": {
            "operator": {"enum": ["not","and","or","xor"], "default": "and"},
            "ext-operator": {"type": "string"},
            "IndicatorExpression": {
              "type": "array",
              "items": {"$ref": "#/definitions/IndicatorExpression"},
              "minItems": 1},
            "Observable": {
              "type": "array",
              "items": {"$ref": "#/definitions/Observable"},
              "minItems": 1},
            "uid-ref": {
              "type": "array",
              "items": {"$ref": "#/definitions/IDREFType"},
              "minItems": 1},
            "IndicatorReference": {
              "type": "array",
              "items": {"$ref": "#/definitions/IndicatorReference"},
              "minItems": 1},
            "Confidence": {"$ref": "#/definitions/Confidence"},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "required": [],
          "additionalProperties": false},
        "IndicatorReference": {
          "type": "object",
          "properties": {
            "uid-ref": {"$ref": "#/definitions/IDREFType"},
            "euid-ref": {"type": "string"},
            "version": {"type": "string"}},
          "oneOf": [
            {"required": ["uid-ref"]},
            {"required": ["euid-ref"]}
          ],
          "additionalProperties": false},
        "AttackPhase": {
          "type": "object",
          "properties": {
            "AttackPhaseID": {
              "type": "array",
              "items": {"type": "string"},
              "minItems": 1},
            "URL": {
              "type": "array",
              "items": {"$ref": "#/definitions/URLtype"},
              "minItems": 1},
            "Description": {
              "type": "array",
              "items": {"$ref": "#/definitions/MLStringType"},
              "minItems": 1},
            "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
          "required": [],
          "additionalProperties": false}},
      "title": "IODEF-Document",
      "description": "JSON schema for IODEF-Document class",
      "type": "object",
      "properties": {
        "version": {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "format-id": {"type": "string"},
        "private-enum-name": {"type": "string"},
        "private-enum-id": {"type": "string"},
        "Incident": {
          "type": "array",
          "items": {"$ref": "#/definitions/Incident"},
          "minItems": 1},
        "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
      "required": ["version","Incident"],
      "additionalProperties": false}

                        Figure 10: JSON schema

Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

   Roman Danyliw
   CERT, Software Engineering Institute, Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   Email: rdd@cert.org

   Mio Suzuki
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Email: mio@nict.go.jp
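The following is an added worked example, not part of the draft and not the authors' code, showing how the FileData/File/HashData/Hash definitions from Figure 10 above constrain a JSON instance: required members, "additionalProperties": false rejecting unknown keys, "minItems": 1 rejecting empty arrays, and the "scope" enum. It implements, without external libraries, only the JSON Schema keywords that Figure 10 uses. The definitions that Figure 10 references but this excerpt does not show (restriction, IDtype, URLtype, SoftwareType, ExtensionType, ExtensionTypeList, BYTE) are replaced by stand-ins that are assumptions of this example; in particular the base64 pattern for BYTE and the way DigestMethod/DigestValue are filled are assumed, not taken from the draft. The sample FileData instance is constructed for the example.

```python
import base64
import copy
import hashlib
import re

# FileData, File, HashData, Hash and FuzzyHash are copied from the Figure 10
# excerpt. The other entries are stand-ins (assumptions) for definitions the
# excerpt does not show; they are not the draft's definitions.
DEFS = {
    "restriction": {"type": "string"},                                     # stand-in (assumed)
    "IDtype": {"type": "string"},                                          # stand-in (assumed)
    "URLtype": {"type": "string"},                                         # stand-in (assumed)
    "SoftwareType": {"type": "object"},                                    # stand-in (assumed)
    "ExtensionType": {"type": "object"},                                   # stand-in (assumed)
    "ExtensionTypeList": {"type": "array", "items": {"type": "object"}},   # stand-in (assumed)
    "BYTE": {"type": "string", "pattern": "^[A-Za-z0-9+/]*={0,2}$"},       # assumed: base64 text
    "FileData": {"type": "object", "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array", "items": {"$ref": "#/definitions/File"}, "minItems": 1}},
        "required": ["File"], "additionalProperties": False},
    "File": {"type": "object", "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "FileName": {"type": "string"}, "FileSize": {"type": "number"}, "FileType": {"type": "string"},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {"type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {"type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}},
        "required": [], "additionalProperties": False},
    "HashData": {"type": "object", "properties": {
        "scope": {"enum": ["file-contents", "file-pe-section", "file-pe-iat", "file-pe-resource",
                           "file-pdf-object", "email-hash", "email-headers-hash", "email-body-hash", "ext-value"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1},
        "FuzzyHash": {"type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}},
        "required": ["scope"], "additionalProperties": False},
    "Hash": {"type": "object", "properties": {
        "DigestMethod": {"$ref": "#/definitions/BYTE"}, "DigestValue": {"$ref": "#/definitions/BYTE"},
        "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
        "required": ["DigestMethod", "DigestValue"], "additionalProperties": False},
    "FuzzyHash": {"type": "object", "properties": {
        "FuzzyHashValue": {"type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
        "required": ["FuzzyHashValue"], "additionalProperties": False},
}


def validate(value, schema, defs, path="$"):
    """Check value against the JSON Schema subset Figure 10 uses ($ref, type, properties,
    required, additionalProperties, enum, items, minItems, oneOf, allOf, pattern).
    Returns a list of error strings; an empty list means the instance is valid."""
    if "$ref" in schema:  # local refs of the form #/definitions/Name
        return validate(value, defs[schema["$ref"].rsplit("/", 1)[-1]], defs, path)
    errs = []
    for sub in schema.get("allOf", []):
        errs += validate(value, sub, defs, path)
    if "oneOf" in schema:  # exactly one alternative may match
        hits = sum(1 for sub in schema["oneOf"] if not validate(value, sub, defs, path))
        if hits != 1:
            errs.append(f"{path}: exactly one alternative must match, {hits} did")
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: {value!r} not in enum")
    expected = {"object": dict, "array": list, "string": str, "number": (int, float)}
    t = schema.get("type")
    if t and (not isinstance(value, expected[t]) or isinstance(value, bool)):
        return errs + [f"{path}: expected {t}"]
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                errs.append(f"{path}: missing required property {key!r}")
        props = schema.get("properties", {})
        for key, v in value.items():
            if key in props:
                errs += validate(v, props[key], defs, f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}: unexpected property {key!r}")
    if isinstance(value, list):
        if len(value) < schema.get("minItems", 0):
            errs.append(f"{path}: at least {schema['minItems']} item(s) required")
        for i, v in enumerate(value):
            errs += validate(v, schema.get("items", {}), defs, f"{path}[{i}]")
    if isinstance(value, str) and "pattern" in schema and not re.fullmatch(schema["pattern"], value):
        errs.append(f"{path}: does not match pattern {schema['pattern']!r}")
    return errs


CONTENT = b"%PDF-1.7 constructed sample file contents"  # constructed, not from the draft
SAMPLE_FILEDATA = {  # constructed FileData instance; not from the draft
    "restriction": "private",
    "observable-id": "file-observable-1",
    "File": [{
        "FileName": "invoice.pdf", "FileSize": len(CONTENT), "FileType": "application/pdf",
        "HashData": {"scope": "file-contents", "Hash": [{
            # Assumption: BYTE members carry base64 of the digest algorithm URI and of the raw digest.
            "DigestMethod": base64.b64encode(b"http://www.w3.org/2001/04/xmlenc#sha256").decode(),
            "DigestValue": base64.b64encode(hashlib.sha256(CONTENT).digest()).decode()}]}}],
}


def check_file_data(doc):
    """Validate a FileData instance against the definitions above."""
    return validate(doc, DEFS["FileData"], DEFS)


def with_change(doc, keys, value=None, delete=False):
    """Deep-copy doc and set (or delete) the member at key path `keys`, for tamper tests."""
    new = copy.deepcopy(doc)
    node = new
    for k in keys[:-1]:
        node = node[k]
    if delete:
        del node[keys[-1]]
    else:
        node[keys[-1]] = value
    return new


if __name__ == "__main__":
    print("sample:", check_file_data(SAMPLE_FILEDATA) or "valid")
    for err in check_file_data(with_change(SAMPLE_FILEDATA, ["Files"], [])):
        print("tampered:", err)
```

Running the script validates the constructed sample and then shows the "additionalProperties": false rule rejecting a misspelled "Files" member; the same function flags a missing "scope", an empty "URL" array, a scope outside the enum, and a DigestValue that is not base64 under the assumed BYTE pattern.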