MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: May 21, 2020                                               CERT
                                                               M. Suzuki
                                                                    NICT
                                                       November 18, 2019


                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-11

Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   JSON and its encoding in CBOR.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 21, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Integer
       2.2.2.  Multilingual Strings
       2.2.3.  Enum
       2.2.4.  Software and Software Reference
       2.2.5.  Structured Information
       2.2.6.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  The IODEF Data Model (CDDL)
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Data Types used in this document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defines an
   information model using the Unified Modeling Language (UML), and
   Section 8 defines a corresponding Extensible Markup Language (XML)
   schema data model.  This UML-based information model and XML-based
   data model are referred to as IODEF UML and IODEF XML, respectively,
   in this document.

   IODEF documents are structured and thus suitable for machine
   processing, which streamlines incident response operations.  Another
   widely used structured format suitable for machine processing is
   JavaScript Object Notation (JSON) [RFC8259].  To facilitate the
   automation of incident response operations, IODEF documents should
   support a JSON representation and its encoding in Concise Binary
   Object Representation (CBOR) [RFC7049].

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using the Concise Data Definition Language (CDDL)
   [RFC8610] and JSON Schema [jsonschema].  This JSON data model is
   referred to as IODEF JSON in this document.  IODEF JSON provides all
   of the expressivity of IODEF XML.  It gives implementers and
   operators an alternative format to exchange the same information.

   The normative IODEF JSON data model is found in Section 5.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.
   Figure 2 gives the corresponding CBOR data types and CDDL prelude
   types [RFC8610].

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | integer, see Section 2.2.1    |
   | REAL            | Section 2.2       | "number" per [RFC8259]        |
   | CHARACTER       | Section 2.3       | "string" per [RFC8259]        |
   | STRING          | Section 2.3       | "string" per [RFC8259]        |
   | ML_STRING       | Section 2.4       | see Section 2.2.2             |
   | BYTE            | Section 2.5.1     | "string" per [RFC8259]        |
   | BYTE[]          | Section 2.5.1     | "string" per [RFC8259]        |
   | HEXBIN          | Section 2.5.2     | "string" per [RFC8259]        |
   | HEXBIN[]        | Section 2.5.2     | "string" per [RFC8259]        |
   | ENUM            | Section 2.6       | see Section 2.2.3             |
   | DATETIME        | Section 2.7       | "string" per [RFC8259]        |
   | TIMEZONE        | Section 2.8       | "string" per [RFC8259]        |
   | PORTLIST        | Section 2.9       | "string" per [RFC8259]        |
   | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
   | PHONE           | Section 2.11      | "string" per [RFC8259]        |
   | EMAIL           | Section 2.12      | "string" per [RFC8259]        |
   | URL             | Section 2.13      | "string" per [RFC8259]        |
   | ID              | Section 2.14      | "string" per [RFC8259]        |
   | IDREF           | Section 2.14      | "string" per [RFC8259]        |
   | SOFTWARE        | Section 2.15      | see Section 2.2.4             |
   | STRUCTUREDINFO  | [RFC7203]         | see Section 2.2.5             |
   | EXTENSION       | Section 2.16      | see Section 2.2.6             |
   +-----------------+-------------------+-------------------------------+

                        Figure 1: JSON Data Types

   +-----------------+------------------+---------------------------------+
   | IODEF Data Type | CBOR Data Type   | CDDL prelude                    |
   |                 |                  | [RFC8610]                       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 2                | bytes                           |
   | HEXBIN[]        | 2                | bytes                           |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (Section 2.2.2)       |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   | SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
   | STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
   | EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
   +-----------------+------------------+---------------------------------+

                        Figure 2: CBOR Data Types

2.2.  Complex JSON Types

2.2.1.  Integer

   An integer is a subset of the JSON "number" type that represents
   signed digits encoded in base 10.  It is defined as "[ minus ] int"
   in the notation of Section 6 of [RFC8259].

2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a text string, as defined in Section 5.
   An example is shown below.
   "MLStringType": {
       "value": "free-form text",                # STRING
       "lang": "en",                             # ENUM
       "translation-id": "jp2en0023"             # STRING
   }

   Note that some pieces of supplementary information are provided
   following a "#" in figures throughout this document; these are not
   valid JSON syntax.

2.2.3.  Enum

   Enum is an ordered list of acceptable string values.  Each value has
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 5.  An example is shown below.

   "SoftwareType": {
       "SoftwareReference": {...},               # SoftwareReference
       "Description": ["MS Windows"]             # STRING
   }

   The SoftwareReference class is a reference to a particular version of
   software.  An example is shown below.

