MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: January 23, 2020                                           CERT
                                                               M. Suzuki
                                                                    NICT
                                                           July 22, 2019

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-10

Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   JSON and its encoding in CBOR.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 23, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Integer
       2.2.2.  Multilingual Strings
       2.2.3.  Enum
       2.2.4.  Software and Software Reference
       2.2.5.  Structured Information
       2.2.6.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Data Types used in this document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defines an
   information model in Unified Modeling Language (UML), and Section 8
   of [RFC7970] defines a corresponding Extensible Markup Language (XML)
   schema data model.  This UML-based information model and XML-based
   data model are referred to as IODEF UML and IODEF XML, respectively,
   in this document.

   IODEF documents are structured and thus suitable for machine
   processing, which streamlines incident response operations.  JSON is
   another widely used structured format suited to machine processing.
   To further automate incident response operations, IODEF documents
   should also be available in a JSON representation.

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using CDDL [RFC8610] and JSON Schema [jsonschema].  This
   JSON data model is referred to as IODEF JSON in this document.  IODEF
   JSON provides all of the expressivity of IODEF XML.  It gives
   implementers and operators an alternative format to exchange the same
   information.

   The normative IODEF JSON data model is found in Section 5.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.
   Figure 2 gives the CBOR encoding of the same abstract types, as CBOR
   major types and tags and as types of the CDDL prelude [RFC8610].

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | integer, see Section 2.2.1    |
   | REAL            | Section 2.2       | "number" per [RFC8259]        |
   | CHARACTER       | Section 2.3       | "string" per [RFC8259]        |
   | STRING          | Section 2.3       | "string" per [RFC8259]        |
   | ML_STRING       | Section 2.4       | see Section 2.2.2             |
   | BYTE            | Section 2.5.1     | "string" per [RFC8259]        |
   | BYTE[]          | Section 2.5.1     | "string" per [RFC8259]        |
   | HEXBIN          | Section 2.5.2     | "string" per [RFC8259]        |
   | HEXBIN[]        | Section 2.5.2     | "string" per [RFC8259]        |
   | ENUM            | Section 2.6       | see Section 2.2.3             |
   | DATETIME        | Section 2.7       | "string" per [RFC8259]        |
   | TIMEZONE        | Section 2.8       | "string" per [RFC8259]        |
   | PORTLIST        | Section 2.9       | "string" per [RFC8259]        |
   | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
   | PHONE           | Section 2.11      | "string" per [RFC8259]        |
   | EMAIL           | Section 2.12      | "string" per [RFC8259]        |
   | URL             | Section 2.13      | "string" per [RFC8259]        |
   | ID              | Section 2.14      | "string" per [RFC8259]        |
   | IDREF           | Section 2.14      | "string" per [RFC8259]        |
   | SOFTWARE        | Section 2.15      | see Section 2.2.4             |
   | STRUCTUREDINFO  | [RFC7203]         | see Section 2.2.5             |
   | EXTENSION       | Section 2.16      | see Section 2.2.6             |
   +-----------------+-------------------+-------------------------------+

                        Figure 1: JSON Data Types

   +-----------------+------------------+---------------------------------+
   | IODEF Data Type | CBOR Data Type   | CDDL prelude                    |
   |                 |                  | [RFC8610]                       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 2                | bytes                           |
   | HEXBIN[]        | 2                | bytes                           |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (see Figure 1)        |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   | SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
   | STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
   | EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
   +-----------------+------------------+---------------------------------+

                        Figure 2: CBOR Data Types

   In Figure 2, "CBOR Data Type" gives the CBOR major type (and, where
   one applies, the tag), and the section numbers in the last column
   refer to [RFC8610].

2.2.  Complex JSON Types

2.2.1.  Integer

   An integer is the subset of the JSON "number" type that consists of
   signed digits in base 10, i.e., the "[ minus ] int" part of the
   number grammar in Section 6 of [RFC8259], with no fraction or
   exponent part.

2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.
   This data type is implemented either as an object with "value",
   "lang", and "translation-id" elements or as a plain text string, as
   defined in Section 5.  An example of the object form is shown below.

   "MLStringType": {
     "value": "free-form text",         //STRING
     "lang": "en",                      //ENUM
     "translation-id": "jp2en0023"      //STRING
   }

2.2.3.  Enum

   Enum is an ordered list of acceptable string values.  Each value has
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 5.  An example is shown below.

   "SoftwareType": {
     "SoftwareReference": {...},        //SoftwareReference
     "Description": ["MS Windows"]      //STRING
   }

   The SoftwareReference class is a reference to a particular version of
   software.  An example is shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   //STRING
     "spec-name": "cpe",                              //ENUM
     "dtype": "string"                                //ENUM
   }

2.2.5.  Structured Information

   Information provided in the form of a structured string, such as an
   ID, or of structured data, such as an XML document, is represented in
   the information model by the STRUCTUREDINFO data type.  Note that
   this type was originally specified in [RFC7203].  The STRUCTUREDINFO
   data type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", and "Reference" elements.  An example of
   embedding a structured ID is shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",   //ENUM
     "ContentID": "CWE-89"                              //STRING
   }

   When embedding raw data, the base64 encoding defined in Section 4 of
   [RFC4648] SHOULD be used to encode the data, as shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",   //ENUM
     "RawData": "<<>>"                                    //BYTE
   }

2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example of embedding a syslog record is
   shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                  //STRING
     "name": "Syslog",                                    //STRING
     "dtype": "string",                                   //ENUM
     "meaning": "Syslog from the security appliance X"    //STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following list gives each IODEF class, its elements and
   attributes, and the corresponding section of [RFC7970].  A trailing
   "?" marks an optional member, "*" zero or more occurrences, and "+"
   one or more, following the occurrence indicators of CDDL [RFC8610].
   Note that the complete JSON data model is defined in Section 5 using
   CDDL.

   IODEF-Document (Section 3.1):
      version, lang?, format-id?, private-enum-name?, private-enum-id?,
      Incident+, AdditionalData*

   Incident (Section 3.2):
      purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
      ext-restriction?, observable-id?, IncidentID, AlternativeID?,
      RelatedActivity*, DetectTime?, StartTime?, EndTime?,
      RecoveryTime?, ReportTime?, GenerationTime, Description*,
      Discovery*, Assessment*, Method*, Contact+, EventData*,
      Indicator*, History?, AdditionalData*

   IncidentID (Section 3.4):
      id, name, instance?, restriction?, ext-restriction?

   AlternativeID (Section 3.5):
      restriction?, ext-restriction?, IncidentID+

   RelatedActivity (Section 3.6):
      restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
      Campaign*, IndicatorID*, Confidence?, Description*,
      AdditionalData*

   ThreatActor (Section 3.7):
      restriction?, ext-restriction?, ThreatActorID*, URL*,
      Description*, AdditionalData*

   Campaign (Section 3.8):
      restriction?, ext-restriction?, CampaignID*, URL*, Description*,
      AdditionalData*

   Contact (Section 3.9):
      role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
      ContactName*, ContactTitle*, Description*, RegistryHandle*,
      PostalAddress*, Email*, Telephone*, Timezone?, Contact*,
      AdditionalData*

   RegistryHandle (Section 3.9.1):
      handle, registry, ext-registry?

   PostalAddress (Section 3.9.2):
      type?, ext-type?, PAddress, Description*

   Email (Section 3.9.3):
      type?, ext-type?, EmailTo, Description*

   Telephone (Section 3.9.4):
      type?, ext-type?, TelephoneNumber, Description*

   Discovery (Section 3.10):
      source?, ext-source?, restriction?, ext-restriction?,
      Description*, Contact*, DetectionPattern*

   DetectionPattern (Section 3.10.1):
      restriction?, ext-restriction?, observable-id?, Application,
      Description*, DetectionConfiguration*

   Method (Section 3.11):
      restriction?, ext-restriction?, Reference*, Description*,
      AttackPattern*, Vulnerability*, Weakness*, AdditionalData*

   Weakness (Section TBD):
      restriction?, ext-restriction?

   Reference (Section 3.11.1):
      observable-id?, ReferenceName?, URL*, Description*

   Assessment (Section 3.12):
      occurrence?, restriction?, ext-restriction?, observable-id?,
      IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
      MonetaryImpact*, IntendedImpact*, Counter*, MitigatingFactor*,
      Cause*, Confidence?, AdditionalData*

   SystemImpact (Section 3.12.1):
      severity?, completion?, type, ext-type?, Description*

   BusinessImpact (Section 3.12.2):
      severity?, ext-severity?, type, ext-type?, Description*

   TimeImpact (Section 3.12.3):
      value, severity?, metric, ext-metric?, duration?, ext-duration?

   MonetaryImpact (Section 3.12.4):
      value, severity?, currency?

   Confidence (Section 3.12.5):
      value, rating, ext-rating?

   History (Section 3.13):
      restriction?, ext-restriction?, HistoryItem+

   HistoryItem (Section 3.13.1):
      action, ext-action?, restriction?, ext-restriction?,
      observable-id?, DateTime, IncidentID?, Contact?, Description*,
      DefinedCOA*, AdditionalData*

   EventData (Section 3.14):
      restriction?, ext-restriction?, observable-id?, Description*,
      DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?,
      Contact*, Discovery*, Assessment?, Method*, System*,
      Expectation*, RecordData*, EventData*, AdditionalData*

   Expectation (Section 3.15):
      action?, ext-action?, severity?, restriction?, ext-restriction?,
      observable-id?, Description*, DefinedCOA*, StartTime?, EndTime?,
      Contact?

   System (Section 3.17):
      category?, ext-category?, interface?, spoofed?, virtual?,
      ownership?, ext-ownership?, restriction?, ext-restriction?, Node,
      NodeRole*, Service*, OperatingSystem*, Counter*, AssetID*,
      Description*, AdditionalData*

   Node (Section 3.18):
      DomainData*, Address*, PostalAddress?, Location*, Counter*

   Address (Section 3.18.1):
      value, category, ext-category?, vlan-name?, vlan-num?,
      observable-id?

   NodeRole (Section 3.18.2):
      category, ext-category?, Description*

   Counter (Section 3.18.3):
      value, type, ext-type?, unit, ext-unit?, meaning?, duration?,
      ext-duration?

   DomainData (Section 3.19):
      system-status, ext-system-status?, domain-status,
      ext-domain-status?, observable-id?, Name, DateDomainWasChecked?,
      RegistrationDate?, ExpirationDate?, RelatedDNS*, Nameservers*,
      DomainContacts?

   Nameservers (Section 3.19.1):
      Server, Address*

   DomainContacts (Section 3.19.2):
      SameDomainContact?, Contact+

   Service (Section 3.20):
      ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
      ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField*,
      EmailData?, Application?

   ServiceName (Section 3.20.1):
      IANAService?, URL*, Description*

   EmailData (Section 3.21):
      observable-id?, EmailTo*, EmailFrom?, EmailSubject?,
      EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?,
      EmailMessage?, HashData*, Signature*

   RecordData (Section 3.22.1):
      restriction?, ext-restriction?, observable-id?, DateTime?,
      Description*, Application?, RecordPattern*, RecordItem*, URL*,
      FileData*, WindowsRegistryKeysModified*, CertificateData*,
      AdditionalData*

   RecordPattern (Section 3.22.2):
      type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
      value

   WindowsRegistryKeysModified (Section 3.23):
      observable-id?, Key+

   Key (Section 3.23.1):
      registryaction?, ext-registryaction?, observable-id?, KeyName,
      KeyValue?

   CertificateData (Section 3.24):
      restriction?, ext-restriction?, observable-id?, Certificate+

   Certificate (Section 3.24.1):
      observable-id?, X509Data, Description*

   FileData (Section 3.25):
      restriction?, ext-restriction?, observable-id?, File+

   File (Section 3.25.1):
      observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
      Signature*, AssociatedSoftware?, FileProperties*

   HashData (Section 3.26):
      scope, HashTargetID?, Hash*, FuzzyHash*

   Hash (Section 3.26.1):
      DigestMethod, DigestValue, CanonicalizationMethod?, Application?

   FuzzyHash (Section 3.26.2):
      FuzzyHashValue+, Application?, AdditionalData*

   Indicator (Section 3.29):
      restriction?, ext-restriction?, IndicatorID,
      AlternativeIndicatorID*, Description*, StartTime?, EndTime?,
      Confidence?, Contact*, Observable?, uid-ref?,
      IndicatorExpression?, IndicatorReference?, NodeRole*,
      AttackPhase*, Reference*, AdditionalData*

   IndicatorID (Section 3.29.1):
      id, name, version

   AlternativeIndicatorID (Section 3.29.2):
      restriction?, ext-restriction?, IndicatorID+

   Observable (Section 3.29.3):
      restriction?, ext-restriction?, System?, Address?, DomainData?,
      Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
      CertificateData?, RegistryHandle?, RecordData?, EventData?,
      Incident?, Expectation?, Reference?, Assessment?,
      DetectionPattern?, HistoryItem?, BulkObservable?, AdditionalData*

   BulkObservable (Section 3.29.4):
      type?, ext-type?, BulkObservableFormat?, BulkObservableList,
      AdditionalData*

   BulkObservableFormat (Section 3.29.5):
      Hash?, AdditionalData*

   IndicatorExpression (Section 3.29.6):
      operator?, ext-operator?, IndicatorExpression*, Observable*,
      uid-ref*, IndicatorReference*, Confidence?, AdditionalData*

   IndicatorReference (Section 3.29.7):
      uid-ref?, euid-ref?, version?

   AttackPhase (Section 3.29.8):
      AttackPhaseID*, URL*, Description*, AdditionalData*

                         Figure 3: IODEF Classes

3.2.  Mapping between JSON and XML IODEF

   o  Attributes and child elements of each class in an XML IODEF
      document are both presented as members of the corresponding JSON
      object in a JSON IODEF document, and the order in which they
      appear is not significant.

   o  The Flow class is deleted; the System instances that used to
      belong to a Flow are now direct members of the enclosing EventData
      class.

   o  The ApplicationHeader class is deleted; classes that used to
      contain it now directly contain the ApplicationHeaderField
      instances that used to belong to the ApplicationHeader class.
781 o SignatureData class is deleted, and classes with its instances now 782 directly have instance of Signature class that used to belong to 783 the SignatureData class. 785 o IndicatorData class is deleted, and classes with its instances now 786 directly have the instances of Indicator class that used to belong 787 to the IndicatorData class. 789 o ObservableReference class is deleted, and classes with its 790 instances now directly have uid-ref as an element. 792 o Record class is deleted, and classes with its instances now 793 directly have the instances of RecordData class that used to 794 belong to the Record class. 796 o The MLStringType were modified to support simple string by 797 allowing the type to have not only a predefined object type but 798 also text type, in order to allow simple descriptions of elements 799 of the type. 801 o The elements of ML_STRING type in XML IODEF document are presented 802 as either STRING type or ML_STRING type in JSON IODEF document. 804 o Data models of the extension classes defined by [RFC7203] and 805 referenced by [RFC7970] are represented by StructuredInfo class 806 defined in this document. 808 o Signature, X509Data, and RawData are encoded with base64 and are 809 represented as string (BYTE type) in JSON IODEF documents. 811 o EmailBody represents an whole message body including MIME 812 structure in the same manner defined in [RFC7970]. In case of an 813 email composed of MIME multipart, the EmailBody contains multiple 814 body parts separated by boundary strings. 816 4. Examples 818 This section provides examples of IODEF documents. These examples do 819 not represent the full capabilities of the data model or the only way 820 to encode particular information. 822 4.1. Minimal Example 824 A document containing only the mandatory elements and attributes is 825 shown below in JSON and CBOR, respectively. 
   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{"EmailTo": "contact@csirt.example.com"}]
       }]
     }]
   }

                    Figure 4: A Minimal Example in JSON

   A3                                  # map(3)
      67                               # text(7)
         76657273696F6E                # "version"
      63                               # text(3)
         322E30                        # "2.0"
      64                               # text(4)
         6C616E67                      # "lang"
      62                               # text(2)
         656E                          # "en"
      68                               # text(8)
         496E636964656E74              # "Incident"
      81                               # array(1)
         A5                            # map(5)
            67                         # text(7)
               707572706F7365          # "purpose"
            69                         # text(9)
               7265706F7274696E67      # "reporting"
            6B                         # text(11)
               7265737472696374696F6E  # "restriction"
            67                         # text(7)
               70726976617465          # "private"
            6A                         # text(10)
               496E636964656E744944    # "IncidentID"
            A2                         # map(2)
               62                      # text(2)
                  6964                 # "id"
               66                      # text(6)
                  343932333832         # "492382"
               64                      # text(4)
                  6E616D65             # "name"
               71                      # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6E                         # text(14)
               47656E65726174696F6E54696D65          # "GenerationTime"
            C0                         # tag(0)
               78 19                   # text(25)
                  323031352D30372D31385430393A30303A30302D30353A3030
                                       # "2015-07-18T09:00:00-05:00"
            67                         # text(7)
               436F6E74616374          # "Contact"
            81                         # array(1)
               A3                      # map(3)
                  64                   # text(4)
                     74797065          # "type"
                  6C                   # text(12)
                     6F7267616E697A6174696F6E          # "organization"
                  64                   # text(4)
                     726F6C65          # "role"
                  67                   # text(7)
                     63726561746F72    # "creator"
                  65                   # text(5)
                     456D61696C        # "Email"
                  81                   # array(1)
                     A1                # map(1)
                        67             # text(7)
                           456D61696C546F             # "EmailTo"
                        78 19          # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                       # "contact@csirt.example.com"

                    Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "domain-name",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

               Figure 6: Indicators from a Campaign in JSON

   A3                                  # map(3)
      67                               # text(7)
         76657273696F6E                # "version"
      63                               # text(3)
         322E30                        # "2.0"
      64                               # text(4)
         6C616E67                      # "lang"
      62                               # text(2)
         656E                          # "en"
      68                               # text(8)
         496E636964656E74              # "Incident"
      81                               # array(1)
         A9                            # map(9)
            67                         # text(7)
               707572706F7365          # "purpose"
            65                         # text(5)
               7761746368              # "watch"
            6B                         # text(11)
               7265737472696374696F6E  # "restriction"
            65                         # text(5)
               677265656E              # "green"
            6A                         # text(10)
               496E636964656E744944    # "IncidentID"
            A2                         # map(2)
               62                      # text(2)
                  6964                 # "id"
               66                      # text(6)
                  383937393233         # "897923"
               64                      # text(4)
                  6E616D65             # "name"
               71                      # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6F                         # text(15)
               52656C617465644163746976697479        # "RelatedActivity"
            81                         # array(1)
               A2                      # map(2)
                  6B                   # text(11)
                     5468726561744163746F72            # "ThreatActor"
                  81                   # array(1)
                     A2                # map(2)
                        6D             # text(13)
                           5468726561744163746F724944  # "ThreatActorID"
                        81             # array(1)
                           78 1A       # text(26)
                              54412D31322D414747524553534956452D425554544552464C59
                                       # "TA-12-AGGRESSIVE-BUTTERFLY"
                        6B             # text(11)
                           4465736372697074696F6E      # "Description"
                        81             # array(1)
                           74          # text(20)
                              4167677265737369766520427574746572666C79
                                       # "Aggressive Butterfly"
                  68                   # text(8)
                     43616D706169676E  # "Campaign"
                  81                   # array(1)
                     A2                # map(2)
                        6A             # text(10)
                           43616D706169676E4944        # "CampaignID"
                        81             # array(1)
                           6C          # text(12)
                              432D323031352D3539343035 # "C-2015-59405"
                        6B             # text(11)
                           4465736372697074696F6E      # "Description"
                        81             # array(1)
                           6E          # text(14)
                              4F72616E67652047697261666665  # "Orange Giraffe"
            6E                         # text(14)
               47656E65726174696F6E54696D65          # "GenerationTime"
            C0                         # tag(0)
               78 19                   # text(25)
                  323031352D31302D30325431313A31383A30302D30353A3030
                                       # "2015-10-02T11:18:00-05:00"
            6B                         # text(11)
               4465736372697074696F6E  # "Description"
            81                         # array(1)
               78 6F                   # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7273206F662043
                  6F6D70726F6D69736520666F7220746865204F72616E6765204769726166
                  66652063616D706169676E206F6620746865204167677265737369766520
                  427574746572666C79206372696D652067616E672E
                                       # "Summarizes the Indicators of
                                       #  Compromise for the Orange Giraffe
                                       #  campaign of the Aggressive
                                       #  Butterfly crime gang."
            6A                         # text(10)
               4173736573736D656E74    # "Assessment"
            81                         # array(1)
               A1                      # map(1)
                  66                   # text(6)
                     496D70616374      # "Impact"
                  81                   # array(1)
                     A1                # map(1)
                        6E             # text(14)
                           427573696E657373496D70616374  # "BusinessImpact"
                        A1             # map(1)
                           64          # text(4)
                              74797065 # "type"
                           72          # text(18)
                              6272656163682D70726F7072696574617279
                                       # "breach-proprietary"
            67                         # text(7)
               436F6E74616374          # "Contact"
            81                         # array(1)
               A4                      # map(4)
                  64                   # text(4)
                     74797065          # "type"
                  6C                   # text(12)
                     6F7267616E697A6174696F6E          # "organization"
                  64                   # text(4)
                     726F6C65          # "role"
                  67                   # text(7)
                     63726561746F72    # "creator"
                  6B                   # text(11)
                     436F6E746163744E616D65            # "ContactName"
                  81                   # array(1)
                     75                # text(21)
                        435349525420666F72206578616D706C652E636F6D
                                       # "CSIRT for example.com"
                  65                   # text(5)
                     456D61696C        # "Email"
                  81                   # array(1)
                     A1                # map(1)
                        67             # text(7)
                           456D61696C546F             # "EmailTo"
                        78 19          # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                       # "contact@csirt.example.com"
            69                         # text(9)
               496E64696361746F72      # "Indicator"
            81                         # array(1)
               A4                      # map(4)
                  6B                   # text(11)
                     496E64696361746F724944            # "IndicatorID"
                  A3                   # map(3)
                     62                # text(2)
                        6964           # "id"
                     69                # text(9)
                        473930383233343930             # "G90823490"
                     64                # text(4)
                        6E616D65       # "name"
                     71                # text(17)
                        63736972742E6578616D706C652E636F6D
                                       # "csirt.example.com"
                     67                # text(7)
                        76657273696F6E # "version"
                     61                # text(1)
                        31             # "1"
                  6B                   # text(11)
                     4465736372697074696F6E            # "Description"
                  81                   # array(1)
                     6A                # text(10)
                        433220646F6D61696E73           # "C2 domains"
                  69                   # text(9)
                     537461727454696D65                # "StartTime"
                  C0                   # tag(0)
                     78 19             # text(25)
                        323031342D31322D30325431313A31383A30302D30353A3030
                                       # "2014-12-02T11:18:00-05:00"
                  6A                   # text(10)
                     4F627365727661626C65              # "Observable"
                  A1                   # map(1)
                     6E                # text(14)
                        42756C6B4F627365727661626C65   # "BulkObservable"
                     A2                # map(2)
                        64             # text(4)
                           74797065    # "type"
                        6B             # text(11)
                           646F6D61696E2D6E616D65      # "domain-name"
                        72             # text(18)
                           42756C6B4F627365727661626C654C697374
                                       # "BulkObservableList"
                        78 1A          # text(26)
                           6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                       # "kj290023j09r34.example.com"

               Figure 7: Indicators from a Campaign in CBOR

5.  The IODEF Data Model (CDDL)

   start = iodef

   ;;; iodef.json: IODEF-Document

   iodef = {
     version: text
     ? lang: lang
     ? format-id: text
     ? private-enum-name: text
     ? private-enum-id: text
     Incident: [+ Incident]
     ? AdditionalData: [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   URLtype = uri
   TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   DATETIME = tdate

   BYTE = eb64legacy

   MLStringType = {
     value: text
     ? lang: lang
     ?
     translation-id: text
   } / text

   PositiveFloatType = float32 .gt 0

   PAddressType = MLStringType

   ExtensionType = {
     value: text
     ? name: text
     dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
            "ntpstamp" / "integer" / "portlist" / "real" / "string" /
            "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
            "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
            .default "string"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
   }

   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
              .default "string"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     GenerationTime: DATETIME
     ? Description: [+ MLStringType]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ?
     AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ URLtype]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ContactName: [+ MLStringType]
     ? ContactTitle: [+ MLStringType]
     ? Description: [+ MLStringType]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: TimeZonetype
     ? Contact: [+ Contact]
     ?
     AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
               "afrinic" / "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: "street" / "mailing" / "ext-value"
     ? ext-type: text
     PAddress: PAddressType
     ? Description: [+ MLStringType]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ? ext-type: text
     EmailTo: text
     ? Description: [+ MLStringType]
   }

   Telephone = {
     ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
     ? ext-type: text
     TelephoneNumber: text
     ? Description: [+ MLStringType]
   }

   Discovery = {
     ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
               "incident" / "os-log" / "application-log" / "device-log" /
               "network-flow" / "passive-dns" / "investigation" / "audit" /
               "internal-notification" / "external-notification" /
               "leo" / "partner" / "actor" / "unknown" / "ext-value"
     ? ext-source: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Description: [+ MLStringType]
     ? Contact: [+ Contact]
     ? DetectionPattern: [+ DetectionPattern]
   }

   DetectionPattern = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
     Application: SoftwareType
   }

   Method = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Reference: [+ Reference]
     ? Description: [+ MLStringType]
     ? AttackPattern: [+ StructuredInfo]
     ? Vulnerability: [+ StructuredInfo]
     ? Weakness: [+ StructuredInfo]
     ? AdditionalData: [+ ExtensionType]
   }

   StructuredInfo = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ?
     (RawData: [+ BYTE] // Reference: [+ Reference])
     ? Platform: [+ Platform]
     ? Scoring: [+ Scoring]
   }

   Platform = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Scoring = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Reference = {
     ? observable-id: IDtype
     ? ReferenceName: ReferenceName
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   ReferenceName = {
     specIndex: integer
     ID: IDtype
   }

   Assessment = {
     ? occurrence: "actual" / "potential"
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? IncidentCategory: [+ MLStringType]
     Impact: [+ {SystemImpact: SystemImpact} /
                {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
                {MonetaryImpact: MonetaryImpact} /
                {IntendedImpact: BusinessImpact}]
     ? Counter: [+ Counter]
     ? MitigatingFactor: [+ MLStringType]
     ? Cause: [+ MLStringType]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   SystemImpact = {
     ? severity: "low" / "medium" / "high"
     ? completion: "failed" / "succeeded"
     type: "takeover-account" / "takeover-service" / "takeover-system" /
           "cps-manipulation" / "cps-damage" / "availability-data" /
           "availability-account" / "availability-service" /
           "availability-system" / "damaged-system" / "damaged-data" /
           "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "breach-configuration" / "integrity-data" /
           "integrity-configuration" / "integrity-hardware" /
           "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
           "policy" / "unknown" / "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   BusinessImpact = {
     ?
     severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
               .default "unknown"
     ? ext-severity: text
     type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "loss-of-integrity" / "loss-of-service" / "theft-financial" /
           "theft-service" / "degraded-reputation" / "asset-damage" /
           "asset-manipulation" / "legal" / "extortion" / "unknown" /
           "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   TimeImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     metric: "labor" / "elapsed" / "downtime" / "ext-value"
     ? ext-metric: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   MonetaryImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     ? currency: text
   }

   Confidence = {
     value: float32
     rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
     ? ext-rating: text
   }

   History = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     HistoryItem: [+ HistoryItem]
   }

   HistoryItem = {
     action: action .default "other"
     ? ext-action: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     DateTime: DATETIME
     ? IncidentID: IncidentID
     ? Contact: Contact
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   EventData = {
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     ? Contact: [+ Contact]
     ? Discovery: [+ Discovery]
     ? Assessment: Assessment
     ? Method: [+ Method]
     ? System: [+ System]
     ?
     Expectation: [+ Expectation]
     ? RecordData: [+ RecordData]
     ? EventData: [+ EventData]
     ? AdditionalData: [+ ExtensionType]
   }

   Expectation = {
     ? action: action .default "other"
     ? ext-action: text
     ? severity: "low" / "medium" / "high"
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Contact: Contact
   }

   System = {
     ? category: "source" / "target" / "intermediate" / "sensor" /
                 "infrastructure" / "ext-value"
     ? ext-category: text
     ? interface: text
     ? spoofed: "unknown" / "yes" / "no" .default "unknown"
     ? virtual: "yes" / "no" / "unknown" .default "unknown"
     ? ownership: "organization" / "personal" / "partner" / "customer" /
                  "no-relationship" / "unknown" / "ext-value"
     ? ext-ownership: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Node: Node
     ? NodeRole: [+ NodeRole]
     ? Service: [+ Service]
     ? OperatingSystem: [+ SoftwareType]
     ? Counter: [+ Counter]
     ? AssetID: [+ text]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Node = {
     (DomainData: [+ DomainData]
      ? Address: [+ Address] //
      ? DomainData: [+ DomainData]
      Address: [+ Address])
     ? PostalAddress: PostalAddress
     ? Location: [+ MLStringType]
     ? Counter: [+ Counter]
   }

   Address = {
     value: text
     category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
               "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
               "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
               "ext-value" .default "ipv6-addr"
     ? ext-category: text
     ? vlan-name: text
     ? vlan-num: integer
     ?
     observable-id: IDtype
   }

   NodeRole = {
     category: "client" / "client-enterprise" / "client-partner" /
               "client-remote" / "client-kiosk" / "client-mobile" /
               "server-internal" / "server-public" / "www" / "mail" /
               "webmail" / "messaging" / "streaming" / "voice" / "file" /
               "ftp" / "p2p" / "name" / "directory" / "credential" /
               "print" / "application" / "database" / "backup" / "dhcp" /
               "assessment" / "source-control" / "config-management" /
               "monitoring" / "infra" / "infra-firewall" / "infra-router" /
               "infra-switch" / "camera" / "proxy" / "remote-access" /
               "log" / "virtualization" / "pos" / "scada" /
               "scada-supervisory" / "sinkhole" / "honeypot" /
               "anomyzation" / "c2-server" / "malware-distribution" /
               "drop-server" / "hop-point" / "reflector" /
               "phishing-site" / "spear-phishing-site" / "recruiting-site" /
               "fraudulent-site" / "ext-value"
     ? ext-category: text
     ? Description: [+ MLStringType]
   }

   Counter = {
     value: float32
     type: "count" / "peak" / "average" / "ext-value"
     ? ext-type: text
     unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
           "message" / "event" / "host" / "site" / "organization" /
           "ext-value"
     ? ext-unit: text
     ? meaning: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   DomainData = {
     system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
                    "innocent-hijacked" / "unknown" / "ext-value"
     ? ext-system-status: text
     domain-status: "reservedDelegation" / "assignedAndActive" /
                    "assignedAndInactive" / "assignedAndOnHold" /
                    "revoked" / "transferPending" / "registryLock" /
                    "registrarLock" / "other" / "unknown" / "ext-value"
     ? ext-domain-status: text
     ? observable-id: IDtype
     Name: text
     ? DateDomainWasChecked: DATETIME
     ? RegistrationDate: DATETIME
     ? ExpirationDate: DATETIME
     ? RelatedDNS: [+ ExtensionType]
     ?
     NameServers: [+ NameServers]
     ? DomainContacts: DomainContacts
   }

   NameServers = {
     Server: text
     Address: [+ Address]
   }

   DomainContacts = {
     (SameDomainContact: text // Contact: [+ Contact])
   }

   Service = {
     ? ip-protocol: integer
     ? observable-id: IDtype
     ? ServiceName: ServiceName
     ? Port: integer
     ? Portlist: PortlistType
     ? ProtoCode: integer
     ? ProtoType: integer
     ? ProtoField: integer
     ? ApplicationHeaderField: [+ ExtensionType]
     ? EmailData: EmailData
     ? Application: SoftwareType
   }

   ServiceName = {
     ? IANAService: text
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   EmailData = {
     ? observable-id: IDtype
     ? EmailTo: [+ text]
     ? EmailFrom: text
     ? EmailSubject: text
     ? EmailX-Mailer: text
     ? EmailHeaderField: [+ ExtensionType]
     ? EmailHeaders: text
     ? EmailBody: text
     ? EmailMessage: text
     ? HashData: [+ HashData]
     ? Signature: [+ BYTE]
   }

   RecordData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? DateTime: DATETIME
     ? Description: [+ MLStringType]
     ? Application: SoftwareType
     ? RecordPattern: [+ RecordPattern]
     ? RecordItem: [+ ExtensionType]
     ? URL: [+ URLtype]
     ? FileData: [+ FileData]
     ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
     ? CertificateData: [+ CertificateData]
     ? AdditionalData: [+ ExtensionType]
   }

   RecordPattern = {
     value: text
     type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
     ? ext-type: text
     ? offset: integer
     ? offsetunit: "line" / "byte" / "ext-value" .default "line"
     ? ext-offsetunit: text
     ? instance: integer
   }

   WindowsRegistryKeysModified = {
     ? observable-id: IDtype
     Key: [+ Key]
   }

   Key = {
     ?
     registryaction: "add-key" / "add-value" / "delete-key" /
                     "delete-value" / "modify-key" / "modify-value" /
                     "ext-value"
     ? ext-registryaction: text
     ? observable-id: IDtype
     KeyName: text
     ? KeyValue: text
   }

   CertificateData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Certificate: [+ Certificate]
   }

   Certificate = {
     ? observable-id: IDtype
     X509Data: BYTE
     ? Description: [+ MLStringType]
   }

   FileData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     File: [+ File]
   }

   File = {
     ? observable-id: IDtype
     ? FileName: text
     ? FileSize: integer
     ? FileType: text
     ? URL: [+ URLtype]
     ? HashData: HashData
     ? Signature: [+ BYTE]
     ? AssociatedSoftware: SoftwareType
     ? FileProperties: [+ ExtensionType]
   }

   HashData = {
     scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
            "file-pe-resource" / "file-pdf-object" / "email-hash" /
            "email-headers-hash" / "email-body-hash" / "ext-value"
     ? HashTargetID: text
     ? Hash: [+ Hash]
     ? FuzzyHash: [+ FuzzyHash]
   }

   Hash = {
     DigestMethod: BYTE
     DigestValue: BYTE
     ? CanonicalizationMethod: BYTE
     ? Application: SoftwareType
   }

   FuzzyHash = {
     FuzzyHashValue: [+ ExtensionType]
     ? Application: SoftwareType
     ? AdditionalData: [+ ExtensionType]
   }

   Indicator = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: IndicatorID
     ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
     ? Description: [+ MLStringType]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Confidence: Confidence
     ?
     Contact: [+ Contact]
     (Observable: Observable // uid-ref: IDREFType //
      IndicatorExpression: IndicatorExpression //
      IndicatorReference: IndicatorReference)
     ? NodeRole: [+ NodeRole]
     ? AttackPhase: [+ AttackPhase]
     ? Reference: [+ Reference]
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorID = {
     id: IDtype
     name: text
     version: text
   }

   AlternativeIndicatorID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: [+ IndicatorID]
   }

   Observable = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? (System: System // Address: Address // DomainData: DomainData //
        EmailData: EmailData // Service: Service //
        WindowsRegistryKeysModified: WindowsRegistryKeysModified //
        FileData: FileData // CertificateData: CertificateData //
        RegistryHandle: RegistryHandle // RecordData: RecordData //
        EventData: EventData // Incident: Incident //
        Expectation: Expectation // Reference: Reference //
        Assessment: Assessment // DetectionPattern: DetectionPattern //
        HistoryItem: HistoryItem // BulkObservable: BulkObservable //
        AdditionalData: [+ ExtensionType])
   }

   BulkObservable = {
     ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
             "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
             "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
             "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
             "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
             "windows-reg-key" / "file-hash" / "email-x-mailer" /
             "email-subject" / "http-user-agent" / "http-request-uri" /
             "mutex" / "file-path" / "user-name" / "ext-value"
     ? ext-type: text
     ? BulkObservableFormat: BulkObservableFormat
     BulkObservableList: text
     ?
     AdditionalData: [+ ExtensionType]
   }

   BulkObservableFormat = {
     (Hash: Hash // AdditionalData: [+ ExtensionType])
   }

   IndicatorExpression = {
     ? operator: "not" / "and" / "or" / "xor" .default "and"
     ? ext-operator: text
     ? IndicatorExpression: [+ IndicatorExpression]
     ? Observable: [+ Observable]
     ? uid-ref: [+ IDREFType]
     ? IndicatorReference: [+ IndicatorReference]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorReference = {
     (uid-ref: IDREFType // euid-ref: text)
     ? version: text
   }

   AttackPhase = {
     ? AttackPhaseID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

                       Figure 8: Data Model in CDDL

6.  IANA Considerations

   This document does not require any IANA actions.

7.  Security Considerations

   This document does not introduce any security considerations beyond
   those described in [RFC7970].

8.  Acknowledgments

   We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
   Morita, and Takahiko Nagata for their insightful comments on CDDL.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

   [RFC7203]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, DOI 10.17487/RFC7203, April 2014.
   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019.

9.2.  Informative References

   [jsonschema]
              Galiegue, F., Zyp, K., and G. Court, "JSON Schema: core
              definitions and terminology", 2013.

Appendix A.  Data Types used in this document

   The CDDL prelude used in this document is mapped to JSON as shown in
   the table below.

   +--------------+-------------+----------+-----------------+
   | CDDL Prelude | Use of JSON | Instance | Validation      |
   +--------------+-------------+----------+-----------------+
   | bytes        | n/a         | string   | tool available  |
   | text         | string      | string   | unnecessary     |
   | tdate        | n/a         | string   | 7.3.1 date-time |
   | integer      | n/a         | number   | integer         |
   | eb64legacy   | n/a         | string   | tool available  |
   | uri          | n/a         | string   | 7.3.6 uri       |
   | float32      | float32     | number   | unnecessary     |
   +--------------+-------------+----------+-----------------+

                 Figure 9: CDDL Prelude mapping in JSON

Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema that defines the IODEF Data Model
   defined in this draft.  Note that this section is Informative.
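   As an added example that is not part of this draft, the following
   Python checks implement the scalar constraints a validator needs on
   top of the plain JSON typing of Figure 9: the .regexp controls of
   Section 5 (lang, IDtype, TimeZonetype, PortlistType), the tdate and
   eb64legacy rows of Figure 9, PositiveFloatType's .gt 0, and
   MLStringType's string-or-object rule from Section 3.2.  The function
   names and the constructed sample values are my own.

```python
import base64
import re
from datetime import datetime

#  Patterns copied from the .regexp controls in Section 5 of the draft,
#  anchored so that a match must cover the whole string.
LANG_RE = re.compile(r"^(?:|[a-zA-Z]{1,8}(?:-[a-zA-Z0-9]{1,8})*)$")
ID_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_.-]*$")
TIMEZONE_RE = re.compile(r"^(?:Z|[+-](?:0[0-9]|1[0-4]):[0-5][0-9])$")
PORTLIST_RE = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
#  RFC 3339 date-time shape; Figure 9 maps tdate to JSON Schema
#  "date-time" validation.
DATETIME_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")


def check_regexp(pattern, value):
    return isinstance(value, str) and pattern.match(value) is not None


def check_datetime(value):
    """DATETIME = tdate: RFC 3339 syntax plus a real calendar date."""
    if not isinstance(value, str):
        return False
    value = value.upper()                 # RFC 3339 permits 't' and 'z'
    if not DATETIME_RE.match(value):
        return False
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        datetime.fromisoformat(value)     # rejects month 13, hour 25, ...
    except ValueError:                    # (before 3.11 also rejects some
        return False                      #  fraction lengths; acceptable)
    return True


def check_byte(value):
    """BYTE = eb64legacy: base64 text (Signature, X509Data, RawData)."""
    if not isinstance(value, str):
        return False
    try:
        base64.b64decode(value, validate=True)   # non-alphabet chars fail
    except ValueError:                           # binascii.Error subclass
        return False
    return True


def check_positive_float(value):
    """PositiveFloatType = float32 .gt 0: strictly greater than zero."""
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and value > 0)


def check_mlstring(value):
    """MLStringType: plain string, or {value, ?lang, ?translation-id}."""
    if isinstance(value, str):
        return True
    if not isinstance(value, dict):
        return False
    if set(value) - {"value", "lang", "translation-id"}:
        return False                      # no other members are allowed
    if not isinstance(value.get("value"), str):
        return False                      # value is mandatory
    if "lang" in value and not check_regexp(LANG_RE, value["lang"]):
        return False
    return isinstance(value.get("translation-id", ""), str)


CHECKS = {
    "lang": lambda v: check_regexp(LANG_RE, v),
    "IDtype": lambda v: check_regexp(ID_RE, v),
    "TimeZonetype": lambda v: check_regexp(TIMEZONE_RE, v),
    "PortlistType": lambda v: check_regexp(PORTLIST_RE, v),
    "DATETIME": check_datetime,
    "BYTE": check_byte,
    "PositiveFloatType": check_positive_float,
    "MLStringType": check_mlstring,
}


def validate(type_name, value):
    """True if value is an acceptable JSON instance of the named type."""
    return CHECKS[type_name](value)


if __name__ == "__main__":
    # Constructed sample values; the IDtype case shows why IndicatorID.id
    # ("G90823490" in Figure 6) must start with a letter while the plain
    # text IncidentID.id ("492382" in Figure 4) need not.
    for type_name, value in [("IDtype", "G90823490"), ("IDtype", "492382"),
                             ("TimeZonetype", "-05:00"), ("TimeZonetype", "+15:00"),
                             ("DATETIME", "2015-07-18T09:00:00-05:00"),
                             ("MLStringType", {"value": "C2 domains", "lang": "en"})]:
        print(type_name, repr(value), validate(type_name, value))
```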
   { "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site",
         "contact-target-site","contact-sender","investigate",
         "block-host","block-network","block-port","rate-limit-host",
         "rate-limit-network","rate-limit-port","redirect-traffic",
         "honeypot","upgrade-software","rebuild-asset","harden-asset",
         "remediate-other","status-triage","status-new-info",
         "watch-and-report","training","defined-coa","other",
         "ext-value"]},
       "duration":{"enum":["second","minute","hour","day","month",
         "quarter","year","ext-value"]},
       "SpecID":{
         "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
       "lang": {
         "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback","mitigation","reporting","watch",
         "other","ext-value"]},
       "restriction":{"enum":["public","partner","need-to-know","private",
         "default","white","green","amber","red","ext-value"]},
       "status": {"enum": ["new","in-progress","forwarded","resolved",
         "future","ext-value"]},
       "DATETIME": {"type": "string","format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
       "TimeZonetype": {
         "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
           {"type": "object",
            "properties": {
              "value": {"type": "string"},
              "lang": {"$ref": "#/definitions/lang"},
              "translation-id": {"type": "string"}},
            "required": ["value"],
            "additionalProperties":false}]},
       "PositiveFloatType": {"type": "number","minimum": 0},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype":{"enum":["boolean","byte","bytes","character", "json",
             "date-time","ntpstamp","integer","portlist","real","string",
             "file","path","frame","packet","ipv4-packet","ipv6-packet",
             "url", "csv","winreg","xml","ext-value"],"default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction","default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value","dtype"],
         "additionalProperties":false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1 }},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom","cpe","swid","ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes","integer","real","string","xml",
             "ext-value"] , "default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref":"#/definitions/BYTE"},
             "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1
           },
           "Platform": {
             "type": "array",
             "items": {"$ref": "#/definitions/Platform"},
             "minItems": 1
           },
           "Scoring": {
             "type": "array",
             "items": {"$ref": "#/definitions/Scoring"},
             "minItems": 1}},
         "allOf": [
           {"required": ["SpecID"]},
           {"anyOf": [
             {"oneOf": [
               {"required":["Reference"]},
               {"required":["RawData"]}]},
             { "not" : {"required":["Reference", "RawData"]}}]}],
         "additionalProperties": false},
       "Platform": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref":"#/definitions/BYTE"},
             "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Scoring": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref":"#/definitions/BYTE"},
             "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array",
             "items": {"$ref": "#/definitions/RelatedActivity"},
             "minItems": 1},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "GenerationTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {
             "type": "array",
             "items": {"$ref": "#/definitions/Assessment"},
             "minItems": 1},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "Indicator": {
             "type": "array",
             "items": {"$ref": "#/definitions/Indicator"},
             "minItems": 1},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID","GenerationTime","Contact","purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["id","name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array",
             "items":{"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "ThreatActor": {
             "type": "array",
             "items": {"$ref": "#/definitions/ThreatActor"},
             "minItems": 1},
           "Campaign": {
             "type": "array",
             "items": {"$ref": "#/definitions/Campaign"},
             "minItems": 1},
           "IndicatorID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IndicatorID"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "URL": {
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "URL": {
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum":["creator","reporter","admin","tech","provider","user",
               "billing","legal","irt","abuse","cc","cc-irt","leo",
               "vendor","vendor-support","victim","victim-notified",
               "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person","organization","ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "ContactName": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "ContactTitle": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "RegistryHandle": {
             "type":"array",
             "items":{"$ref":"#/definitions/RegistryHandle"},
             "minItems": 1},
           "PostalAddress":
             {
             "type":"array",
             "items":{"$ref":"#/definitions/PostalAddress"},
             "minItems": 1},
           "Email": {
             "type": "array",
             "items": {"$ref": "#/definitions/Email"},
             "minItems": 1},
           "Telephone": {
             "type": "array",
             "items": {"$ref": "#/definitions/Telephone"},
             "minItems": 1},
           "Timezone": {"$ref": "#/definitions/TimeZonetype"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["role","type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
               "local","ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["handle","registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {
             "enum": ["street","mailing","ext-value"]},
           "ext-type": {"type": "string"},
           "PAddress": {"$ref": "#/definitions/PAddressType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["direct","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["wired","mobile","fax","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum":["nidps","hips","siem","av","third-party-monitoring",
               "incident","os-log","application-log","device-log",
               "network-flow","passive-dns","investigation","audit",
               "internal-notification","external-notification","leo",
               "partner","actor","unknown","ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "DetectionPattern": {
             "type":"array",
             "items":{"$ref":"#/definitions/DetectionPattern"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DetectionConfiguration": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1}},
         "allOf": [
           {"required": ["Application"]},
           {"oneOf": [
             {"required":["Description"]},
             {"required":["DetectionConfiguration"]}]}],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AttackPattern": {
             "type":"array",
             "items":{"$ref":"#/definitions/StructuredInfo"},
             "minItems": 1},
           "Vulnerability": {
             "type":"array",
             "items":{"$ref":"#/definitions/StructuredInfo"},
             "minItems": 1},
           "Weakness": {
             "type":"array",
             "items":{"$ref":"#/definitions/StructuredInfo"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {"$ref":"#/definitions/ReferenceName"},
           "URL":{
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "ReferenceName" : {
         "type": "object",
         "properties": {
           "specIndex": {"type": "number"},
           "ID": {"$ref":"#/definitions/IDtype"}},
         "required": ["specIndex","ID"],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum":["actual","potential"]},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Impact": {
             "type": "array",
             "items": {
               "properties": {
                 "SystemImpact":{"$ref":"#/definitions/SystemImpact"},
                 "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},
                 "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
                 "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"},
                 "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
               "additionalProperties":false},
             "minItems" : 1
           },
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "MitigatingFactor": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Cause": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["Impact"],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum":["low","medium","high"]},
           "completion": {"enum":["failed","succeeded"]},
           "type": {
             "enum":["takeover-account","takeover-service",
               "takeover-system","cps-manipulation","cps-damage",
               "availability-data","availability-account",
               "availability-service","availability-system",
               "damaged-system","damaged-data","breach-proprietary",
               "breach-privacy","breach-credential",
               "breach-configuration","integrity-data",
               "integrity-configuration","integrity-hardware",
               "traffic-redirection","monitoring-traffic",
               "monitoring-host","policy","unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "BusinessImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum":["none","low","medium","high","unknown",
             "ext-value"],"default": "unknown"},
           "ext-severity": {"type":"string"},
           "type": {"enum":["breach-proprietary","breach-privacy",
             "breach-credential","loss-of-integrity","loss-of-service",
             "theft-financial","theft-service","degraded-reputation",
             "asset-damage","asset-manipulation","legal","extortion",
             "unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "TimeImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum": ["low","medium","high"]},
           "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
           "ext-metric": {"type": "string"},
           "duration": {"$ref":"#/definitions/duration","default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value","metric"],
         "additionalProperties": false},
       "MonetaryImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum":["low","medium","high"]},
           "currency": {"type": "string"}},
         "required": ["value"],
         "additionalProperties": false},
       "Confidence": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "rating": {"enum": ["low","medium","high","numeric","unknown",
             "ext-value"]},
           "ext-rating": {"type":"string"}},
         "required": ["value","rating"],
         "additionalProperties": false},
       "History": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "HistoryItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/HistoryItem"},
             "minItems": 1}},
         "required": ["HistoryItem"],
         "additionalProperties": false},
       "HistoryItem": {
         "type": "object",
         "properties": {
           "action": {"$ref": "#/definitions/action","default": "other"},
           "ext-action": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "Contact": {"$ref": "#/definitions/Contact"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["DateTime","action"],
         "additionalProperties": false},
       "EventData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {"type": "array",
             "items": { "$ref":"#/definitions/MLStringType"}},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {"$ref": "#/definitions/Assessment"},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "System": {
             "type": "array",
             "items": {"$ref": "#/definitions/System"},
             "minItems": 1},
           "Expectation": {
             "type": "array",
             "items": {"$ref": "#/definitions/Expectation"},
             "minItems": 1},
           "RecordData": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordData"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Expectation": {
         "type": "object",
         "properties": {
           "action": {"$ref":"#/definitions/action","default": "other"},
           "ext-action": {"type": "string"},
           "severity": {"enum": ["low","medium","high"]},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "default"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {"$ref": "#/definitions/Contact"}},
         "required": [],
         "additionalProperties": false},
       "System": {
         "type": "object",
         "properties": {
           "category": {
             "enum": ["source","target","intermediate","sensor",
               "infrastructure","ext-value"]},
           "ext-category": {"type": "string"},
           "interface": {"type": "string"},
           "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"},
           "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"},
           "ownership": {
             "enum":["organization","personal","partner","customer",
               "no-relationship","unknown","ext-value"]},
           "ext-ownership": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Node": {"$ref": "#/definitions/Node"},
           "NodeRole": {
             "type": "array",
             "items": {"$ref": "#/definitions/NodeRole"},
             "minItems": 1},
           "Service": {
             "type": "array",
             "items": {"$ref": "#/definitions/Service"},
             "minItems": 1},
           "OperatingSystem": {
             "type": "array",
             "items": {"$ref": "#/definitions/SoftwareType"},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "AssetID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["Node"],
         "additionalProperties": false},
       "Node": {
         "type": "object",
         "properties": {
           "DomainData": {
             "type": "array",
             "items": {"$ref": "#/definitions/DomainData"},
             "minItems": 1},
           "Address": {
             "type": "array",
             "items": {"$ref": "#/definitions/Address"},
             "minItems": 1},
           "PostalAddress": {"$ref": "#/definitions/PostalAddress"},
           "Location": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Counter": {
             "type":"array",
             "items":{"$ref":"#/definitions/Counter"},
             "minItems": 1}},
         "anyOf": [
           {"required": ["DomainData"]},
           {"required": ["Address"]}
         ],
         "additionalProperties": false},
       "Address": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "category": {
             "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
               "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
               "ipv6-net-masked","mac","site-uri","ext-value"],
             "default": "ipv6-addr"},
           "ext-category": {"type": "string"},
           "vlan-name": {"type": "string"},
           "vlan-num": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value","category"],
         "additionalProperties": false},
       "NodeRole": {
         "type": "object",
         "properties": {
           "category": {
             "enum":["client","client-enterprise","client-partner",
               "client-remote","client-kiosk","client-mobile",
               "server-internal","server-public","www","mail","webmail",
               "messaging","streaming","voice","file","ftp","p2p","name",
               "directory","credential","print","application","database",
               "backup","dhcp","assessment","source-control",
               "config-management","monitoring","infra","infra-firewall",
               "infra-router","infra-switch","camera","proxy",
               "remote-access","log","virtualization","pos", "scada",
               "scada-supervisory","sinkhole","honeypot","anomyzation",
               "c2-server","malware-distribution","drop-server",
               "hop-point","reflector","phishing-site",
               "spear-phishing-site","recruiting-site","fraudulent-site",
               "ext-value"]},
           "ext-category": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["category"],
         "additionalProperties": false},
       "Counter": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "type": {"enum": ["count","peak","average","ext-value"]},
           "ext-type": {"type": "string"},
           "unit":{"enum":["byte","mbit","packet","flow","session","alert",
             "message","event","host","site","organization","ext-value"]},
           "ext-unit": {"type": "string"},
           "meaning": {"type": "string"},
           "duration": {"$ref":"#/definitions/duration","default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value","type","unit"],
         "additionalProperties": false},
       "DomainData": {
         "type": "object",
         "properties": {
           "system-status": {
             "enum": ["spoofed","fraudulent","innocent-hacked",
               "innocent-hijacked","unknown","ext-value"]},
           "ext-system-status": {"type": "string"},
           "domain-status": {
             "enum": [ "reservedDelegation","assignedAndActive",
               "assignedAndInactive","assignedAndOnHold","revoked",
               "transferPending","registryLock","registrarLock",
               "other","unknown","ext-value"]},
           "ext-domain-status": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Name": {"type": "string"},
           "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
           "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
           "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
           "RelatedDNS": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "NameServers": {
             "type": "array",
             "items": {"$ref": "#/definitions/NameServers"},
             "minItems": 1},
           "DomainContacts": {"$ref": "#/definitions/DomainContacts"}},
         "required": ["Name","system-status","domain-status"],
         "additionalProperties": false},
       "NameServers": {
         "type": "object",
         "properties": {
           "Server": {"type": "string"},
           "Address": {
             "type":"array",
             "items":{"$ref":"#/definitions/Address"},
             "minItems": 1}},
         "required": ["Server","Address"],
         "additionalProperties": false},
       "DomainContacts": {
         "type": "object",
         "properties": {
           "SameDomainContact": {"type": "string"},
           "Contact": {
             "type":"array",
             "items":{"$ref":"#/definitions/Contact"},
             "minItems": 1}},
         "oneOf": [
           {"required": ["SameDomainContact"]},
           {"required": ["Contact"]}],
         "additionalProperties": false},
       "Service": {
         "type": "object",
         "properties": {
           "ip-protocol": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ServiceName": {"$ref": "#/definitions/ServiceName"},
           "Port": {"type": "number"},
           "Portlist": {"$ref": "#/definitions/PortlistType"},
           "ProtoCode": {"type": "number"},
           "ProtoType": {"type": "number"},
           "ProtoField": {"type": "number"},
           "ApplicationHeaderField":{
             "$ref":"#/definitions/ExtensionTypeList"},
           "EmailData": {"$ref": "#/definitions/EmailData"},
           "Application": {"$ref": "#/definitions/SoftwareType"}},
         "required": [],
         "additionalProperties": false},
       "ServiceName": {
         "type": "object",
         "properties": {
           "IANAService": {"type": "string"},
           "URL": {
             "type": "array","items": {"$ref": "#/definitions/URLtype"}},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "EmailData": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "EmailTo": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "EmailFrom": {"type": "string"},
           "EmailSubject": {"type": "string"},
           "EmailX-Mailer": {"type": "string"},
           "EmailHeaderField": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "EmailHeaders": {"type": "string"},
           "EmailBody": {"type": "string"},
           "EmailMessage": {"type": "string"},
           "HashData": {
             "type": "array",
             "items": {"$ref": "#/definitions/HashData"},
             "minItems": 1},
           "Signature": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "RecordData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "RecordPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordPattern"},
             "minItems": 1},
           "RecordItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "FileData": {
             "type": "array",
             "items": {"$ref": "#/definitions/FileData"},
             "minItems": 1},
           "WindowsRegistryKeysModified": {
             "type": "array",
             "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"},
             "minItems": 1},
           "CertificateData": {
             "type":"array",
             "items":{"$ref":"#/definitions/CertificateData"},
             "minItems": 1},
           "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "RecordPattern": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "type": {"enum": ["regex","binary","xpath","ext-value"],
             "default": "regex"},
           "ext-type": {"type": "string"},
           "offset": {"type": "number"},
           "offsetunit": {"enum":["line","byte","ext-value"] ,
             "default": "line"},
           "ext-offsetunit": {"type": "string"},
           "instance": {"type": "number"}},
         "required": ["value","type"],
         "additionalProperties": false},
       "WindowsRegistryKeysModified": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Key": {
             "type": "array",
             "items": {"$ref": "#/definitions/Key"},
             "minItems": 1}},
         "required": ["Key"],
         "additionalProperties": false},
       "Key": {
         "type": "object",
         "properties": {
           "registryaction": {"enum": ["add-key","add-value","delete-key",
             "delete-value","modify-key","modify-value",
             "ext-value"]},
           "ext-registryaction": {"type": "string"},
           "observable-id":
{"$ref": "#/definitions/IDtype"}, 2983 "KeyName": {"type":"string"}, 2984 "KeyValue": {"type": "string"}}, 2986 "required": ["KeyName"], 2987 "additionalProperties": false}, 2988 "CertificateData": { 2989 "type": "object", 2990 "properties": { 2991 "restriction": {"$ref": "#/definitions/restriction", 2992 "default": "private"}, 2993 "ext-restriction": {"type": "string"}, 2994 "observable-id": {"$ref": "#/definitions/IDtype"}, 2995 "Certificate": { 2996 "type": "array", 2997 "items": {"$ref": "#/definitions/Certificate"}, 2998 "minItems": 1}}, 2999 "required": ["Certificate"], 3000 "additionalProperties": false}, 3001 "Certificate": { 3002 "type": "object", 3003 "properties": { 3004 "observable-id": {"$ref": "#/definitions/IDtype"}, 3005 "X509Data": {"$ref": "#/definitions/BYTE"}, 3006 "Description": { 3007 "type": "array", 3008 "items": {"$ref": "#/definitions/MLStringType"}, 3009 "minItems": 1}}, 3010 "required": ["X509Data"], 3011 "additionalProperties": false}, 3012 "FileData": { 3013 "type": "object", 3014 "properties": { 3015 "restriction": {"$ref": "#/definitions/restriction"}, 3016 "ext-restriction": {"type": "string"}, 3017 "observable-id": {"$ref": "#/definitions/IDtype"}, 3018 "File": { 3019 "type": "array", 3020 "items": {"$ref": "#/definitions/File"}, 3021 "minItems": 1}}, 3022 "required": ["File"], 3023 "additionalProperties": false}, 3024 "File": { 3025 "type": "object", 3026 "properties": { 3027 "observable-id": {"$ref": "#/definitions/IDtype"}, 3028 "FileName": {"type": "string"}, 3029 "FileSize": {"type": "number"}, 3030 "FileType": {"type": "string"}, 3031 "URL": { 3032 "type": "array", 3033 "items": {"$ref": "#/definitions/URLtype"}, 3034 "minItems": 1}, 3035 "HashData": {"$ref": "#/definitions/HashData"}, 3036 "Signature": { 3037 "type": "array", 3038 "items": {"$ref": "#/definitions/BYTE"}, 3039 "minItems": 1}, 3040 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 3041 "FileProperties": { 3042 "type":"array", 3043 
"items":{"$ref":"#/definitions/ExtensionType"}, 3044 "minItems": 1}}, 3045 "required": [], 3046 "additionalProperties": false}, 3047 "HashData": { 3048 "type": "object", 3049 "properties": { 3050 "scope": {"enum": ["file-contents","file-pe-section", 3051 "file-pe-iat","file-pe-resource","file-pdf-object", 3052 "email-hash","email-headers-hash","email-body-hash", 3053 "ext-value"]}, 3054 "HashTargetID": {"type": "string"}, 3055 "Hash": { 3056 "type": "array", 3057 "items": {"$ref": "#/definitions/Hash"}, 3058 "minItems": 1}, 3059 "FuzzyHash": { 3060 "type": "array", 3061 "items": {"$ref": "#/definitions/FuzzyHash"}, 3062 "minItems": 1}}, 3063 "required": ["scope"], 3064 "additionalProperties": false}, 3065 "Hash": { 3066 "type": "object", 3067 "properties": { 3068 "DigestMethod": {"$ref": "#/definitions/BYTE"}, 3069 "DigestValue": {"$ref": "#/definitions/BYTE"}, 3070 "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, 3071 "Application": {"$ref": "#/definitions/SoftwareType"}}, 3072 "required": ["DigestMethod","DigestValue"], 3073 "additionalProperties": false}, 3074 "FuzzyHash": { 3075 "type": "object", 3076 "properties": { 3077 "FuzzyHashValue": { 3078 "type": "array", 3079 "items": {"$ref": "#/definitions/ExtensionType"}, 3080 "minItems": 1}, 3081 "Application": {"$ref": "#/definitions/SoftwareType"}, 3082 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3083 "required": ["FuzzyHashValue"], 3084 "additionalProperties": false}, 3085 "Indicator": { 3086 "type": "object", 3087 "properties": { 3088 "restriction": {"$ref": "#/definitions/restriction", 3089 "default": "private"}, 3090 "ext-restriction": {"type": "string"}, 3091 "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 3092 "AlternativeIndicatorID": { 3093 "type": "array", 3094 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, 3095 "minItems": 1}, 3096 "Description": { 3097 "type": "array", 3098 "items": {"$ref": "#/definitions/MLStringType"}, 3099 "minItems": 1}, 3100 
"StartTime": {"$ref": "#/definitions/DATETIME"}, 3101 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3102 "Confidence": {"$ref": "#/definitions/Confidence"}, 3103 "Contact": { 3104 "type": "array", 3105 "items": {"$ref": "#/definitions/Contact"}, 3106 "minItems": 1}, 3107 "Observable": {"$ref": "#/definitions/Observable"}, 3108 "uid-ref": {"$ref": "#/definitions/IDREFType"}, 3109 "IndicatorExpression":{ 3110 "$ref":"#/definitions/IndicatorExpression"}, 3111 "IndicatorReference":{ 3112 "$ref": "#/definitions/IndicatorReference"}, 3113 "NodeRole": { 3114 "type": "array", 3115 "items": {"$ref": "#/definitions/NodeRole"}, 3116 "minItems": 1}, 3117 "AttackPhase": { 3118 "type": "array", 3119 "items": {"$ref": "#/definitions/AttackPhase"}, 3120 "minItems": 1}, 3121 "Reference": { 3122 "type": "array", 3123 "items": {"$ref": "#/definitions/Reference"}, 3124 "minItems": 1}, 3125 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3126 "allOf": [ 3127 {"required": ["IndicatorID"]}, 3128 {"oneOf": [ 3129 {"required":["Observable"]}, 3130 {"required":["uid-ref"]}, 3131 {"required":["IndicatorExpression"]}, 3132 {"required":["IndicatorReference"]}]}], 3133 "additionalProperties": false}, 3134 "IndicatorID": { 3135 "type": "object", 3136 "properties": { 3137 "id": {"type": "string"}, 3138 "name": {"type": "string"}, 3139 "version": {"type": "string"}}, 3140 "required": ["id","name","version"], 3141 "additionalProperties": false}, 3142 "AlternativeIndicatorID": { 3143 "type": "object", 3144 "properties": { 3145 "restriction": {"$ref": "#/definitions/restriction", 3146 "default": "private"}, 3147 "ext-restriction": {"type": "string"}, 3148 "IndicatorID": { 3149 "type": "array", 3150 "items": {"$ref": "#/definitions/IndicatorID"}, 3151 "minItems": 1}}, 3152 "required": ["IndicatorID"], 3153 "additionalProperties": false}, 3154 "Observable": { 3155 "type": "object", 3156 "properties": { 3157 "restriction": {"$ref": "#/definitions/restriction", 3158 "default": "private"}, 
3159 "ext-restriction": {"type": "string"}, 3160 "System": {"$ref": "#/definitions/System"}, 3161 "Address": {"$ref": "#/definitions/Address"}, 3162 "DomainData": {"$ref": "#/definitions/DomainData"}, 3163 "EmailData": {"$ref": "#/definitions/EmailData"}, 3164 "Service": {"$ref": "#/definitions/Service"}, 3165 "WindowsRegistryKeysModified": { 3166 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 3167 "FileData": {"$ref": "#/definitions/FileData"}, 3168 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 3169 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 3170 "RecordData": {"$ref": "#/definitions/RecordData"}, 3171 "EventData": {"$ref": "#/definitions/EventData"}, 3172 "Incident": {"$ref": "#/definitions/Incident"}, 3173 "Expectation": {"$ref": "#/definitions/Expectation"}, 3174 "Reference": {"$ref": "#/definitions/Reference"}, 3175 "Assessment": {"$ref": "#/definitions/Assessment"}, 3176 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 3177 "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, 3178 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 3179 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3180 "oneOf": [ 3181 {"required":["System"]}, 3182 {"required":["Address"]}, 3183 {"required":["DomainData"]}, 3184 {"required":["EmailData"]}, 3185 {"required":["Service"]}, 3186 {"required":["WindowsRegistryKeysModified"]}, 3187 {"required":["FileData"]}, 3188 {"required":["CertificateData"]}, 3189 {"required":["RegistryHandle"]}, 3190 {"required":["RecordData"]}, 3191 {"required":["EventData"]}, 3192 {"required":["Incident"]}, 3193 {"required":["Expectation"]}, 3194 {"required":["Reference"]}, 3195 {"required":["Assessment"]}, 3196 {"required":["DetectionPattern"]}, 3197 {"required":["HistoryItem"]}, 3198 {"required":["BulkObservable"]}, 3199 {"required":["AdditionalData"]}], 3200 "additionalProperties": false}, 3201 "BulkObservable": { 3202 "type": "object", 3203 "properties": { 3204 "type": 
{"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 3205 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", 3206 "mac","site-uri","domain-name","domain-to-ipv4", 3207 "domain-to-ipv6","domain-to-ipv4-timestamp", 3208 "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", 3209 "windows-reg-key","file-hash","email-x-mailer", 3210 "email-subject","http-user-agent","http-request-url", 3211 "mutex","file-path","user-name","ext-value"]}, 3212 "ext-type": {"type": "string"}, 3213 "BulkObservableFormat":{ 3214 "$ref": "#/definitions/BulkObservableFormat"}, 3215 "BulkObservableList": {"type": "string"}, 3216 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3217 "required": ["BulkObservableList"], 3218 "additionalProperties": false}, 3219 "BulkObservableFormat": { 3220 "type": "object", 3221 "properties": { 3222 "Hash": {"$ref": "#/definitions/Hash"}, 3223 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3224 "oneOf": [ 3225 {"required": ["Hash"]}, 3226 {"required": ["AdditionalData"]} 3227 ], 3228 "additionalProperties": false}, 3229 "IndicatorExpression": { 3230 "type": "object", 3231 "properties": { 3232 "operator": {"enum": ["not","and","or","xor"],"default": "and"}, 3233 "ext-operator": {"type": "string"}, 3234 "IndicatorExpression": { 3235 "type": "array", 3236 "items": {"$ref": "#/definitions/IndicatorExpression"}, 3237 "minItems": 1}, 3238 "Observable": { 3239 "type": "array", 3240 "items": {"$ref": "#/definitions/Observable"}, 3241 "minItems": 1}, 3242 "uid-ref": { 3243 "type": "array", 3244 "items": {"$ref": "#/definitions/IDREFType"}, 3245 "minItems": 1}, 3246 "IndicatorReference": { 3247 "type": "array", 3248 "items": {"$ref": "#/definitions/IndicatorReference"}, 3249 "minItems": 1}, 3250 "Confidence": {"$ref":"#/definitions/Confidence"}, 3251 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3252 "required": [], 3253 "additionalProperties": false}, 3254 "IndicatorReference": { 3255 "type": "object", 3256 
"properties": { 3257 "uid-ref": {"$ref":"#/definitions/IDREFType"}, 3258 "euid-ref": {"type": "string"}, 3259 "version": {"type": "string"}}, 3260 "oneOf": [ 3261 {"required": ["uid-ref"]}, 3262 {"required": ["euid-ref"]} 3263 ], 3264 "additionalProperties": false}, 3265 "AttackPhase": { 3266 "type": "object", 3267 "properties": { 3268 "AttackPhaseID": { 3269 "type": "array", 3270 "items": {"type": "string"}, 3271 "minItems": 1}, 3272 "URL": { 3273 "type": "array", 3274 "items": {"$ref": "#/definitions/URLtype"}, 3275 "minItems": 1}, 3276 "Description": { 3277 "type": "array", 3278 "items": {"$ref": "#/definitions/MLStringType"}, 3279 "minItems": 1}, 3280 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3281 "required": [], 3282 "additionalProperties": false}}, 3283 "title": "IODEF-Document", 3284 "description": "JSON schema for IODEF-Document class", 3285 "type": "object", 3286 "properties": { 3287 "version": {"type": "string"}, 3288 "lang": {"$ref": "#/definitions/lang"}, 3289 "format-id": {"type": "string"}, 3290 "private-enum-name": {"type": "string"}, 3291 "private-enum-id": {"type": "string"}, 3292 "Incident": { 3293 "type": "array", 3294 "items": {"$ref": "#/definitions/Incident"}, 3295 "minItems": 1}, 3296 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3297 "required": ["version","Incident"], 3298 "additionalProperties": false} 3300 Figure 10: JSON schema 3302 Authors' Addresses 3304 Takeshi Takahashi 3305 National Institute of Information and Communications Technology 3306 4-2-1 Nukui-Kitamachi 3307 Koganei, Tokyo 184-8795 3308 Japan 3310 Phone: +81 42 327 5862 3311 Email: takeshi_takahashi@nict.go.jp 3313 Roman Danyliw 3314 CERT, Software Engineering Institute, Carnegie Mellon University 3315 4500 Fifth Avenue 3316 Pittsburgh, PA 3317 USA 3319 Email: rdd@cert.org 3320 Mio Suzuki 3321 National Institute of Information and Communications Technology 3322 4-2-1 Nukui-Kitamachi 3323 Koganei, Tokyo 184-8795 3324 Japan 3326 Email: 
mio@nict.go.jp
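The following is an added example, not code from the draft or its authors, placed here to show how the constraints in Figure 10 behave when a receiving CSIRT validates an incoming document. It implements a validator for just the JSON Schema keywords Figure 10 uses ($ref, type, enum, properties, required, additionalProperties, items, minItems, oneOf, allOf and default), so that it runs offline without a validator library, and applies it to copies of the HashData, Hash, FuzzyHash, BulkObservableFormat and RecordPattern definitions from the schema. The BYTE, SoftwareType, ExtensionType and ExtensionTypeList definitions live elsewhere in the draft and are stubbed here as assumptions; the sample HashData (the SHA-256 of an empty file, with BYTE values carried as base64 text, which is this example's encoding choice and not something the excerpt states) is constructed for the example. Three checks a practitioner would care about are exercised: "additionalProperties": false rejects any key the schema does not name, so a peer's private extensions have to travel in an ExtensionType slot such as AdditionalData; "oneOf" in BulkObservableFormat admits exactly one of Hash or AdditionalData, so an object carrying both, or neither, is rejected; and "default" is only an annotation, so a RecordPattern that omits "type" is invalid even though the schema declares a default of "regex". A production implementation should use a complete JSON Schema validator rather than this subset.

```python
"""Added example, not code from draft-ietf-mile-jsoniodef: a validator for the
JSON Schema keywords Figure 10 uses, run over copies of five Figure 10
definitions.  BYTE, SoftwareType, ExtensionType and ExtensionTypeList are
defined in the draft outside this excerpt and are ASSUMED stubs here."""
import base64
import hashlib

SCHEMA = {"definitions": {
    # ---- copied from Figure 10 (JSON false written as Python False) ----
    "HashData": {"type": "object", "properties": {
        "scope": {"enum": ["file-contents", "file-pe-section", "file-pe-iat",
                           "file-pe-resource", "file-pdf-object", "email-hash",
                           "email-headers-hash", "email-body-hash", "ext-value"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1},
        "FuzzyHash": {"type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}},
        "required": ["scope"], "additionalProperties": False},
    "Hash": {"type": "object", "properties": {
        "DigestMethod": {"$ref": "#/definitions/BYTE"},
        "DigestValue": {"$ref": "#/definitions/BYTE"},
        "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
        "required": ["DigestMethod", "DigestValue"], "additionalProperties": False},
    "FuzzyHash": {"type": "object", "properties": {
        "FuzzyHashValue": {"type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
        "required": ["FuzzyHashValue"], "additionalProperties": False},
    "BulkObservableFormat": {"type": "object", "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
        "oneOf": [{"required": ["Hash"]}, {"required": ["AdditionalData"]}],
        "additionalProperties": False},
    "RecordPattern": {"type": "object", "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex", "binary", "xpath", "ext-value"], "default": "regex"},
        "ext-type": {"type": "string"},
        "offset": {"type": "number"},
        "offsetunit": {"enum": ["line", "byte", "ext-value"], "default": "line"},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "number"}},
        "required": ["value", "type"], "additionalProperties": False},
    # ---- ASSUMED stubs for definitions the draft makes outside this excerpt ----
    "BYTE": {"type": "string"},
    "SoftwareType": {"type": "object"},
    "ExtensionType": {"type": "object"},
    "ExtensionTypeList": {"type": "array", "items": {"$ref": "#/definitions/ExtensionType"}},
}}
PY_TYPES = {"object": dict, "array": list, "string": str, "number": (int, float)}


def resolve(ref):
    """Figure 10 only uses local refs of the form #/definitions/<Name>."""
    return SCHEMA["definitions"][ref[len("#/definitions/"):]]


def errors(inst, schema, path="$"):
    """Return the list of violations; an empty list means `inst` is valid."""
    if "$ref" in schema:
        return errors(inst, resolve(schema["$ref"]), path)
    if "type" in schema and (isinstance(inst, bool)
                             or not isinstance(inst, PY_TYPES[schema["type"]])):
        return ["%s: expected %s" % (path, schema["type"])]
    errs = []
    if "enum" in schema and inst not in schema["enum"]:
        errs.append("%s: %r not in enum" % (path, inst))
    if isinstance(inst, dict):
        props = schema.get("properties", {})
        errs += ["%s: missing required %s" % (path, k)
                 for k in schema.get("required", []) if k not in inst]
        for k, v in inst.items():
            if k in props:
                errs += errors(v, props[k], path + "." + k)
            elif schema.get("additionalProperties", True) is False:
                errs.append("%s: unexpected property %s" % (path, k))
    if isinstance(inst, list):
        if len(inst) < schema.get("minItems", 0):
            errs.append("%s: needs at least %d items" % (path, schema["minItems"]))
        for i, v in enumerate(inst):
            errs += errors(v, schema.get("items", {}), "%s[%d]" % (path, i))
    for sub in schema.get("allOf", []):
        errs += errors(inst, sub, path)
    if "oneOf" in schema:  # exactly one alternative may match
        hits = sum(1 for sub in schema["oneOf"] if not errors(inst, sub, path))
        if hits != 1:
            errs.append("%s: oneOf matched %d alternatives, need exactly 1" % (path, hits))
    return errs  # "default" is an annotation only; it never satisfies "required"


def is_valid(inst, definition):
    """Validate `inst` against one named Figure 10 definition."""
    return not errors(inst, {"$ref": "#/definitions/" + definition})


# Constructed sample: SHA-256 of an empty file, with BYTE values carried as
# base64 text (this example's choice; the excerpt does not state BYTE's encoding).
SAMPLE_HASHDATA = {"scope": "file-contents", "Hash": [{
    "DigestMethod": base64.b64encode(b"sha256").decode(),
    "DigestValue": base64.b64encode(hashlib.sha256(b"").digest()).decode()}]}
```

Running errors() rather than a bare boolean is deliberate: an ingestion pipeline that drops a peer's report should log which path failed (a missing "scope", a second key in a oneOf, an unknown property) so the sender can fix its exporter.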