MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: January 9, 2020                                            CERT
                                                               M. Suzuki
                                                                    NICT
                                                            July 8, 2019


                      CBOR/JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-09

Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   CBOR/JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 9, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Integer
       2.2.2.  Multilingual Strings
       2.2.3.  Enum
       2.2.4.  Software and Software Reference
       2.2.5.  Structured Information
       2.2.6.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between CBOR/JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Data Types used in this document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defines an
   information model using Unified Modeling Language (UML), and
   Section 8 of [RFC7970] defines a corresponding Extensible Markup
   Language (XML) schema data model.  In this document, the UML-based
   information model and the XML-based data model are referred to as
   IODEF UML and IODEF XML, respectively.

   IODEF documents are structured and thus suitable for machine
   processing, which streamlines incident response operations.  JSON is
   another widely used structured format that is suitable for machine
   processing.  To facilitate the automation of incident response
   operations, IODEF documents should therefore support a JSON
   representation.

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using CDDL [RFC8610] and JSON Schema [jsonschema].  This
   JSON data model is referred to as IODEF JSON in this document.  IODEF
   JSON provides all of the expressivity of IODEF XML.  It gives
   implementers and operators an alternative format to exchange the same
   information.

   The normative IODEF JSON data model is found in Section 5.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | integer, see Section 2.2.1    |
   | REAL            | Section 2.2       | "number" per [RFC8259]        |
   | CHARACTER       | Section 2.3       | "string" per [RFC8259]        |
   | STRING          | Section 2.3       | "string" per [RFC8259]        |
   | ML_STRING       | Section 2.4       | see Section 2.2.2             |
   | BYTE            | Section 2.5.1     | "string" per [RFC8259]        |
   | BYTE[]          | Section 2.5.1     | "string" per [RFC8259]        |
   | HEXBIN          | Section 2.5.2     | "string" per [RFC8259]        |
   | HEXBIN[]        | Section 2.5.2     | "string" per [RFC8259]        |
   | ENUM            | Section 2.6       | see Section 2.2.3             |
   | DATETIME        | Section 2.7       | "string" per [RFC8259]        |
   | TIMEZONE        | Section 2.8       | "string" per [RFC8259]        |
   | PORTLIST        | Section 2.9       | "string" per [RFC8259]        |
   | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
   | PHONE           | Section 2.11      | "string" per [RFC8259]        |
   | EMAIL           | Section 2.12      | "string" per [RFC8259]        |
   | URL             | Section 2.13      | "string" per [RFC8259]        |
   | ID              | Section 2.14      | "string" per [RFC8259]        |
   | IDREF           | Section 2.14      | "string" per [RFC8259]        |
   | SOFTWARE        | Section 2.15      | see Section 2.2.4             |
   | STRUCTUREDINFO  | [RFC7203]         | see Section 2.2.5             |
   | EXTENSION       | Section 2.16      | see Section 2.2.6             |
   +-----------------+-------------------+-------------------------------+

                        Figure 1: JSON Data Types

   +-----------------+------------------+---------------------------------+
   | IODEF Data Type | CBOR Data Type   | CDDL prelude                    |
   |                 |                  | [RFC8610]                       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 2                | bytes                           |
   | HEXBIN[]        | 2                | bytes                           |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   | SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
   | STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
   | EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
   +-----------------+------------------+---------------------------------+

                        Figure 2: CBOR Data Types

2.2.  Complex JSON Types

2.2.1.  Integer

   An integer is a subset of the JSON "number" type, representing a
   signed value encoded in base 10.  It is defined as "[ minus ] int"
   in the manner of Section 6 of [RFC7159].

2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a plain text string, as defined in
   Section 5.  An example of the object form is shown below.

   "MLStringType": {
     "value": "free-form text",        //STRING
     "lang": "en",                     //ENUM
     "translation-id": "jp2en0023"     //STRING
   }

2.2.3.  Enum

   Enum is an ordered list of acceptable string values.  Each value has
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 5.  An example is shown below.

   "SoftwareType": {
     "SoftwareReference": {...},       //SoftwareReference
     "Description": ["MS Windows"]     //STRING
   }

   The SoftwareReference class is a reference to a particular version of
   software.  An example is shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   //STRING
     "spec-name": "cpe",                              //ENUM
     "dtype": "string"                                //ENUM
   }

2.2.5.  Structured Information

   Information provided as a structured string, such as an ID, or as
   structured data, such as an XML document, is represented in the
   information model by the STRUCTUREDINFO data type.  Note that this
   type was originally specified in [RFC7203].  The STRUCTUREDINFO data
   type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", and "Reference" elements.  An example for
   embedding a structured ID is shown below.
   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",   //ENUM
     "ContentID": "CWE-89"                              //STRING
   }

   When embedding the raw data, the base64 encoding defined in Section 4
   of [RFC4648] should be used for encoding the data, as shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", //ENUM
     "RawData": "<<>>"                                  //BYTE
   }

2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                  //STRING
     "name": "Syslog",                                    //STRING
     "dtype": "string",                                   //ENUM
     "meaning": "Syslog from the security appliance X"    //STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table lists the IODEF classes, their elements, and the
   corresponding section in [RFC7970].  Note that the complete JSON
   schema is defined in Section 5 using CDDL.  In the table, "?" marks
   an optional element, "*" zero or more, and "+" one or more.

   +-----------------------------+------------------------------+---------------+
   | IODEF Class                 | Class Elements and Attribute | Corresponding |
   |                             |                              | Section in    |
   |                             |                              | [RFC7970]     |
   +-----------------------------+------------------------------+---------------+
   | IODEF-Document              | version                      | 3.1           |
   |                             | lang?                        |               |
   |                             | format-id?                   |               |
   |                             | private-enum-name?           |               |
   |                             | private-enum-id?             |               |
   |                             | Incident+                    |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Incident                    | purpose                      | 3.2           |
   |                             | ext-purpose?                 |               |
   |                             | status?                      |               |
   |                             | ext-status?                  |               |
   |                             | lang?                        |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentID                   |               |
   |                             | AlternativeID?               |               |
   |                             | RelatedActivity*             |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | GenerationTime               |               |
   |                             | Description*                 |               |
   |                             | Discovery*                   |               |
   |                             | Assessment*                  |               |
   |                             | Method*                      |               |
   |                             | Contact+                     |               |
   |                             | EventData*                   |               |
   |                             | Indicator*                   |               |
   |                             | History?                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IncidentID                  | id                           | 3.4           |
   |                             | name                         |               |
   |                             | instance?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeID               | restriction?                 | 3.5           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID+                  |               |
   +-----------------------------+------------------------------+---------------+
   | RelatedActivity             | restriction?                 | 3.6           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID*                  |               |
   |                             | URL*                         |               |
   |                             | ThreatActor*                 |               |
   |                             | Campaign*                    |               |
   |                             | IndicatorID*                 |               |
   |                             | Confidence?                  |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | ThreatActor                 | restriction?                 | 3.7           |
   |                             | ext-restriction?             |               |
   |                             | ThreatActorID*               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Campaign                    | restriction?                 | 3.8           |
   |                             | ext-restriction?             |               |
   |                             | CampaignID*                  |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Contact                     | role                         | 3.9           |
   |                             | ext-role?                    |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | ContactName*                 |               |
   |                             | ContactTitle*                |               |
   |                             | Description*                 |               |
   |                             | RegistryHandle*              |               |
   |                             | PostalAddress*               |               |
   |                             | Email*                       |               |
   |                             | Telephone*                   |               |
   |                             | Timezone?                    |               |
   |                             | Contact*                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RegistryHandle              | handle                       | 3.9.1         |
   |                             | registry                     |               |
   |                             | ext-registry?                |               |
   +-----------------------------+------------------------------+---------------+
   | PostalAddress               | type?                        | 3.9.2         |
   |                             | ext-type?                    |               |
   |                             | PAddress                     |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Email                       | type?                        | 3.9.3         |
   |                             | ext-type?                    |               |
   |                             | EmailTo                      |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Telephone                   | type?                        | 3.9.4         |
   |                             | ext-type?                    |               |
   |                             | TelephoneNumber              |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Discovery                   | source?                      | 3.10          |
   |                             | ext-source?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Description*                 |               |
   |                             | Contact*                     |               |
   |                             | DetectionPattern*            |               |
   +-----------------------------+------------------------------+---------------+
   | DetectionPattern            | restriction?                 | 3.10.1        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Application                  |               |
   |                             | Description*                 |               |
   |                             | DetectionConfiguration*      |               |
   +-----------------------------+------------------------------+---------------+
   | Method                      | restriction?                 | 3.11          |
   |                             | ext-restriction?             |               |
   |                             | Reference*                   |               |
   |                             | Description*                 |               |
   |                             | AttackPattern*               |               |
   |                             | Vulnerability*               |               |
   |                             | Weakness*                    |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Reference                   | observable-id?               | 3.11.1        |
   |                             | ReferenceName?               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Assessment                  | occurence?                   | 3.12          |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentCategory*            |               |
   |                             | SystemImpact*                |               |
   |                             | BusinessImpact*              |               |
   |                             | TimeImpact*                  |               |
   |                             | MonetaryImpact*              |               |
   |                             | IntendedImpact*              |               |
   |                             | Counter*                     |               |
   |                             | MitigatingFactor*            |               |
   |                             | Cause*                       |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | SystemImpact                | severity?                    | 3.12.1        |
   |                             | completion?                  |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | BusinessImpact              | severity?                    | 3.12.2        |
   |                             | ext-severity?                |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | TimeImpact                  | value                        | 3.12.3        |
   |                             | severity?                    |               |
   |                             | metric                       |               |
   |                             | ext-metric?                  |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | MonetaryImpact              | value                        | 3.12.4        |
   |                             | severity?                    |               |
   |                             | currency?                    |               |
   +-----------------------------+------------------------------+---------------+
   | Confidence                  | value                        | 3.12.5        |
   |                             | rating                       |               |
   |                             | ext-rating?                  |               |
   +-----------------------------+------------------------------+---------------+
   | History                     | restriction?                 | 3.13          |
   |                             | ext-restriction?             |               |
   |                             | HistoryItem+                 |               |
   +-----------------------------+------------------------------+---------------+
   | HistoryItem                 | action                       | 3.13.1        |
   |                             | ext-action?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime                     |               |
   |                             | IncidentID?                  |               |
   |                             | Contact?                     |               |
   |                             | Description*                 |               |
   |                             | DefinedCOA*                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | EventData                   | restriction?                 | 3.14          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Description*                 |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | Contact*                     |               |
   |                             | Discovery*                   |               |
   |                             | Assessment?                  |               |
   |                             | Method*                      |               |
   |                             | System*                      |               |
   |                             | Expectation*                 |               |
   |                             | RecordData*                  |               |
   |                             | EventData*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Expectation                 | action?                      | 3.15          |
   |                             | ext-action?                  |               |
   |                             | severity?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Description*                 |               |
   |                             | DefinedCOA*                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Contact?                     |               |
   +-----------------------------+------------------------------+---------------+
   | System                      | category?                    | 3.17          |
   |                             | ext-category?                |               |
   |                             | interface?                   |               |
   |                             | spoofed?                     |               |
   |                             | virtual?                     |               |
   |                             | ownership?                   |               |
   |                             | ext-ownership?               |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Node                         |               |
   |                             | NodeRole*                    |               |
   |                             | Service*                     |               |
   |                             | OperatingSystem*             |               |
   |                             | Counter*                     |               |
   |                             | AssetID*                     |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Node                        | DomainData*                  | 3.18          |
   |                             | Address*                     |               |
   |                             | PostalAddress?               |               |
   |                             | Location*                    |               |
   |                             | Counter*                     |               |
   +-----------------------------+------------------------------+---------------+
   | Address                     | value                        | 3.18.1        |
   |                             | category                     |               |
   |                             | ext-category?                |               |
   |                             | vlan-name?                   |               |
   |                             | vlan-num?                    |               |
   |                             | observable-id?               |               |
   +-----------------------------+------------------------------+---------------+
   | NodeRole                    | category                     | 3.18.2        |
   |                             | ext-category?                |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Counter                     | value                        | 3.18.3        |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | unit                         |               |
   |                             | ext-unit?                    |               |
   |                             | meaning?                     |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | DomainData                  | system-status                | 3.19          |
   |                             | ext-system-status?           |               |
   |                             | domain-status                |               |
   |                             | ext-domain-status?           |               |
   |                             | observable-id?               |               |
   |                             | Name                         |               |
   |                             | DateDomainWasChecked?        |               |
   |                             | RegistrationDate?            |               |
   |                             | ExpirationDate?              |               |
   |                             | RelatedDNS*                  |               |
   |                             | Nameservers*                 |               |
   |                             | DomainContacts?              |               |
   +-----------------------------+------------------------------+---------------+
   | Nameserver                  | Server                       | 3.19.1        |
   |                             | Address*                     |               |
   +-----------------------------+------------------------------+---------------+
   | DomainContacts              | SameDomainContact?           | 3.19.2        |
   |                             | Contact+                     |               |
   +-----------------------------+------------------------------+---------------+
   | Service                     | ip-protocol?                 | 3.20          |
   |                             | observable-id?               |               |
   |                             | ServiceName?                 |               |
   |                             | Port?                        |               |
   |                             | Portlist?                    |               |
   |                             | ProtoCode?                   |               |
   |                             | ProtoType?                   |               |
   |                             | ProtoField?                  |               |
   |                             | ApplicationHeaderField*      |               |
   |                             | EmailData?                   |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | ServiceName                 | IANAService?                 | 3.20.1        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | EmailData                   | observable-id?               | 3.21          |
   |                             | EmailTo*                     |               |
   |                             | EmailFrom?                   |               |
   |                             | EmailSubject?                |               |
   |                             | EmailX-Mailer?               |               |
   |                             | EmailHeaderField*            |               |
   |                             | EmailHeaders?                |               |
   |                             | EmailBody?                   |               |
   |                             | EmailMessage?                |               |
   |                             | HashData*                    |               |
   |                             | Signature*                   |               |
   +-----------------------------+------------------------------+---------------+
   | RecordData                  | restriction?                 | 3.22.1        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime?                    |               |
   |                             | Description*                 |               |
   |                             | Application?                 |               |
   |                             | RecordPattern*               |               |
   |                             | RecordItem*                  |               |
   |                             | URL*                         |               |
   |                             | FileData*                    |               |
   |                             | WindowsRegistryKeysModified* |               |
   |                             | CertificateData*             |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RecordPattern               | type                         | 3.22.2        |
   |                             | ext-type?                    |               |
   |                             | offset?                      |               |
   |                             | offsetunit?                  |               |
   |                             | ext-offsetunit?              |               |
   |                             | instance?                    |               |
   |                             | value                        |               |
   +-----------------------------+------------------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?               | 3.23          |
   |                             | Key+                         |               |
   +-----------------------------+------------------------------+---------------+
   | Key                         | registryaction?              | 3.23.1        |
   |                             | ext-registryaction?          |               |
   |                             | observable-id?               |               |
   |                             | KeyName                      |               |
   |                             | KeyValue?                    |               |
   +-----------------------------+------------------------------+---------------+
   | CertificateData             | restriction?                 | 3.24          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Certificate+                 |               |
   +-----------------------------+------------------------------+---------------+
   | Certificate                 | observable-id?               | 3.24.1        |
   |                             | X509Data                     |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | FileData                    | restriction?                 | 3.25          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | File+                        |               |
   +-----------------------------+------------------------------+---------------+
   | File                        | observable-id?               | 3.25.1        |
   |                             | FileName?                    |               |
   |                             | FileSize?                    |               |
   |                             | FileType?                    |               |
   |                             | URL*                         |               |
   |                             | HashData?                    |               |
   |                             | Signature*                   |               |
   |                             | AssociatedSoftware?          |               |
   |                             | FileProperties*              |               |
   +-----------------------------+------------------------------+---------------+
   | HashData                    | scope                        | 3.26          |
   |                             | HashTargetID?                |               |
   |                             | Hash*                        |               |
   |                             | FuzzyHash*                   |               |
   +-----------------------------+------------------------------+---------------+
   | Hash                        | DigestMethod                 | 3.26.1        |
   |                             | DigestValue                  |               |
   |                             | CanonicalizationMethod?      |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+              | 3.26.2        |
   |                             | Application?                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Indicator                   | restriction?                 | 3.29          |
   |                             | ext-restriction?             |               |
   |                             | IndicatorID                  |               |
   |                             | AlternativeIndicatorID*      |               |
   |                             | Description*                 |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Confidence?                  |               |
   |                             | Contact*                     |               |
   |                             | Observable?                  |               |
   |                             | uid-ref?                     |               |
   |                             | IndicatorExpression?         |               |
   |                             | IndicatorReference?          |               |
   |                             | NodeRole*                    |               |
   |                             | AttackPhase*                 |               |
   |                             | Reference*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorID                 | id                           | 3.29.1        |
   |                             | name                         |               |
   |                             | version                      |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeIndicatorID      | restriction?                 | 3.29.2        |
   |                             | ext-restriction?             |               |
   |                             | IndicatorID+                 |               |
   +-----------------------------+------------------------------+---------------+
   | Observable                  | restriction?                 | 3.29.3        |
   |                             | ext-restriction?             |               |
   |                             | System?                      |               |
   |                             | Address?                     |               |
   |                             | DomainData?                  |               |
   |                             | Service?                     |               |
   |                             | EmailData?                   |               |
   |                             | WindowsRegistryKeysModified? |               |
   |                             | FileData?                    |               |
   |                             | CertificateData?             |               |
   |                             | RegistryHandle?              |               |
   |                             | RecordData?                  |               |
   |                             | EventData?                   |               |
   |                             | Incident?                    |               |
   |                             | Expectation?                 |               |
   |                             | Reference?                   |               |
   |                             | Assessment?                  |               |
   |                             | DetectionPattern?            |               |
   |                             | HistoryItem?                 |               |
   |                             | BulkObservable?              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservable              | type?                        | 3.29.4        |
   |                             | ext-type?                    |               |
   |                             | BulkObservableFormat?        |               |
   |                             | BulkObservableList           |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservableFormat        | Hash?                        | 3.29.5        |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorExpression         | operator?                    | 3.29.6        |
   |                             | ext-operator?                |               |
   |                             | IndicatorExpression*         |               |
   |                             | Observable*                  |               |
   |                             | uid-ref*                     |               |
   |                             | IndicatorReference*          |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorReference          | uid-ref?                     | 3.29.7        |
   |                             | euid-ref?                    |               |
   |                             | version?                     |               |
   +-----------------------------+------------------------------+---------------+
   | AttackPhase                 | AttackPhaseID*               | 3.29.8        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+

                         Figure 3: IODEF Classes

3.2.  Mapping between CBOR/JSON and XML IODEF

   o  This document treats attributes and elements of each class defined
      in [RFC7970] without distinction and is agnostic to the order in
      which they appear.

   o  The Flow class is deleted; classes that contained Flow instances
      now directly contain the EventData instances that used to belong
      to the Flow class.

   o  The ApplicationHeader class is deleted; classes that contained
      ApplicationHeader instances now directly contain the
      ApplicationHeaderField instances that used to belong to the
      ApplicationHeader class.

   o  The SignatureData class is deleted; classes that contained
      SignatureData instances now directly contain the Signature
      instances that used to belong to the SignatureData class.

   o  The IndicatorData class is deleted; classes that contained
      IndicatorData instances now directly contain the Indicator
      instances that used to belong to the IndicatorData class.

   o  The ObservableReference class is deleted; classes that contained
      ObservableReference instances now directly have uid-ref as an
      element.

   o  The Record class is replaced by the RecordData class, and the
      RecordData class is renamed to the Record class.

   o  The Record class is deleted; classes that contained Record
      instances now directly contain the RecordData instances that used
      to belong to the Record class.

   o  MLStringType was modified to also accept a plain text string, in
      addition to the predefined object type, so that elements of this
      type can carry simple descriptions.

   o  Elements of ML_STRING type in an XML IODEF document are
      represented as either STRING type or ML_STRING type in a CBOR/JSON
      IODEF document.

   o  Data models of the extension classes defined by [RFC7203] and
      referenced by [RFC7970] are represented by the StructuredInfo
      class defined in this document.

   o  Signature, X509Data, and RawData are encoded with base64 and are
      represented as strings (BYTE type) in CBOR/JSON IODEF documents.

   o  EmailBody represents the whole message body, including its MIME
      structure, in the same manner as defined in [RFC7970].  For an
      email composed of MIME multipart, EmailBody contains the multiple
      body parts separated by boundary strings.

4.  Examples

   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only way
   to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes is
   shown below in JSON and CBOR, respectively.
   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{"EmailTo": "contact@csirt.example.com"}]
       }]
     }]
   }

                  Figure 4: A Minimal Example in JSON

   A3                                                 # map(3)
      67                                              # text(7)
         76657273696F6E                               # "version"
      63                                              # text(3)
         322E30                                       # "2.0"
      64                                              # text(4)
         6C616E67                                     # "lang"
      62                                              # text(2)
         656E                                         # "en"
      68                                              # text(8)
         496E636964656E74                             # "Incident"
      81                                              # array(1)
         A5                                           # map(5)
            67                                        # text(7)
               707572706F7365                         # "purpose"
            69                                        # text(9)
               7265706F7274696E67                     # "reporting"
            6B                                        # text(11)
               7265737472696374696F6E                 # "restriction"
            67                                        # text(7)
               70726976617465                         # "private"
            6A                                        # text(10)
               496E636964656E744944                   # "IncidentID"
            A2                                        # map(2)
               62                                     # text(2)
                  6964                                # "id"
               66                                     # text(6)
                  343932333832                        # "492382"
               64                                     # text(4)
                  6E616D65                            # "name"
               71                                     # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6E                                        # text(14)
               47656E65726174696F6E54696D65           # "GenerationTime"
            C0                                        # tag(0)
               78 19                                  # text(25)
                  323031352D30372D31385430393A30303A30302D30353A3030
                                                      # "2015-07-18T09:00:00-05:00"
            67                                        # text(7)
               436F6E74616374                         # "Contact"
            81                                        # array(1)
               A3                                     # map(3)
                  64                                  # text(4)
                     74797065                         # "type"
                  6C                                  # text(12)
                     6F7267616E697A6174696F6E         # "organization"
                  64                                  # text(4)
                     726F6C65                         # "role"
                  67                                  # text(7)
                     63726561746F72                   # "creator"
                  65                                  # text(5)
                     456D61696C                       # "Email"
                  81                                  # array(1)
                     A1                               # map(1)
                        67                            # text(7)
                           456D61696C546F             # "EmailTo"
                        78 19                         # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                                      # "contact@csirt.example.com"

                  Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example listing the C2 domains of a given campaign is shown below
   in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "ipv6-addr",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

              Figure 6: Indicators from a Campaign in JSON

   A3                                                 # map(3)
      67                                              # text(7)
         76657273696F6E                               # "version"
      63                                              # text(3)
         322E30                                       # "2.0"
      64                                              # text(4)
         6C616E67                                     # "lang"
      62                                              # text(2)
         656E                                         # "en"
      68                                              # text(8)
         496E636964656E74                             # "Incident"
      81                                              # array(1)
         A9                                           # map(9)
            67                                        # text(7)
               707572706F7365                         # "purpose"
            65                                        # text(5)
               7761746368                             # "watch"
            6B                                        # text(11)
               7265737472696374696F6E                 # "restriction"
            65                                        # text(5)
               677265656E                             # "green"
            6A                                        # text(10)
               496E636964656E744944                   # "IncidentID"
            A2                                        # map(2)
               62                                     # text(2)
                  6964                                # "id"
               66                                     # text(6)
                  383937393233                        # "897923"
               64                                     # text(4)
                  6E616D65                            # "name"
               71                                     # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6F                                        # text(15)
               52656C617465644163746976697479         # "RelatedActivity"
            81                                        # array(1)
               A2                                     # map(2)
                  6B                                  # text(11)
                     5468726561744163746F72           # "ThreatActor"
                  81                                  # array(1)
                     A2                               # map(2)
                        6D                            # text(13)
                           5468726561744163746F724944 # "ThreatActorID"
                        81                            # array(1)
                           78 1A                      # text(26)
                              54412D31322D414747524553534956452D425554544552464
                              C59                     # "TA-12-AGGRESSIVE-BUTTERFLY"
                        6B                            # text(11)
                           4465736372697074696F6E     # "Description"
                        81                            # array(1)
                           74                         # text(20)
                              4167677265737369766520427574746572666C79
                                                      # "Aggressive Butterfly"
                  68                                  # text(8)
                     43616D706169676E                 # "Campaign"
                  81                                  # array(1)
                     A2                               # map(2)
                        6A                            # text(10)
                           43616D706169676E4944       # "CampaignID"
                        81                            # array(1)
                           6C                         # text(12)
                              432D323031352D3539343035 # "C-2015-59405"
                        6B                            # text(11)
                           4465736372697074696F6E     # "Description"
                        81                            # array(1)
                           6E                         # text(14)
                              4F72616E67652047697261666665 # "Orange Giraffe"
            6E                                        # text(14)
               47656E65726174696F6E54696D65           # "GenerationTime"
            C0                                        # tag(0)
               78 19                                  # text(25)
                  323031352D31302D30325431313A31383A30302D30353A3030
                                                      # "2015-10-02T11:18:00-05:00"
            6B                                        # text(11)
               4465736372697074696F6E                 # "Description"
            81                                        # array(1)
               78 6F                                  # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7273206F6620436
                  F6D70726F6D69736520666F7220746865204F72616E676520476972616666
                  652063616D706169676E206F6620746865204167677265737369766520427
                  574746572666C79206372696D652067616E672E
                  # "Summarizes the Indicators of Compromise for the Orange
                  Giraffe campaign of the Aggressive Butterfly crime gang."
            6A                                        # text(10)
               4173736573736D656E74                   # "Assessment"
            81                                        # array(1)
               A1                                     # map(1)
                  66                                  # text(6)
                     496D70616374                     # "Impact"
                  81                                  # array(1)
                     A1                               # map(1)
                        6E                            # text(14)
                           427573696E657373496D70616374 # "BusinessImpact"
                        A1                            # map(1)
                           64                         # text(4)
                              74797065                # "type"
                           72                         # text(18)
                              6272656163682D70726F7072696574617279
                                                      # "breach-proprietary"
            67                                        # text(7)
               436F6E74616374                         # "Contact"
            81                                        # array(1)
               A4                                     # map(4)
                  64                                  # text(4)
                     74797065                         # "type"
                  6C                                  # text(12)
                     6F7267616E697A6174696F6E         # "organization"
                  64                                  # text(4)
                     726F6C65                         # "role"
                  67                                  # text(7)
                     63726561746F72                   # "creator"
                  6B                                  # text(11)
                     436F6E746163744E616D65           # "ContactName"
                  81                                  # array(1)
                     75                               # text(21)
                        435349525420666F72206578616D706C652E636F6D
                                                      # "CSIRT for example.com"
                  65                                  # text(5)
                     456D61696C                       # "Email"
                  81                                  # array(1)
                     A1                               # map(1)
                        67                            # text(7)
                           456D61696C546F             # "EmailTo"
                        78 19                         # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                                      # "contact@csirt.example.com"
            69                                        # text(9)
               496E64696361746F72                     # "Indicator"
            81                                        # array(1)
               A4                                     # map(4)
                  6B                                  # text(11)
                     496E64696361746F724944           # "IndicatorID"
                  A3                                  # map(3)
                     62                               # text(2)
                        6964                          # "id"
                     69                               # text(9)
                        473930383233343930            # "G90823490"
                     64                               # text(4)
                        6E616D65                      # "name"
                     71                               # text(17)
                        63736972742E6578616D706C652E636F6D
                                                      # "csirt.example.com"
                     67                               # text(7)
                        76657273696F6E                # "version"
                     61                               # text(1)
                        31                            # "1"
                  6B                                  # text(11)
                     4465736372697074696F6E           # "Description"
                  81                                  # array(1)
                     6A                               # text(10)
                        433220646F6D61696E73          # "C2 domains"
                  69                                  # text(9)
                     537461727454696D65               # "StartTime"
                  C0                                  # tag(0)
                     78 19                            # text(25)
                        323031342D31322D30325431313A31383A30302D30353A3030
                                                      # "2014-12-02T11:18:00-05:00"
                  6A                                  # text(10)
                     4F627365727661626C65             # "Observable"
                  A1                                  # map(1)
                     6E                               # text(14)
                        42756C6B4F627365727661626C65  # "BulkObservable"
                     A2                               # map(2)
                        64                            # text(4)
                           74797065                   # "type"
                        69                            # text(9)
                           697076362D61646472         # "ipv6-addr"
                        72                            # text(18)
                           42756C6B4F627365727661626C654C697374
                                                      # "BulkObservableList"
                        78 1A                         # text(26)
                           6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                                      # "kj290023j09r34.example.com"

              Figure 7: Indicators from a Campaign in CBOR

5.  The IODEF Data Model (CDDL)

   start = iodef

   ;;; iodef.json: IODEF-Document

   iodef = {
     version: text
     ? lang: lang
     ? format-id: text
     ? private-enum-name: text
     ? private-enum-id: text
     Incident: [+ Incident]
     ? AdditionalData: [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   URLtype = uri
   TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   DATETIME = tdate

   BYTE = eb64legacy

   MLStringType = {
     value: text
     ? lang: lang
     ?
       translation-id: text
   } / text

   PositiveFloatType = float32 .gt 0

   PAddressType = MLStringType

   ExtensionType = {
     value: text
     ? name: text
     dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
            "ntpstamp" / "integer" / "portlist" / "real" / "string" /
            "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
            "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
            .default "string"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
   }
   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
              .default "string"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     GenerationTime: DATETIME
     ? Description: [+ MLStringType]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ? AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ URLtype]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ContactName: [+ MLStringType]
     ? ContactTitle: [+ MLStringType]
     ? Description: [+ MLStringType]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: TimeZonetype
     ? Contact: [+ Contact]
     ? AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
               "afrinic" / "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: "street" / "mailing" / "ext-value"
     ? ext-type: text
     PAddress: PAddressType
     ? Description: [+ MLStringType]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ? ext-type: text
     EmailTo: text
     ? Description: [+ MLStringType]
   }

   Telephone = {
     ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
     ? ext-type: text
     TelephoneNumber: text
     ? Description: [+ MLStringType]
   }

   Discovery = {
     ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
               "incident" / "os-log" / "application-log" / "device-log" /
               "network-flow" / "passive-dns" / "investigation" / "audit" /
               "internal-notification" / "external-notification" /
               "leo" / "partner" / "actor" / "unknown" / "ext-value"
     ? ext-source: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Description: [+ MLStringType]
     ? Contact: [+ Contact]
     ? DetectionPattern: [+ DetectionPattern]
   }

   DetectionPattern = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
     Application: SoftwareType
   }

   Method = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Reference: [+ Reference]
     ? Description: [+ MLStringType]
     ? AttackPattern: [+ StructuredInfo]
     ? Vulnerability: [+ StructuredInfo]
     ? Weakness: [+ StructuredInfo]
     ? AdditionalData: [+ ExtensionType]
   }

   StructuredInfo = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? (RawData: [+ BYTE] // Reference: [+ Reference])
     ? Platform: [+ Platform]
     ? Scoring: [+ Scoring]
   }

   Platform = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }
   Scoring = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }
   Reference = {
     ? observable-id: IDtype
     ? ReferenceName: ReferenceName
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   ReferenceName = {
     specIndex: integer
     ID: IDtype
   }

   Assessment = {
     ? occurrence: "actual" / "potential"
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? IncidentCategory: [+ MLStringType]
     Impact: [+ {SystemImpact: SystemImpact} /
                {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
                {MonetaryImpact: MonetaryImpact} /
                {IntendedImpact: BusinessImpact}]
     ? Counter: [+ Counter]
     ? MitigatingFactor: [+ MLStringType]
     ? Cause: [+ MLStringType]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   SystemImpact = {
     ? severity: "low" / "medium" / "high"
     ? completion: "failed" / "succeeded"
     type: "takeover-account" / "takeover-service" / "takeover-system" /
           "cps-manipulation" / "cps-damage" / "availability-data" /
           "availability-account" / "availability-service" /
           "availability-system" / "damaged-system" / "damaged-data" /
           "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "breach-configuration" / "integrity-data" /
           "integrity-configuration" / "integrity-hardware" /
           "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
           "policy" / "unknown" / "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   BusinessImpact = {
     ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
                 .default "unknown"
     ? ext-severity: text
     type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "loss-of-integrity" / "loss-of-service" / "theft-financial" /
           "theft-service" / "degraded-reputation" / "asset-damage" /
           "asset-manipulation" / "legal" / "extortion" / "unknown" /
           "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   TimeImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     metric: "labor" / "elapsed" / "downtime" / "ext-value"
     ? ext-metric: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   MonetaryImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     ? currency: text
   }

   Confidence = {
     value: float32
     rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
     ? ext-rating: text
   }

   History = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     HistoryItem: [+ HistoryItem]
   }

   HistoryItem = {
     action: action .default "other"
     ? ext-action: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     DateTime: DATETIME
     ? IncidentID: IncidentID
     ? Contact: Contact
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   EventData = {
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     ? Contact: [+ Contact]
     ? Discovery: [+ Discovery]
     ? Assessment: Assessment
     ? Method: [+ Method]
     ? System: [+ System]
     ? Expectation: [+ Expectation]
     ? RecordData: [+ RecordData]
     ? EventData: [+ EventData]
     ? AdditionalData: [+ ExtensionType]
   }

   Expectation = {
     ? action: action .default "other"
     ? ext-action: text
     ? severity: "low" / "medium" / "high"
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Contact: Contact
   }

   System = {
     ? category: "source" / "target" / "intermediate" / "sensor" /
                 "infrastructure" / "ext-value"
     ? ext-category: text
     ? interface: text
     ? spoofed: "unknown" / "yes" / "no" .default "unknown"
     ? virtual: "yes" / "no" / "unknown" .default "unknown"
     ? ownership: "organization" / "personal" / "partner" / "customer" /
                  "no-relationship" / "unknown" / "ext-value"
     ? ext-ownership: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Node: Node
     ? NodeRole: [+ NodeRole]
     ? Service: [+ Service]
     ? OperatingSystem: [+ SoftwareType]
     ? Counter: [+ Counter]
     ? AssetID: [+ text]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Node = {
     (DomainData: [+ DomainData]
      ? Address: [+ Address] //
      ? DomainData: [+ DomainData]
      Address: [+ Address])
     ? PostalAddress: PostalAddress
     ? Location: [+ MLStringType]
     ? Counter: [+ Counter]
   }

   Address = {
     value: text
     category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
               "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
               "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
               "ext-value" .default "ipv6-addr"
     ? ext-category: text
     ? vlan-name: text
     ? vlan-num: integer
     ? observable-id: IDtype
   }

   NodeRole = {
     category: "client" / "client-enterprise" / "client-partner" /
               "client-remote" / "client-kiosk" / "client-mobile" /
               "server-internal" / "server-public" / "www" / "mail" /
               "webmail" / "messaging" / "streaming" / "voice" / "file" /
               "ftp" / "p2p" / "name" / "directory" / "credential" /
               "print" / "application" / "database" / "backup" / "dhcp" /
               "assessment" / "source-control" / "config-management" /
               "monitoring" / "infra" / "infra-firewall" / "infra-router" /
               "infra-switch" / "camera" / "proxy" / "remote-access" /
               "log" / "virtualization" / "pos" / "scada" /
               "scada-supervisory" / "sinkhole" / "honeypot" /
               "anonymization" / "c2-server" / "malware-distribution" /
               "drop-server" / "hop-point" / "reflector" /
               "phishing-site" / "spear-phishing-site" / "recruiting-site" /
               "fraudulent-site" / "ext-value"
     ? ext-category: text
     ? Description: [+ MLStringType]
   }

   Counter = {
     value: float32
     type: "count" / "peak" / "average" / "ext-value"
     ? ext-type: text
     unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
           "message" / "event" / "host" / "site" / "organization" /
           "ext-value"
     ? ext-unit: text
     ? meaning: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   DomainData = {
     system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
                    "innocent-hijacked" / "unknown" / "ext-value"
     ? ext-system-status: text
     domain-status: "reservedDelegation" / "assignedAndActive" /
                    "assignedAndInactive" / "assignedAndOnHold" /
                    "revoked" / "transferPending" / "registryLock" /
                    "registrarLock" / "other" / "unknown" / "ext-value"
     ? ext-domain-status: text
     ? observable-id: IDtype
     Name: text
     ? DateDomainWasChecked: DATETIME
     ? RegistrationDate: DATETIME
     ? ExpirationDate: DATETIME
     ? RelatedDNS: [+ ExtensionType]
     ? NameServers: [+ NameServers]
     ? DomainContacts: DomainContacts
   }

   NameServers = {
     Server: text
     Address: [+ Address]
   }
   DomainContacts = {
     (SameDomainContact: text // Contact: [+ Contact])
   }

   Service = {
     ? ip-protocol: integer
     ? observable-id: IDtype
     ? ServiceName: ServiceName
     ? Port: integer
     ? Portlist: PortlistType
     ? ProtoCode: integer
     ? ProtoType: integer
     ? ProtoField: integer
     ? ApplicationHeaderField: [+ ExtensionType]
     ? EmailData: EmailData
     ? Application: SoftwareType
   }

   ServiceName = {
     ? IANAService: text
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   EmailData = {
     ? observable-id: IDtype
     ? EmailTo: [+ text]
     ? EmailFrom: text
     ? EmailSubject: text
     ? EmailX-Mailer: text
     ? EmailHeaderField: [+ ExtensionType]
     ? EmailHeaders: text
     ? EmailBody: text
     ? EmailMessage: text
     ? HashData: [+ HashData]
     ? Signature: [+ BYTE]
   }

   RecordData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? DateTime: DATETIME
     ? Description: [+ MLStringType]
     ? Application: SoftwareType
     ? RecordPattern: [+ RecordPattern]
     ? RecordItem: [+ ExtensionType]
     ? URL: [+ URLtype]
     ? FileData: [+ FileData]
     ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
     ? CertificateData: [+ CertificateData]
     ? AdditionalData: [+ ExtensionType]
   }

   RecordPattern = {
     value: text
     type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
     ? ext-type: text
     ? offset: integer
     ? offsetunit: "line" / "byte" / "ext-value" .default "line"
     ? ext-offsetunit: text
     ? instance: integer
   }

   WindowsRegistryKeysModified = {
     ? observable-id: IDtype
     Key: [+ Key]
   }

   Key = {
     ? registryaction: "add-key" / "add-value" / "delete-key" /
                      "delete-value" / "modify-key" / "modify-value" /
                      "ext-value"
     ? ext-registryaction: text
     ? observable-id: IDtype
     KeyName: text
     ? KeyValue: text
   }

   CertificateData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Certificate: [+ Certificate]
   }

   Certificate = {
     ? observable-id: IDtype
     X509Data: BYTE
     ? Description: [+ MLStringType]
   }

   FileData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     File: [+ File]
   }

   File = {
     ? observable-id: IDtype
     ? FileName: text
     ? FileSize: integer
     ? FileType: text
     ? URL: [+ URLtype]
     ? HashData: HashData
     ? Signature: [+ BYTE]
     ? AssociatedSoftware: SoftwareType
     ? FileProperties: [+ ExtensionType]
   }

   HashData = {
     scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
            "file-pe-resource" / "file-pdf-object" / "email-hash" /
            "email-headers-hash" / "email-body-hash" / "ext-value"
     ? HashTargetID: text
     ? Hash: [+ Hash]
     ? FuzzyHash: [+ FuzzyHash]
   }

   Hash = {
     DigestMethod: BYTE
     DigestValue: BYTE
     ? CanonicalizationMethod: BYTE
     ? Application: SoftwareType
   }

   FuzzyHash = {
     FuzzyHashValue: [+ ExtensionType]
     ? Application: SoftwareType
     ? AdditionalData: [+ ExtensionType]
   }

   Indicator = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: IndicatorID
     ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
     ? Description: [+ MLStringType]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Confidence: Confidence
     ? Contact: [+ Contact]
     (Observable: Observable // uid-ref: IDREFType //
      IndicatorExpression: IndicatorExpression //
      IndicatorReference: IndicatorReference)
     ? NodeRole: [+ NodeRole]
     ? AttackPhase: [+ AttackPhase]
     ? Reference: [+ Reference]
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorID = {
     id: IDtype
     name: text
     version: text
   }

   AlternativeIndicatorID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: [+ IndicatorID]
   }

   Observable = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? (System: System // Address: Address // DomainData: DomainData //
        EmailData: EmailData // Service: Service //
        WindowsRegistryKeysModified: WindowsRegistryKeysModified //
        FileData: FileData // CertificateData: CertificateData //
        RegistryHandle: RegistryHandle // RecordData: RecordData //
        EventData: EventData // Incident: Incident //
        Expectation: Expectation // Reference: Reference //
        Assessment: Assessment // DetectionPattern: DetectionPattern //
        HistoryItem: HistoryItem // BulkObservable: BulkObservable //
        AdditionalData: [+ ExtensionType])
   }

   BulkObservable = {
     ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
             "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
             "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
             "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
             "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
             "windows-reg-key" / "file-hash" / "email-x-mailer" /
             "email-subject" / "http-user-agent" / "http-request-uri" /
             "mutex" / "file-path" / "user-name" / "ext-value"
     ? ext-type: text
     ? BulkObservableFormat: BulkObservableFormat
     BulkObservableList: text
     ? AdditionalData: [+ ExtensionType]
   }

   BulkObservableFormat = {
     (Hash: Hash // AdditionalData: [+ ExtensionType])
   }

   IndicatorExpression = {
     ? operator: "not" / "and" / "or" / "xor" .default "and"
     ? ext-operator: text
     ? IndicatorExpression: [+ IndicatorExpression]
     ? Observable: [+ Observable]
     ? uid-ref: [+ IDREFType]
     ? IndicatorReference: [+ IndicatorReference]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorReference = {
     (uid-ref: IDREFType // euid-ref: text)
     ? version: text
   }

   AttackPhase = {
     ? AttackPhaseID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

                     Figure 8: Data Model in CDDL

6.  IANA Considerations

   This document does not require any IANA actions.

7.  Security Considerations

   This document does not provide any security considerations beyond
   those described in [RFC7970].

8.  Acknowledgments

   We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
   Morita, and Takahiko Nagata for their insightful comments on CDDL.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC7203]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, DOI 10.17487/RFC7203, April 2014,
              <https://www.rfc-editor.org/info/rfc7203>.
   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

9.2.  Informative References

   [jsonschema]
              Galiegue, F., Zyp, K., and G. Court, "JSON Schema: core
              definitions and terminology", 2013.

Appendix A.  Data Types used in this document

   The CDDL prelude used in this document is mapped to JSON as shown in
   the table below.

   +--------------+-------------+----------+-----------------+
   | CDDL Prelude | Use of JSON | Instance | Validation      |
   +--------------+-------------+----------+-----------------+
   | bytes        | n/a         | string   | tool available  |
   | text         | string      | string   | unnecessary     |
   | tdate        | n/a         | string   | 7.3.1 date-time |
   | integer      | n/a         | number   | integer         |
   | eb64legacy   | n/a         | string   | tool available  |
   | uri          | n/a         | string   | 7.3.6 uri       |
   | float32      | float32     | number   | unnecessary     |
   +--------------+-------------+----------+-----------------+

                Figure 9: CDDL Prelude mapping in JSON

Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON Schema for the IODEF data model defined
   in this draft.  Note that this section is informative.

   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing", "contact-source-site",
         "contact-target-site", "contact-sender", "investigate",
         "block-host", "block-network", "block-port", "rate-limit-host",
         "rate-limit-network", "rate-limit-port", "redirect-traffic",
         "honeypot", "upgrade-software", "rebuild-asset", "harden-asset",
         "remediate-other", "status-triage", "status-new-info",
         "watch-and-report", "training", "defined-coa", "other",
         "ext-value"]},
       "duration": {"enum": ["second", "minute", "hour", "day", "month",
         "quarter", "year", "ext-value"]},
       "SpecID": {
         "enum": ["urn:ietf:params:xml:ns:mile:mmdef:1.2", "private"]},
       "lang": {
         "type": "string", "pattern": "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback", "mitigation", "reporting", "watch",
         "other", "ext-value"]},
       "restriction": {"enum": ["public", "partner", "need-to-know",
         "private", "default", "white", "green", "amber", "red",
         "ext-value"]},
       "status": {"enum": ["new", "in-progress", "forwarded", "resolved",
         "future", "ext-value"]},
       "DATETIME": {"type": "string", "format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string", "pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
       "TimeZonetype": {
         "type": "string", "pattern": "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string", "pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
                   {"type": "object",
                    "properties": {
                      "value": {"type": "string"},
                      "lang": {"$ref": "#/definitions/lang"},
                      "translation-id": {"type": "string"}},
                    "required": ["value"],
                    "additionalProperties": false}]},
       "PositiveFloatType": {
         "type": "number", "minimum": 0, "exclusiveMinimum": true},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean", "byte", "bytes", "character",
             "json", "date-time", "ntpstamp", "integer", "portlist", "real",
             "string", "file", "path", "frame", "packet", "ipv4-packet",
             "ipv6-packet", "url", "csv", "winreg", "xml", "ext-value"],
             "default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction", "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value", "dtype"],
         "additionalProperties": false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom", "cpe", "swid", "ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes", "integer", "real", "string", "xml",
             "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"}, 2049 "RawData": { 2050 "type": "array", 2051 "items": {"$ref":"#/definitions/BYTE"}, 2052 "minItems": 1 2053 }, 2054 "Reference": { 2055 "type": "array", 2056 "items": {"$ref": "#/definitions/Reference"}, 2057 "minItems": 1 2058 }, 2059 "Platform": { 2060 "type": "array", 2061 "items": {"$ref": "#/definitions/Platform"}, 2062 "minItems": 1 2063 }, 2064 "Scoring": { 2065 "type": "array", 2066 "items": {"$ref": "#/definitions/Scoring"}, 2067 "minItems": 1}}, 2068 "allOf": [ 2069 {"required": ["SpecID"]}, 2070 {"anyOf": [ 2071 {"oneOf": [ 2072 {"required":["Reference"]}, 2073 {"required":["RawData"]}]}, 2074 { "not" : {"required":["Reference", "RawData"]}}]}], 2075 "additionalProperties": false}, 2076 "Platform": { 2077 "type": "object", 2078 "properties": { 2079 "SpecID": {"$ref":"#/definitions/SpecID"}, 2080 "ext-SpecID": {"type": "string"}, 2081 "ContentID": {"type": "string"}, 2082 "RawData": { 2083 "type": "array", 2084 "items": {"$ref":"#/definitions/BYTE"}, 2085 "minItems": 1 2086 }, 2087 "Reference": { 2088 "type": "array", 2089 "items": {"$ref": "#/definitions/Reference"}, 2090 "minItems": 1}}, 2091 "required": ["SpecID"], 2092 "additionalProperties": false}, 2093 "Scoring": { 2094 "type": "object", 2095 "properties": { 2096 "SpecID": {"$ref":"#/definitions/SpecID"}, 2097 "ext-SpecID": {"type": "string"}, 2098 "ContentID": {"type": "string"}, 2099 "RawData": { 2100 "type": "array", 2101 "items": {"$ref":"#/definitions/BYTE"}, 2102 "minItems": 1 2103 }, 2104 "Reference": { 2105 "type": "array", 2106 "items": {"$ref": "#/definitions/Reference"}, 2107 "minItems": 1}}, 2108 "required": ["SpecID"], 2109 "additionalProperties": false}, 2110 "Incident": { 2111 "title": "Incident", 2112 "description": "JSON schema for Incident class", 2113 "type": "object", 2114 "properties": { 2115 "purpose": {"$ref": "#/definitions/purpose"}, 2116 "ext-purpose": {"type": "string"}, 2117 "status": {"$ref": "#/definitions/status"}, 2118 "ext-status": 
{"type": "string"}, 2119 "lang": {"$ref": "#/definitions/lang"}, 2120 "restriction": {"$ref": "#/definitions/restriction", 2121 "default": "private"}, 2122 "ext-restriction": {"type": "string"}, 2123 "observable-id": {"$ref": "#/definitions/IDtype"}, 2124 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 2125 "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, 2126 "RelatedActivity": { 2127 "type": "array", 2128 "items": {"$ref": "#/definitions/RelatedActivity"}, 2129 "minItems": 1}, 2130 "DetectTime": {"$ref": "#/definitions/DATETIME"}, 2131 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2132 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2133 "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 2134 "ReportTime": {"$ref": "#/definitions/DATETIME"}, 2135 "GenerationTime": {"$ref": "#/definitions/DATETIME"}, 2136 "Description": { 2137 "type": "array", 2138 "items": {"$ref": "#/definitions/MLStringType"}, 2139 "minItems": 1}, 2140 "Discovery": { 2141 "type": "array", 2142 "items": {"$ref": "#/definitions/Discovery"}, 2143 "minItems": 1}, 2144 "Assessment": { 2145 "type": "array", 2146 "items": {"$ref": "#/definitions/Assessment"}, 2147 "minItems": 1}, 2148 "Method": { 2149 "type": "array", 2150 "items": {"$ref": "#/definitions/Method"}, 2151 "minItems": 1}, 2152 "Contact": { 2153 "type": "array", 2154 "items": {"$ref": "#/definitions/Contact"}, 2155 "minItems": 1}, 2156 "EventData": { 2157 "type": "array", 2158 "items": {"$ref": "#/definitions/EventData"}, 2159 "minItems": 1}, 2160 "Indicator": { 2161 "type": "array", 2162 "items": {"$ref": "#/definitions/Indicator"}, 2163 "minItems": 1}, 2164 "History": {"$ref": "#/definitions/History"}, 2165 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2166 "required": ["IncidentID","GenerationTime","Contact","purpose"], 2167 "additionalProperties": false}, 2168 "IncidentID": { 2169 "title": "IncidentID", 2170 "description": "JSON schema for IncidentID class", 2171 "type": "object", 2172 "properties": { 
2173 "id": {"type": "string"}, 2174 "name": {"type": "string"}, 2175 "instance": {"type": "string"}, 2176 "restriction": {"$ref": "#/definitions/restriction", 2177 "default": "private"}, 2178 "ext-restriction": {"type": "string"}}, 2179 "required": ["id","name"], 2180 "additionalProperties": false}, 2181 "AlternativeID": { 2182 "title": "AlternativeID", 2183 "description": "JSON schema for AlternativeID class", 2184 "type": "object", 2185 "properties": { 2186 "IncidentID": { 2187 "type": "array", 2188 "items":{"$ref": "#/definitions/IncidentID"}, 2189 "minItems": 1}, 2190 "restriction": {"$ref": "#/definitions/restriction", 2191 "default": "private"}, 2192 "ext-restriction": {"type": "string"}}, 2193 "required": ["IncidentID"], 2194 "additionalProperties": false}, 2195 "RelatedActivity": { 2196 "properties": { 2197 "restriction": {"$ref": "#/definitions/restriction", 2198 "default": "private"}, 2199 "ext-restriction": {"type": "string"}, 2200 "IncidentID": { 2201 "type": "array", 2202 "items": {"$ref": "#/definitions/IncidentID"}, 2203 "minItems": 1}, 2204 "URL": { 2205 "type": "array", 2206 "items": {"$ref": "#/definitions/URLtype"}, 2207 "minItems": 1}, 2208 "ThreatActor": { 2209 "type": "array", 2210 "items": {"$ref": "#/definitions/ThreatActor"}, 2211 "minItems": 1}, 2212 "Campaign": { 2213 "type": "array", 2214 "items": {"$ref": "#/definitions/Campaign"}, 2215 "minItems": 1}, 2216 "IndicatorID": { 2217 "type": "array", 2218 "items": {"$ref": "#/definitions/IndicatorID"}, 2219 "minItems": 1}, 2220 "Confidence": {"$ref": "#/definitions/Confidence"}, 2221 "Description": { 2222 "type": "array", 2223 "items": {"type": "string"}, 2224 "minItems": 1}, 2225 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2226 "additionalProperties": false}, 2227 "ThreatActor": { 2228 "properties": { 2229 "restriction": {"$ref": "#/definitions/restriction", 2230 "default": "private"}, 2231 "ext-restriction": {"type": "string"}, 2232 "ThreatActorID": { 2233 "type": 
"array", 2234 "items": {"type": "string"}, 2235 "minItems": 1}, 2236 "Description": { 2237 "type": "array", 2238 "items": {"$ref": "#/definitions/MLStringType"}, 2239 "minItems": 1}, 2240 "URL": { 2241 "type":"array", 2242 "items":{"$ref":"#/definitions/URLtype"}, 2243 "minItems": 1}, 2244 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2245 "additionalProperties": false}, 2246 "Campaign": { 2247 "properties": { 2248 "restriction": {"$ref": "#/definitions/restriction", 2249 "default": "private"}, 2250 "ext-restriction": {"type": "string"}, 2251 "CampaignID": { 2252 "type": "array", 2253 "items": {"type": "string"}, 2254 "minItems": 1}, 2255 "URL": { 2256 "type":"array", 2257 "items":{"$ref":"#/definitions/URLtype"}, 2258 "minItems": 1}, 2259 "Description": { 2260 "type": "array", 2261 "items": {"$ref": "#/definitions/MLStringType"}, 2262 "minItems": 1}, 2264 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, 2265 "Contact": { 2266 "type": "object", 2267 "properties": { 2268 "role": { 2269 "enum":["creator","reporter","admin","tech","provider","user", 2270 "billing","legal","irt","abuse","cc","cc-irt","leo", 2271 "vendor","vendor-support","victim","victim-notified", 2272 "ext-value"]}, 2273 "ext-role": {"type": "string"}, 2274 "type": {"enum": ["person","organization","ext-value"]}, 2275 "ext-type": {"type": "string"}, 2276 "restriction": {"$ref": "#/definitions/restriction", 2277 "default": "private"}, 2278 "ext-restriction": {"type": "string"}, 2279 "ContactName": { 2280 "type": "array", 2281 "items": {"$ref": "#/definitions/MLStringType"}, 2282 "minItems": 1}, 2283 "ContactTitle": { 2284 "type": "array", 2285 "items": {"$ref": "#/definitions/MLStringType"}, 2286 "minItems": 1}, 2287 "Description": { 2288 "type": "array", 2289 "items": {"$ref": "#/definitions/MLStringType"}, 2290 "minItems": 1}, 2291 "RegistryHandle": { 2292 "type":"array", 2293 "items":{"$ref":"#/definitions/RegistryHandle"}, 2294 "minItems": 1}, 2295 "PostalAddress": 
{ 2296 "type":"array", 2297 "items":{"$ref":"#/definitions/PostalAddress"}, 2298 "minItems": 1}, 2299 "Email": { 2300 "type": "array", 2301 "items": {"$ref": "#/definitions/Email"}, 2302 "minItems": 1}, 2303 "Telephone": { 2304 "type": "array", 2305 "items": {"$ref": "#/definitions/Telephone"}, 2306 "minItems": 1}, 2307 "Timezone": {"$ref": "#/definitions/TimeZonetype"}, 2308 "Contact": { 2309 "type": "array", 2310 "items": {"$ref": "#/definitions/Contact"}, 2311 "minItems": 1}, 2313 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2314 "required": ["role","type"], 2315 "additionalProperties": false}, 2316 "RegistryHandle": { 2317 "type": "object", 2318 "properties": { 2319 "handle": {"type": "string"}, 2320 "registry": { 2321 "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", 2322 "local","ext-value"]}, 2323 "ext-registry": {"type": "string"}}, 2324 "required": ["handle","registry"], 2325 "additionalProperties": false}, 2326 "PostalAddress": { 2327 "type": "object", 2328 "properties": { 2329 "type": { 2330 "enum": ["street","mailing","ext-value"]}, 2331 "ext-type": {"type": "string"}, 2332 "PAddress": {"$ref": "#/definitions/PAddressType"}, 2333 "Description": { 2334 "type": "array", 2335 "items": {"$ref": "#/definitions/MLStringType"}, 2336 "minItems": 1}}, 2337 "required": ["PAddress"], 2338 "additionalProperties": false}, 2339 "Email": { 2340 "type": "object", 2341 "properties": { 2342 "type": { 2343 "enum":["direct","hotline","ext-value"]}, 2344 "ext-type": {"type": "string"}, 2345 "EmailTo": {"type": "string"}, 2346 "Description": { 2347 "type": "array", 2348 "items": {"$ref": "#/definitions/MLStringType"}, 2349 "minItems": 1}}, 2350 "required": ["EmailTo"], 2351 "additionalProperties": false}, 2352 "Telephone": { 2353 "type": "object", 2354 "properties": { 2355 "type": { 2356 "enum":["wired","mobile","fax","hotline","ext-value"]}, 2357 "ext-type": {"type": "string"}, 2358 "TelephoneNumber": {"type": "string"}, 2359 "Description": { 
2360 "type": "array", 2361 "items": {"$ref": "#/definitions/MLStringType"}, 2362 "minItems": 1}}, 2363 "required": ["TelephoneNumber"], 2364 "additionalProperties": false}, 2365 "Discovery": { 2366 "type": "object", 2367 "properties": { 2368 "source": { 2369 "enum":["nidps","hips","siem","av","third-party-monitoring", 2370 "incident","os-log","application-log","device-log", 2371 "network-flow","passive-dns","investigation","audit", 2372 "internal-notification","external-notification","leo", 2373 "partner","actor","unknown","ext-value"]}, 2374 "ext-source": {"type": "string"}, 2375 "restriction": {"$ref": "#/definitions/restriction", 2376 "default": "private"}, 2377 "ext-restriction": {"type": "string"}, 2378 "Description": { 2379 "type": "array", 2380 "items": {"$ref": "#/definitions/MLStringType"}, 2381 "minItems": 1}, 2382 "Contact": { 2383 "type": "array", 2384 "items": {"$ref": "#/definitions/Contact"}, 2385 "minItems": 1}, 2386 "DetectionPattern": { 2387 "type":"array", 2388 "items":{"$ref":"#/definitions/DetectionPattern"}, 2389 "minItems": 1}}, 2390 "required": [], 2391 "additionalProperties": false}, 2392 "DetectionPattern": { 2393 "type": "object", 2394 "properties": { 2395 "restriction": {"$ref": "#/definitions/restriction", 2396 "default": "private"}, 2397 "ext-restriction": {"type": "string"}, 2398 "observable-id": {"$ref": "#/definitions/IDtype"}, 2399 "Application": {"$ref": "#/definitions/SoftwareType"}, 2400 "Description": { 2401 "type": "array", 2402 "items": {"$ref": "#/definitions/MLStringType"}, 2403 "minItems": 1}, 2404 "DetectionConfiguration": { 2405 "type": "array", 2406 "items": {"type": "string"}, 2407 "minItems": 1}}, 2408 "allOf": [ 2409 {"required": ["Application"]}, 2410 {"oneOf": [ 2411 {"required":["Description"]}, 2412 {"required":["DetectionConfiguration"]}]}], 2413 "additionalProperties": false}, 2414 "Method": { 2415 "type": "object", 2416 "properties": { 2417 "restriction": {"$ref": "#/definitions/restriction", 2418 "default": 
"private"}, 2419 "ext-restriction": {"type": "string"}, 2420 "Reference": { 2421 "type": "array", 2422 "items": {"$ref": "#/definitions/Reference"}, 2423 "minItems": 1}, 2424 "Description": { 2425 "type": "array", 2426 "items": {"$ref": "#/definitions/MLStringType"}, 2427 "minItems": 1}, 2428 "AttackPattern": { 2429 "type":"array", 2430 "items":{"$ref":"#/definitions/StructuredInfo"}, 2431 "minItems": 1}, 2432 "Vulnerability": { 2433 "type":"array", 2434 "items":{"$ref":"#/definitions/StructuredInfo"}, 2435 "minItems": 1}, 2436 "Weakness": { 2437 "type":"array", 2438 "items":{"$ref":"#/definitions/StructuredInfo"}, 2439 "minItems": 1}, 2440 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2441 "required": [], 2442 "additionalProperties": false}, 2443 "Reference": { 2444 "type": "object", 2445 "properties": { 2446 "observable-id": {"$ref": "#/definitions/IDtype"}, 2447 "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, 2448 "URL":{ 2449 "type":"array", 2450 "items":{"$ref":"#/definitions/URLtype"}, 2451 "minItems": 1}, 2452 "Description": { 2453 "type": "array", 2454 "items": {"$ref": "#/definitions/MLStringType"}, 2455 "minItems": 1}}, 2456 "required": [], 2457 "additionalProperties": false}, 2458 "ReferenceName" : { 2459 "type": "object", 2460 "properties": { 2461 "specIndex": {"type": "number"}, 2462 "ID": {"$ref":"#/definitions/IDtype"}}, 2463 "required": ["specIndex","ID"], 2464 "additionalProperties": false}, 2465 "Assessment": { 2466 "type": "object", 2467 "properties": { 2468 "occurrence": {"enum":["actual","potential"]}, 2469 "restriction": {"$ref": "#/definitions/restriction", 2470 "default": "private"}, 2471 "ext-restriction": {"type": "string"}, 2472 "observable-id": {"$ref": "#/definitions/IDtype"}, 2473 "IncidentCategory": { 2474 "type": "array", 2475 "items": {"$ref": "#/definitions/MLStringType"}, 2476 "minItems": 1}, 2477 "Impact": { 2478 "type": "array", 2479 "items": { 2480 "properties": { 2481 
"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, 2482 "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, 2483 "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, 2484 "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, 2485 "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, 2486 "additionalProperties":false}, 2487 "minItems" : 1 2488 }, 2489 "Counter": { 2490 "type": "array", 2491 "items": {"$ref": "#/definitions/Counter"}, 2492 "minItems": 1}, 2493 "MitigatingFactor": { 2494 "type": "array", 2495 "items": {"$ref": "#/definitions/MLStringType"}, 2496 "minItems": 1}, 2497 "Cause": { 2498 "type": "array", 2499 "items": {"$ref": "#/definitions/MLStringType"}, 2500 "minItems": 1}, 2501 "Confidence": {"$ref": "#/definitions/Confidence"}, 2502 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2503 "required": ["Impact"], 2504 "additionalProperties": false}, 2506 "SystemImpact": { 2507 "type": "object", 2508 "properties": { 2509 "severity": {"enum":["low","medium","high"]}, 2510 "completion": {"enum":["failed","succeeded"]}, 2511 "type": { 2512 "enum":["takeover-account","takeover-service", 2513 "takeover-system","cps-manipulation","cps-damage", 2514 "availability-data","availability-account", 2515 "availability-service","availability-system", 2516 "damaged-system","damaged-data","breach-proprietary", 2517 "breach-privacy","breach-credential", 2518 "breach-configuration","integrity-data", 2519 "integrity-configuration","integrity-hardware", 2520 "traffic-redirection","monitoring-traffic", 2521 "monitoring-host","policy","unknown","ext-value"]}, 2522 "ext-type": {"type": "string"}, 2523 "Description": { 2524 "type": "array", 2525 "items": {"$ref": "#/definitions/MLStringType"}, 2526 "minItems": 1}}, 2527 "required": ["type"], 2528 "additionalProperties": false}, 2529 "BusinessImpact": { 2530 "type": "object", 2531 "properties": { 2532 "severity": {"enum":["none","low","medium","high","unknown", 2533 "ext-value"],"default": "unknown"}, 
2534 "ext-severity": {"type":"string"}, 2535 "type": {"enum":["breach-proprietary","breach-privacy", 2536 "breach-credential","loss-of-integrity","loss-of-service", 2537 "theft-financial","theft-service","degraded-reputation", 2538 "asset-damage","asset-manipulation","legal","extortion", 2539 "unknown","ext-value"]}, 2540 "ext-type": {"type": "string"}, 2541 "Description": { 2542 "type": "array", 2543 "items": {"$ref": "#/definitions/MLStringType"}, 2544 "minItems": 1}}, 2545 "required": ["type"], 2546 "additionalProperties": false}, 2547 "TimeImpact": { 2548 "type": "object", 2549 "properties": { 2550 "value": {"$ref": "#/definitions/PositiveFloatType"}, 2551 "severity": {"enum": ["low","medium","high"]}, 2552 "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, 2553 "ext-metric": {"type": "string"}, 2554 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 2555 "ext-duration": {"type": "string"}}, 2556 "required": ["value","metric"], 2557 "additionalProperties": false}, 2558 "MonetaryImpact": { 2559 "type": "object", 2560 "properties": { 2561 "value": {"$ref": "#/definitions/PositiveFloatType"}, 2562 "severity": {"enum":["low","medium","high"]}, 2563 "currency": {"type": "string"}}, 2564 "required": ["value"], 2565 "additionalProperties": false}, 2566 "Confidence": { 2567 "type": "object", 2568 "properties": { 2569 "value": {"type": "number"}, 2570 "rating": {"enum": ["low","medium","high","numeric","unknown", 2571 "ext-value"]}, 2572 "ext-rating": {"type":"string"}}, 2573 "required": ["value","rating"], 2574 "additionalProperties": false}, 2575 "History": { 2576 "type": "object", 2577 "properties": { 2578 "restriction": {"$ref": "#/definitions/restriction", 2579 "default": "private"}, 2580 "ext-restriction": {"type": "string"}, 2581 "HistoryItem": { 2582 "type": "array", 2583 "items": {"$ref": "#/definitions/HistoryItem"}, 2584 "minItems": 1}}, 2585 "required": ["HistoryItem"], 2586 "additionalProperties": false}, 2587 "HistoryItem": { 
2588 "type": "object", 2589 "properties": { 2590 "action": {"$ref": "#/definitions/action","default": "other"}, 2591 "ext-action": {"type": "string"}, 2592 "restriction": {"$ref": "#/definitions/restriction", 2593 "default": "private"}, 2594 "ext-restriction": {"type": "string"}, 2595 "observable-id": {"$ref": "#/definitions/IDtype"}, 2596 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2597 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 2598 "Contact": {"$ref": "#/definitions/Contact"}, 2599 "Description": { 2600 "type": "array", 2601 "items": {"$ref": "#/definitions/MLStringType"}, 2602 "minItems": 1}, 2603 "DefinedCOA": { 2604 "type": "array", 2605 "items": {"type": "string"}, 2606 "minItems": 1}, 2607 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2608 "required": ["DateTime","action"], 2609 "additionalProperties": false}, 2610 "EventData": { 2611 "type": "object", 2612 "properties": { 2613 "restriction": {"$ref": "#/definitions/restriction", 2614 "default": "private"}, 2615 "ext-restriction": {"type": "string"}, 2616 "observable-id": {"$ref": "#/definitions/IDtype"}, 2617 "Description": {"type": "array", 2618 "items": { "$ref":"#/definitions/MLStringType"}}, 2619 "DetectTime": {"$ref": "#/definitions/DATETIME"}, 2620 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2621 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2622 "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 2623 "ReportTime": {"$ref": "#/definitions/DATETIME"}, 2624 "Contact": { 2625 "type": "array", 2626 "items": {"$ref": "#/definitions/Contact"}, 2627 "minItems": 1}, 2628 "Discovery": { 2629 "type": "array", 2630 "items": {"$ref": "#/definitions/Discovery"}, 2631 "minItems": 1}, 2632 "Assessment": {"$ref": "#/definitions/Assessment"}, 2633 "Method": { 2634 "type": "array", 2635 "items": {"$ref": "#/definitions/Method"}, 2636 "minItems": 1}, 2637 "System": { 2638 "type": "array", 2639 "items": {"$ref": "#/definitions/System"}, 2640 "minItems": 1}, 2641 "Expectation": { 2642 
"type": "array", 2643 "items": {"$ref": "#/definitions/Expectation"}, 2644 "minItems": 1}, 2645 "RecordData": { 2646 "type": "array", 2647 "items": {"$ref": "#/definitions/RecordData"}, 2648 "minItems": 1}, 2649 "EventData": { 2650 "type": "array", 2651 "items": {"$ref": "#/definitions/EventData"}, 2652 "minItems": 1}, 2653 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2654 "required": [], 2655 "additionalProperties": false}, 2656 "Expectation": { 2657 "type": "object", 2658 "properties": { 2659 "action": {"$ref":"#/definitions/action","default": "other"}, 2660 "ext-action": {"type": "string"}, 2661 "severity": {"enum": ["low","medium","high"]}, 2662 "restriction": {"$ref": "#/definitions/restriction", 2663 "default": "default"}, 2664 "ext-restriction": {"type": "string"}, 2665 "observable-id": {"$ref": "#/definitions/IDtype"}, 2666 "Description": { 2667 "type": "array", 2668 "items": {"$ref": "#/definitions/MLStringType"}, 2669 "minItems": 1}, 2670 "DefinedCOA": { 2671 "type": "array", 2672 "items": {"type": "string"}, 2673 "minItems": 1}, 2674 "StartTime": {"$ref": "#/definitions/DATETIME"}, 2675 "EndTime": {"$ref": "#/definitions/DATETIME"}, 2676 "Contact": {"$ref": "#/definitions/Contact"}}, 2677 "required": [], 2678 "additionalProperties": false}, 2679 "System": { 2680 "type": "object", 2681 "properties": { 2682 "category": { 2683 "enum": ["source","target","intermediate","sensor", 2684 "infrastructure","ext-value"]}, 2685 "ext-category": {"type": "string"}, 2686 "interface": {"type": "string"}, 2687 "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, 2688 "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, 2689 "ownership": { 2690 "enum":["organization","personal","partner","customer", 2691 "no-relationship","unknown","ext-value"]}, 2692 "ext-ownership": {"type": "string"}, 2693 "restriction": {"$ref": "#/definitions/restriction", 2694 "default": "private"}, 2695 "ext-restriction": {"type": "string"}, 2696 
"observable-id": {"$ref": "#/definitions/IDtype"}, 2697 "Node": {"$ref": "#/definitions/Node"}, 2698 "NodeRole": { 2699 "type": "array", 2700 "items": {"$ref": "#/definitions/NodeRole"}, 2701 "minItems": 1}, 2702 "Service": { 2703 "type": "array", 2704 "items": {"$ref": "#/definitions/Service"}, 2705 "minItems": 1}, 2706 "OperatingSystem": { 2707 "type": "array", 2708 "items": {"$ref": "#/definitions/SoftwareType"}, 2709 "minItems": 1}, 2710 "Counter": { 2711 "type": "array", 2712 "items": {"$ref": "#/definitions/Counter"}, 2713 "minItems": 1}, 2714 "AssetID": { 2715 "type": "array", 2716 "items": {"type": "string"}, 2717 "minItems": 1}, 2718 "Description": { 2719 "type": "array", 2720 "items": {"$ref": "#/definitions/MLStringType"}, 2721 "minItems": 1}, 2722 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2723 "required": ["Node"], 2724 "additionalProperties": false}, 2725 "Node": { 2726 "type": "object", 2727 "properties": { 2728 "DomainData": { 2729 "type": "array", 2730 "items": {"$ref": "#/definitions/DomainData"}, 2731 "minItems": 1}, 2732 "Address": { 2733 "type": "array", 2734 "items": {"$ref": "#/definitions/Address"}, 2735 "minItems": 1}, 2736 "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, 2737 "Location": { 2738 "type": "array", 2739 "items": {"$ref": "#/definitions/MLStringType"}, 2740 "minItems": 1}, 2741 "Counter": { 2742 "type":"array", 2743 "items":{"$ref":"#/definitions/Counter"}, 2744 "minItems": 1}}, 2745 "anyOf": [ 2746 {"required": ["DomainData"]}, 2747 {"required": ["Address"]} 2748 ], 2749 "additionalProperties": false}, 2750 "Address": { 2751 "type": "object", 2752 "properties": { 2753 "value": {"type": "string"}, 2754 "category": { 2755 "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", 2756 "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", 2757 "ipv6-net-masked","mac","site-uri","ext-value"], 2758 "default": "ipv6-addr"}, 2759 "ext-category": {"type": "string"}, 2760 "vlan-name": {"type": "string"}, 2761 
"vlan-num": {"type": "number"}, 2762 "observable-id": {"$ref": "#/definitions/IDtype"}}, 2763 "required": ["value","category"], 2764 "additionalProperties": false}, 2765 "NodeRole": { 2766 "type": "object", 2767 "properties": { 2768 "category": { 2769 "enum":["client","client-enterprise","client-partner", 2770 "client-remote","client-kiosk","client-mobile", 2771 "server-internal","server-public","www","mail","webmail", 2772 "messaging","streaming","voice","file","ftp","p2p","name", 2773 "directory","credential","print","application","database", 2774 "backup","dhcp","assessment","source-control", 2775 "config-management","monitoring","infra","infra-firewall", 2776 "infra-router","infra-switch","camera","proxy", 2777 "remote-access","log","virtualization","pos", "scada", 2778 "scada-supervisory","sinkhole","honeypot","anomyzation", 2779 "c2-server","malware-distribution","drop-server", 2780 "hop-point","reflector","phishing-site", 2781 "spear-phishing-site","recruiting-site","fraudulent-site", 2782 "ext-value"]}, 2783 "ext-category": {"type": "string"}, 2784 "Description": { 2785 "type": "array", 2786 "items": {"$ref": "#/definitions/MLStringType"}, 2787 "minItems": 1}}, 2788 "required": ["category"], 2789 "additionalProperties": false}, 2790 "Counter": { 2791 "type": "object", 2792 "properties": { 2793 "value": {"type": "number"}, 2794 "type": {"enum": ["count","peak","average","ext-value"]}, 2795 "ext-type": {"type": "string"}, 2796 "unit":{"enum":["byte","mbit","packet","flow","session","alert", 2797 "message","event","host","site","organization","ext-value"]}, 2798 "ext-unit": {"type": "string"}, 2799 "meaning": {"type": "string"}, 2800 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 2801 "ext-duration": {"type": "string"}}, 2802 "required": ["value","type","unit"], 2803 "additionalProperties": false}, 2804 "DomainData": { 2805 "type": "object", 2806 "properties": { 2807 "system-status": { 2808 "enum": ["spoofed","fraudulent","innocent-hacked", 
2809 "innocent-hijacked","unknown","ext-value"]}, 2810 "ext-system-status": {"type": "string"}, 2811 "domain-status": { 2812 "enum": [ "reservedDelegation","assignedAndActive", 2813 "assignedAndInactive","assignedAndOnHold","revoked", 2814 "transferPending","registryLock","registrarLock", 2815 "other","unknown","ext-value"]}, 2816 "ext-domain-status": {"type": "string"}, 2817 "observable-id": {"$ref": "#/definitions/IDtype"}, 2818 "Name": {"type": "string"}, 2819 "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, 2820 "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, 2821 "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, 2822 "RelatedDNS": { 2823 "type": "array", 2824 "items": {"$ref": "#/definitions/ExtensionType"}, 2825 "minItems": 1}, 2826 "NameServers": { 2827 "type": "array", 2828 "items": {"$ref": "#/definitions/NameServers"}, 2829 "minItems": 1}, 2830 "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, 2831 "required": ["Name","system-status","domain-status"], 2832 "additionalProperties": false}, 2833 "NameServers": { 2834 "type": "object", 2835 "properties": { 2836 "Server": {"type": "string"}, 2837 "Address": { 2838 "type":"array", 2839 "items":{"$ref":"#/definitions/Address"}, 2840 "minItems": 1}}, 2841 "required": ["Server","Address"], 2842 "additionalProperties": false}, 2843 "DomainContacts": { 2844 "type": "object", 2845 "properties": { 2846 "SameDomainContact": {"type": "string"}, 2847 "Contact": { 2848 "type":"array", 2849 "items":{"$ref":"#/definitions/Contact"}, 2850 "minItems": 1}}, 2851 "oneOf": [ 2852 {"required": ["SameDomainContact"]}, 2853 {"required": ["Contact"]}], 2854 "additionalProperties": false}, 2855 "Service": { 2856 "type": "object", 2857 "properties": { 2858 "ip-protocol": {"type": "number"}, 2859 "observable-id": {"$ref": "#/definitions/IDtype"}, 2860 "ServiceName": {"$ref": "#/definitions/ServiceName"}, 2861 "Port": {"type": "number"}, 2862 "Portlist": {"$ref": "#/definitions/PortlistType"}, 2863 
"ProtoCode": {"type": "number"}, 2864 "ProtoType": {"type": "number"}, 2865 "ProtoField": {"type": "number"}, 2866 "ApplicationHeaderField":{ 2867 "$ref":"#/definitions/ExtensionTypeList"}, 2868 "EmailData": {"$ref": "#/definitions/EmailData"}, 2869 "Application": {"$ref": "#/definitions/SoftwareType"}}, 2870 "required": [], 2871 "additionalProperties": false}, 2872 "ServiceName": { 2873 "type": "object", 2874 "properties": { 2875 "IANAService": {"type": "string"}, 2876 "URL": { 2877 "type": "array","items": {"$ref": "#/definitions/URLtype"}}, 2878 "Description": { 2879 "type": "array", 2880 "items": {"$ref": "#/definitions/MLStringType"}, 2881 "minItems": 1}}, 2882 "required": [], 2883 "additionalProperties": false}, 2884 "EmailData": { 2885 "type": "object", 2886 "properties": { 2887 "observable-id": {"$ref": "#/definitions/IDtype"}, 2888 "EmailTo": { 2889 "type": "array", 2890 "items": {"type": "string"}, 2891 "minItems": 1}, 2892 "EmailFrom": {"type": "string"}, 2893 "EmailSubject": {"type": "string"}, 2894 "EmailX-Mailer": {"type": "string"}, 2895 "EmailHeaderField": { 2896 "type": "array", 2897 "items": {"$ref": "#/definitions/ExtensionType"}, 2898 "minItems": 1}, 2899 "EmailHeaders": {"type": "string"}, 2900 "EmailBody": {"type": "string"}, 2901 "EmailMessage": {"type": "string"}, 2902 "HashData": { 2903 "type": "array", 2904 "items": {"$ref": "#/definitions/HashData"}, 2905 "minItems": 1}, 2906 "Signature": { 2907 "type": "array", 2908 "items": {"$ref": "#/definitions/BYTE"}, 2909 "minItems": 1}}, 2910 "required": [], 2911 "additionalProperties": false}, 2912 "RecordData": { 2913 "type": "object", 2914 "properties": { 2915 "restriction": {"$ref": "#/definitions/restriction", 2916 "default": "private"}, 2917 "ext-restriction": {"type": "string"}, 2918 "observable-id": {"$ref": "#/definitions/IDtype"}, 2919 "DateTime": {"$ref": "#/definitions/DATETIME"}, 2920 "Description": { 2921 "type": "array", 2922 "items": {"$ref": "#/definitions/MLStringType"}, 2923 
"minItems": 1}, 2924 "Application": {"$ref": "#/definitions/SoftwareType"}, 2925 "RecordPattern": { 2926 "type": "array", 2927 "items": {"$ref": "#/definitions/RecordPattern"}, 2928 "minItems": 1}, 2929 "RecordItem": { 2930 "type": "array", 2931 "items": {"$ref": "#/definitions/ExtensionType"}, 2932 "minItems": 1}, 2933 "URL": { 2934 "type": "array", 2935 "items": {"$ref": "#/definitions/URLtype"}, 2936 "minItems": 1}, 2937 "FileData": { 2938 "type": "array", 2939 "items": {"$ref": "#/definitions/FileData"}, 2940 "minItems": 1}, 2941 "WindowsRegistryKeysModified": { 2942 "type": "array", 2943 "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, 2944 "minItems": 1}, 2945 "CertificateData": { 2946 "type":"array", 2947 "items":{"$ref":"#/definitions/CertificateData"}, 2948 "minItems": 1}, 2949 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 2950 "required": [], 2951 "additionalProperties": false}, 2952 "RecordPattern": { 2953 "type": "object", 2954 "properties": { 2955 "value": {"type": "string"}, 2956 "type": {"enum": ["regex","binary","xpath","ext-value"], 2957 "default": "regex"}, 2958 "ext-type": {"type": "string"}, 2959 "offset": {"type": "number"}, 2960 "offsetunit": {"enum":["line","byte","ext-value"] , 2961 "default": "line"}, 2962 "ext-offsetunit": {"type": "string"}, 2963 "instance": {"type": "number"}}, 2964 "required": ["value","type"], 2965 "additionalProperties": false}, 2966 "WindowsRegistryKeysModified": { 2967 "type": "object", 2968 "properties": { 2969 "observable-id": {"$ref": "#/definitions/IDtype"}, 2970 "Key": { 2971 "type": "array", 2972 "items": {"$ref": "#/definitions/Key"}, 2973 "minItems": 1}}, 2974 "required": ["Key"], 2975 "additionalProperties": false}, 2976 "Key": { 2977 "type": "object", 2978 "properties": { 2979 "registryaction": {"enum": ["add-key","add-value","delete-key", 2980 "delete-value","modify-key","modify-value", 2981 "ext-value"]}, 2982 "ext-registryaction": {"type": "string"}, 2983 "observable-id": 
{"$ref": "#/definitions/IDtype"}, 2984 "KeyName": {"type":"string"}, 2985 "KeyValue": {"type": "string"}}, 2987 "required": ["KeyName"], 2988 "additionalProperties": false}, 2989 "CertificateData": { 2990 "type": "object", 2991 "properties": { 2992 "restriction": {"$ref": "#/definitions/restriction", 2993 "default": "private"}, 2994 "ext-restriction": {"type": "string"}, 2995 "observable-id": {"$ref": "#/definitions/IDtype"}, 2996 "Certificate": { 2997 "type": "array", 2998 "items": {"$ref": "#/definitions/Certificate"}, 2999 "minItems": 1}}, 3000 "required": ["Certificate"], 3001 "additionalProperties": false}, 3002 "Certificate": { 3003 "type": "object", 3004 "properties": { 3005 "observable-id": {"$ref": "#/definitions/IDtype"}, 3006 "X509Data": {"$ref": "#/definitions/BYTE"}, 3007 "Description": { 3008 "type": "array", 3009 "items": {"$ref": "#/definitions/MLStringType"}, 3010 "minItems": 1}}, 3011 "required": ["X509Data"], 3012 "additionalProperties": false}, 3013 "FileData": { 3014 "type": "object", 3015 "properties": { 3016 "restriction": {"$ref": "#/definitions/restriction"}, 3017 "ext-restriction": {"type": "string"}, 3018 "observable-id": {"$ref": "#/definitions/IDtype"}, 3019 "File": { 3020 "type": "array", 3021 "items": {"$ref": "#/definitions/File"}, 3022 "minItems": 1}}, 3023 "required": ["File"], 3024 "additionalProperties": false}, 3025 "File": { 3026 "type": "object", 3027 "properties": { 3028 "observable-id": {"$ref": "#/definitions/IDtype"}, 3029 "FileName": {"type": "string"}, 3030 "FileSize": {"type": "number"}, 3031 "FileType": {"type": "string"}, 3032 "URL": { 3033 "type": "array", 3034 "items": {"$ref": "#/definitions/URLtype"}, 3035 "minItems": 1}, 3036 "HashData": {"$ref": "#/definitions/HashData"}, 3037 "Signature": { 3038 "type": "array", 3039 "items": {"$ref": "#/definitions/BYTE"}, 3040 "minItems": 1}, 3041 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 3042 "FileProperties": { 3043 "type":"array", 3044 
"items":{"$ref":"#/definitions/ExtensionType"}, 3045 "minItems": 1}}, 3046 "required": [], 3047 "additionalProperties": false}, 3048 "HashData": { 3049 "type": "object", 3050 "properties": { 3051 "scope": {"enum": ["file-contents","file-pe-section", 3052 "file-pe-iat","file-pe-resource","file-pdf-object", 3053 "email-hash","email-headers-hash","email-body-hash", 3054 "ext-value"]}, 3055 "HashTargetID": {"type": "string"}, 3056 "Hash": { 3057 "type": "array", 3058 "items": {"$ref": "#/definitions/Hash"}, 3059 "minItems": 1}, 3060 "FuzzyHash": { 3061 "type": "array", 3062 "items": {"$ref": "#/definitions/FuzzyHash"}, 3063 "minItems": 1}}, 3064 "required": ["scope"], 3065 "additionalProperties": false}, 3066 "Hash": { 3067 "type": "object", 3068 "properties": { 3069 "DigestMethod": {"$ref": "#/definitions/BYTE"}, 3070 "DigestValue": {"$ref": "#/definitions/BYTE"}, 3071 "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, 3072 "Application": {"$ref": "#/definitions/SoftwareType"}}, 3073 "required": ["DigestMethod","DigestValue"], 3074 "additionalProperties": false}, 3075 "FuzzyHash": { 3076 "type": "object", 3077 "properties": { 3078 "FuzzyHashValue": { 3079 "type": "array", 3080 "items": {"$ref": "#/definitions/ExtensionType"}, 3081 "minItems": 1}, 3082 "Application": {"$ref": "#/definitions/SoftwareType"}, 3083 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3084 "required": ["FuzzyHashValue"], 3085 "additionalProperties": false}, 3086 "Indicator": { 3087 "type": "object", 3088 "properties": { 3089 "restriction": {"$ref": "#/definitions/restriction", 3090 "default": "private"}, 3091 "ext-restriction": {"type": "string"}, 3092 "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 3093 "AlternativeIndicatorID": { 3094 "type": "array", 3095 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, 3096 "minItems": 1}, 3097 "Description": { 3098 "type": "array", 3099 "items": {"$ref": "#/definitions/MLStringType"}, 3100 "minItems": 1}, 3101 
"StartTime": {"$ref": "#/definitions/DATETIME"}, 3102 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3103 "Confidence": {"$ref": "#/definitions/Confidence"}, 3104 "Contact": { 3105 "type": "array", 3106 "items": {"$ref": "#/definitions/Contact"}, 3107 "minItems": 1}, 3108 "Observable": {"$ref": "#/definitions/Observable"}, 3109 "uid-ref": {"$ref": "#/definitions/IDREFType"}, 3110 "IndicatorExpression":{ 3111 "$ref":"#/definitions/IndicatorExpression"}, 3112 "IndicatorReference":{ 3113 "$ref": "#/definitions/IndicatorReference"}, 3114 "NodeRole": { 3115 "type": "array", 3116 "items": {"$ref": "#/definitions/NodeRole"}, 3117 "minItems": 1}, 3118 "AttackPhase": { 3119 "type": "array", 3120 "items": {"$ref": "#/definitions/AttackPhase"}, 3121 "minItems": 1}, 3122 "Reference": { 3123 "type": "array", 3124 "items": {"$ref": "#/definitions/Reference"}, 3125 "minItems": 1}, 3126 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3127 "allOf": [ 3128 {"required": ["IndicatorID"]}, 3129 {"oneOf": [ 3130 {"required":["Observable"]}, 3131 {"required":["uid-ref"]}, 3132 {"required":["IndicatorExpression"]}, 3133 {"required":["IndicatorReference"]}]}], 3134 "additionalProperties": false}, 3135 "IndicatorID": { 3136 "type": "object", 3137 "properties": { 3138 "id": {"type": "string"}, 3139 "name": {"type": "string"}, 3140 "version": {"type": "string"}}, 3141 "required": ["id","name","version"], 3142 "additionalProperties": false}, 3143 "AlternativeIndicatorID": { 3144 "type": "object", 3145 "properties": { 3146 "restriction": {"$ref": "#/definitions/restriction", 3147 "default": "private"}, 3148 "ext-restriction": {"type": "string"}, 3149 "IndicatorID": { 3150 "type": "array", 3151 "items": {"$ref": "#/definitions/IndicatorID"}, 3152 "minItems": 1}}, 3153 "required": ["IndicatorID"], 3154 "additionalProperties": false}, 3155 "Observable": { 3156 "type": "object", 3157 "properties": { 3158 "restriction": {"$ref": "#/definitions/restriction", 3159 "default": "private"}, 
3160 "ext-restriction": {"type": "string"}, 3161 "System": {"$ref": "#/definitions/System"}, 3162 "Address": {"$ref": "#/definitions/Address"}, 3163 "DomainData": {"$ref": "#/definitions/DomainData"}, 3164 "EmailData": {"$ref": "#/definitions/EmailData"}, 3165 "Service": {"$ref": "#/definitions/Service"}, 3166 "WindowsRegistryKeysModified": { 3167 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 3168 "FileData": {"$ref": "#/definitions/FileData"}, 3169 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 3170 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 3171 "RecordData": {"$ref": "#/definitions/RecordData"}, 3172 "EventData": {"$ref": "#/definitions/EventData"}, 3173 "Incident": {"$ref": "#/definitions/Incident"}, 3174 "Expectation": {"$ref": "#/definitions/Expectation"}, 3175 "Reference": {"$ref": "#/definitions/Reference"}, 3176 "Assessment": {"$ref": "#/definitions/Assessment"}, 3177 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 3178 "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, 3179 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 3180 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3181 "oneOf": [ 3182 {"required":["System"]}, 3183 {"required":["Address"]}, 3184 {"required":["DomainData"]}, 3185 {"required":["EmailData"]}, 3186 {"required":["Service"]}, 3187 {"required":["WindowsRegistryKeysModified"]}, 3188 {"required":["FileData"]}, 3189 {"required":["CertificateData"]}, 3190 {"required":["RegistryHandle"]}, 3191 {"required":["RecordData"]}, 3192 {"required":["EventData"]}, 3193 {"required":["Incident"]}, 3194 {"required":["Expectation"]}, 3195 {"required":["Reference"]}, 3196 {"required":["Assessment"]}, 3197 {"required":["DetectionPattern"]}, 3198 {"required":["HistoryItem"]}, 3199 {"required":["BulkObservable"]}, 3200 {"required":["AdditionalData"]}], 3201 "additionalProperties": false}, 3202 "BulkObservable": { 3203 "type": "object", 3204 "properties": { 3205 "type": 
{"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 3206 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", 3207 "mac","site-uri","domain-name","domain-to-ipv4", 3208 "domain-to-ipv6","domain-to-ipv4-timestamp", 3209 "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", 3210 "windows-reg-key","file-hash","email-x-mailer", 3211 "email-subject","http-user-agent","http-request-url", 3212 "mutex","file-path","user-name","ext-value"]}, 3213 "ext-type": {"type": "string"}, 3214 "BulkObservableFormat":{ 3215 "$ref": "#/definitions/BulkObservableFormat"}, 3216 "BulkObservableList": {"type": "string"}, 3217 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3218 "required": ["BulkObservableList"], 3219 "additionalProperties": false}, 3220 "BulkObservableFormat": { 3221 "type": "object", 3222 "properties": { 3223 "Hash": {"$ref": "#/definitions/Hash"}, 3224 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3225 "oneOf": [ 3226 {"required": ["Hash"]}, 3227 {"required": ["AdditionalData"]} 3228 ], 3229 "additionalProperties": false}, 3230 "IndicatorExpression": { 3231 "type": "object", 3232 "properties": { 3233 "operator": {"enum": ["not","and","or","xor"],"default": "and"}, 3234 "ext-operator": {"type": "string"}, 3235 "IndicatorExpression": { 3236 "type": "array", 3237 "items": {"$ref": "#/definitions/IndicatorExpression"}, 3238 "minItems": 1}, 3239 "Observable": { 3240 "type": "array", 3241 "items": {"$ref": "#/definitions/Observable"}, 3242 "minItems": 1}, 3243 "uid-ref": { 3244 "type": "array", 3245 "items": {"$ref": "#/definitions/IDREFType"}, 3246 "minItems": 1}, 3247 "IndicatorReference": { 3248 "type": "array", 3249 "items": {"$ref": "#/definitions/IndicatorReference"}, 3250 "minItems": 1}, 3251 "Confidence": {"$ref":"#/definitions/Confidence"}, 3252 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3253 "required": [], 3254 "additionalProperties": false}, 3255 "IndicatorReference": { 3256 "type": "object", 3257 
"properties": { 3258 "uid-ref": {"$ref":"#/definitions/IDREFType"}, 3259 "euid-ref": {"type": "string"}, 3260 "version": {"type": "string"}}, 3261 "oneOf": [ 3262 {"required": ["uid-ref"]}, 3263 {"required": ["euid-ref"]} 3264 ], 3265 "additionalProperties": false}, 3266 "AttackPhase": { 3267 "type": "object", 3268 "properties": { 3269 "AttackPhaseID": { 3270 "type": "array", 3271 "items": {"type": "string"}, 3272 "minItems": 1}, 3273 "URL": { 3274 "type": "array", 3275 "items": {"$ref": "#/definitions/URLtype"}, 3276 "minItems": 1}, 3277 "Description": { 3278 "type": "array", 3279 "items": {"$ref": "#/definitions/MLStringType"}, 3280 "minItems": 1}, 3281 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3282 "required": [], 3283 "additionalProperties": false}}, 3284 "title": "IODEF-Document", 3285 "description": "JSON schema for IODEF-Document class", 3286 "type": "object", 3287 "properties": { 3288 "version": {"type": "string"}, 3289 "lang": {"$ref": "#/definitions/lang"}, 3290 "format-id": {"type": "string"}, 3291 "private-enum-name": {"type": "string"}, 3292 "private-enum-id": {"type": "string"}, 3293 "Incident": { 3294 "type": "array", 3295 "items": {"$ref": "#/definitions/Incident"}, 3296 "minItems": 1}, 3297 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3298 "required": ["version","Incident"], 3299 "additionalProperties": false} 3301 Figure 10: JSON schema 3303 Authors' Addresses 3305 Takeshi Takahashi 3306 National Institute of Information and Communications Technology 3307 4-2-1 Nukui-Kitamachi 3308 Koganei, Tokyo 184-8795 3309 Japan 3311 Phone: +81 42 327 5862 3312 Email: takeshi_takahashi@nict.go.jp 3314 Roman Danyliw 3315 CERT, Software Engineering Institute, Carnegie Mellon University 3316 4500 Fifth Avenue 3317 Pittsburgh, PA 3318 USA 3320 Email: rdd@cert.org 3321 Mio Suzuki 3322 National Institute of Information and Communications Technology 3323 4-2-1 Nukui-Kitamachi 3324 Koganei, Tokyo 184-8795 3325 Japan 3327 Email: 
mio@nict.go.jp
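The schema in Figure 10 relies on three keywords to keep a received document unambiguous: "additionalProperties": false rejects members the class does not define, "required" lists the mandatory ones, and the "allOf"/"oneOf" combination on Indicator (and the plain "oneOf" on Observable, IndicatorReference, DomainContacts and BulkObservableFormat) forces exactly one of the alternative members to be present. A consumer that ingests incident reports from other parties should enforce all three rather than trust the producer. The following checker is an added illustration and is not code from this draft or from any IODEF implementation; it embeds a hand-copied, simplified subset of the Figure 10 definitions (Indicator, IndicatorID, IndicatorReference and a one-branch Observable), reduces IDtype, IDREFType and Address to plain strings, which the draft does not do, and runs it over constructed sample Indicators.

```python
"""Minimal JSON Schema (draft-04 subset) checker for the IODEF schema's
'exactly one of' constructs.  Added illustration, not code from
draft-ietf-mile-jsoniodef.  SCHEMA is a hand-copied subset of Figure 10;
IDtype, IDREFType and Address are simplified to plain strings here."""

# Constructed subset of the draft's definitions (simplified as noted above).
SCHEMA = {"definitions": {
    "IDtype": {"type": "string"},
    "IDREFType": {"type": "string"},
    "Address": {"type": "string"},
    "IndicatorID": {
        "type": "object",
        "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                       "version": {"type": "string"}},
        "required": ["id", "name", "version"],
        "additionalProperties": False},
    "IndicatorReference": {
        "type": "object",
        "properties": {"uid-ref": {"$ref": "#/definitions/IDREFType"},
                       "euid-ref": {"type": "string"},
                       "version": {"type": "string"}},
        "oneOf": [{"required": ["uid-ref"]}, {"required": ["euid-ref"]}],
        "additionalProperties": False},
    "Observable": {  # only the Address branch of the draft's Observable
        "type": "object",
        "properties": {"Address": {"$ref": "#/definitions/Address"}},
        "oneOf": [{"required": ["Address"]}],
        "additionalProperties": False},
    "Indicator": {
        "type": "object",
        "properties": {
            "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
            "Observable": {"$ref": "#/definitions/Observable"},
            "uid-ref": {"$ref": "#/definitions/IDREFType"},
            "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}},
        "allOf": [
            {"required": ["IndicatorID"]},
            {"oneOf": [{"required": ["Observable"]},
                       {"required": ["uid-ref"]},
                       {"required": ["IndicatorReference"]}]}],
        "additionalProperties": False}}}


def _resolve(ref, root):
    # Follow a local "#/definitions/X" reference inside the schema.
    node = root
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def errors(instance, schema, root=SCHEMA, path="$"):
    """Return a list of violation messages; an empty list means valid.
    Covers the keywords Figure 10 actually uses: type, enum, required,
    properties, additionalProperties, items, minItems, allOf, oneOf and
    $ref ("default" is informational and ignored)."""
    if "$ref" in schema:
        return errors(instance, _resolve(schema["$ref"], root), root, path)
    errs = []
    expected = {"object": dict, "string": str, "array": list,
                "number": (int, float)}.get(schema.get("type"))
    if expected and not isinstance(instance, expected):
        return [f"{path}: expected {schema['type']}"]
    if "enum" in schema and instance not in schema["enum"]:
        errs.append(f"{path}: value not in enum")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errs.append(f"{path}: missing required '{key}'")
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                errs += errors(value, props[key], root, f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errs.append(f"{path}: unexpected property '{key}'")
    if isinstance(instance, list) and "items" in schema:
        if len(instance) < schema.get("minItems", 0):
            errs.append(f"{path}: fewer than minItems elements")
        for i, item in enumerate(instance):
            errs += errors(item, schema["items"], root, f"{path}[{i}]")
    for sub in schema.get("allOf", []):
        errs += errors(instance, sub, root, path)
    if "oneOf" in schema:  # exactly one branch must validate
        hits = sum(1 for sub in schema["oneOf"]
                   if not errors(instance, sub, root, path))
        if hits != 1:
            errs.append(f"{path}: oneOf matched {hits} branches, need 1")
    return errs


def check_indicator(doc):
    """Validate one Indicator object against the subset schema."""
    return errors(doc, {"$ref": "#/definitions/Indicator"})


# Constructed sample Indicators (not taken from the draft).
ID = {"id": "ind-1", "name": "example-feed", "version": "1"}
GOOD = {"IndicatorID": ID, "Observable": {"Address": "192.0.2.10"}}
TWO_BRANCHES = {"IndicatorID": ID, "Observable": {"Address": "192.0.2.10"},
                "uid-ref": "obs-7"}                 # ambiguous: two of oneOf
UNKNOWN_KEY = {"IndicatorID": ID, "IndicatorReference": {"euid-ref": "x-9"},
               "Comment": "free text"}              # member not in the class
NO_ID = {"Observable": {"Address": "192.0.2.10"}}  # allOf's required fails

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("TWO_BRANCHES", TWO_BRANCHES),
                      ("UNKNOWN_KEY", UNKNOWN_KEY), ("NO_ID", NO_ID)]:
        print(name, check_indicator(doc) or "valid")
```

The point the three rejected samples make is that a document can be syntactically valid JSON and still violate the draft's class model; a consumer that only checks the fixed members (IndicatorID present, Observable well-formed) would accept TWO_BRANCHES and UNKNOWN_KEY. The same errors() routine applies unchanged to the full Figure 10 schema once the remaining definitions are loaded, because the draft uses no keywords beyond the ones handled here.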