   "SoftwareReference": {
       "value": "cpe:/a:google:chrome:59.0.3071.115",   # STRING
       "spec-name": "cpe",                              # ENUM
       "dtype": "string"                                # ENUM
   }

2.2.5.  Structured Information

   Information provided in the form of a structured string, such as an
   ID, or of structured data, such as an XML document, is represented
   in the information model by the STRUCTUREDINFO data type.  Note that
   this type was originally specified in [RFC7203].  The STRUCTUREDINFO
   data type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", and "Reference" elements.  An example of
   embedding a structured ID is shown below.
   "StructuredInfo": {
       "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",   # ENUM
       "ContentID": "CWE-89"                            # STRING
   }

   When embedding the raw data, the base64 encoding defined in Section 4
   of [RFC4648] SHOULD be used to encode the data, as shown below.

   "StructuredInfo": {
       "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",   # ENUM
       "RawData": "<<>>"                                  # BYTE
   }

2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example is shown below.

   "ExtensionType": {
       "value": "xxxxxxx",                                  # STRING
       "name": "Syslog",                                    # STRING
       "dtype": "string",                                   # ENUM
       "meaning": "Syslog from the security appliance X"    # STRING
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table lists the IODEF classes, their elements and
   attributes, and the corresponding section in [RFC7970].  A trailing
   "?" marks an optional element, "*" zero or more, and "+" one or
   more.  Note that the complete JSON schema is defined in Section 5
   using CDDL.

   +-----------------------------+------------------------------+---------------+
   | IODEF Class                 | Class                        | Corresponding |
   |                             | Elements and                 | Section       |
   |                             | Attribute                    | in [RFC7970]  |
   +-----------------------------+------------------------------+---------------+
   | IODEF-Document              | version                      | 3.1           |
   |                             | lang?                        |               |
   |                             | format-id?                   |               |
   |                             | private-enum-name?           |               |
   |                             | private-enum-id?             |               |
   |                             | Incident+                    |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Incident                    | purpose                      | 3.2           |
   |                             | ext-purpose?                 |               |
   |                             | status?                      |               |
   |                             | ext-status?                  |               |
   |                             | lang?                        |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentID                   |               |
   |                             | AlternativeID?               |               |
   |                             | RelatedActivity*             |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | GenerationTime               |               |
   |                             | Description*                 |               |
   |                             | Discovery*                   |               |
   |                             | Assessment*                  |               |
   |                             | Method*                      |               |
   |                             | Contact+                     |               |
   |                             | EventData*                   |               |
   |                             | Indicator*                   |               |
   |                             | History?                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IncidentID                  | id                           | 3.4           |
   |                             | name                         |               |
   |                             | instance?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeID               | restriction?                 | 3.5           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID+                  |               |
   +-----------------------------+------------------------------+---------------+
   | RelatedActivity             | restriction?                 | 3.6           |
   |                             | ext-restriction?             |               |
   |                             | IncidentID*                  |               |
   |                             | URL*                         |               |
   |                             | ThreatActor*                 |               |
   |                             | Campaign*                    |               |
   |                             | IndicatorID*                 |               |
   |                             | Confidence?                  |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | ThreatActor                 | restriction?                 | 3.7           |
   |                             | ext-restriction?             |               |
   |                             | ThreatActorID*               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Campaign                    | restriction?                 | 3.8           |
   |                             | ext-restriction?             |               |
   |                             | CampaignID*                  |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Contact                     | role                         | 3.9           |
   |                             | ext-role?                    |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | ContactName*                 |               |
   |                             | ContactTitle*                |               |
   |                             | Description*                 |               |
   |                             | RegistryHandle*              |               |
   |                             | PostalAddress*               |               |
   |                             | Email*                       |               |
   |                             | Telephone*                   |               |
   |                             | Timezone?                    |               |
   |                             | Contact*                     |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RegistryHandle              | handle                       | 3.9.1         |
   |                             | registry                     |               |
   |                             | ext-registry?                |               |
   +-----------------------------+------------------------------+---------------+
   | PostalAddress               | type?                        | 3.9.2         |
   |                             | ext-type?                    |               |
   |                             | PAddress                     |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Email                       | type?                        | 3.9.3         |
   |                             | ext-type?                    |               |
   |                             | EmailTo                      |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Telephone                   | type?                        | 3.9.4         |
   |                             | ext-type?                    |               |
   |                             | TelephoneNumber              |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Discovery                   | source?                      | 3.10          |
   |                             | ext-source?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Description*                 |               |
   |                             | Contact*                     |               |
   |                             | DetectionPattern*            |               |
   +-----------------------------+------------------------------+---------------+
   | DetectionPattern            | restriction?                 | 3.10.1        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Application                  |               |
   |                             | Description*                 |               |
   |                             | DetectionConfiguration*      |               |
   +-----------------------------+------------------------------+---------------+
   | Method                      | restriction?                 | 3.11          |
   |                             | ext-restriction?             |               |
   |                             | Reference*                   |               |
   |                             | Description*                 |               |
   |                             | AttackPattern*               |               |
   |                             | Vulnerability*               |               |
   |                             | Weakness*                    |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Weakness (TBD)              | restriction?                 |               |
   |                             | ext-restriction?             |               |
   +-----------------------------+------------------------------+---------------+
   | Reference                   | observable-id?               | 3.11.1        |
   |                             | ReferenceName?               |               |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Assessment                  | occurence?                   | 3.12          |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | IncidentCategory*            |               |
   |                             | SystemImpact*                |               |
   |                             | BusinessImpact*              |               |
   |                             | TimeImpact*                  |               |
   |                             | MonetaryImpact*              |               |
   |                             | IntendedImpact*              |               |
   |                             | Counter*                     |               |
   |                             | MitigatingFactor*            |               |
   |                             | Cause*                       |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | SystemImpact                | severity?                    | 3.12.1        |
   |                             | completion?                  |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | BusinessImpact              | severity?                    | 3.12.2        |
   |                             | ext-severity?                |               |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | TimeImpact                  | value                        | 3.12.3        |
   |                             | severity?                    |               |
   |                             | metric                       |               |
   |                             | ext-metric?                  |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | MonetaryImpact              | value                        | 3.12.4        |
   |                             | severity?                    |               |
   |                             | currency?                    |               |
   +-----------------------------+------------------------------+---------------+
   | Confidence                  | value                        | 3.12.5        |
   |                             | rating                       |               |
   |                             | ext-rating?                  |               |
   +-----------------------------+------------------------------+---------------+
   | History                     | restriction?                 | 3.13          |
   |                             | ext-restriction?             |               |
   |                             | HistoryItem+                 |               |
   +-----------------------------+------------------------------+---------------+
   | HistoryItem                 | action                       | 3.13.1        |
   |                             | ext-action?                  |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime                     |               |
   |                             | IncidentID?                  |               |
   |                             | Contact?                     |               |
   |                             | Description*                 |               |
   |                             | DefinedCOA*                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | EventData                   | restriction?                 | 3.14          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Description*                 |               |
   |                             | DetectTime?                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | RecoveryTime?                |               |
   |                             | ReportTime?                  |               |
   |                             | Contact*                     |               |
   |                             | Discovery*                   |               |
   |                             | Assessment?                  |               |
   |                             | Method*                      |               |
   |                             | System*                      |               |
   |                             | Expectation*                 |               |
   |                             | RecordData*                  |               |
   |                             | EventData*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Expectation                 | action?                      | 3.15          |
   |                             | ext-action?                  |               |
   |                             | severity?                    |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Description*                 |               |
   |                             | DefinedCOA*                  |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Contact?                     |               |
   +-----------------------------+------------------------------+---------------+
   | System                      | category?                    | 3.17          |
   |                             | ext-category?                |               |
   |                             | interface?                   |               |
   |                             | spoofed?                     |               |
   |                             | virtual?                     |               |
   |                             | ownership?                   |               |
   |                             | ext-ownership?               |               |
   |                             | restriction?                 |               |
   |                             | ext-restriction?             |               |
   |                             | Node                         |               |
   |                             | NodeRole*                    |               |
   |                             | Service*                     |               |
   |                             | OperatingSystem*             |               |
   |                             | Counter*                     |               |
   |                             | AssetID*                     |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Node                        | DomainData*                  | 3.18          |
   |                             | Address*                     |               |
   |                             | PostalAddress?               |               |
   |                             | Location*                    |               |
   |                             | Counter*                     |               |
   +-----------------------------+------------------------------+---------------+
   | Address                     | value                        | 3.18.1        |
   |                             | category                     |               |
   |                             | ext-category?                |               |
   |                             | vlan-name?                   |               |
   |                             | vlan-num?                    |               |
   |                             | observable-id?               |               |
   +-----------------------------+------------------------------+---------------+
   | NodeRole                    | category                     | 3.18.2        |
   |                             | ext-category?                |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | Counter                     | value                        | 3.18.3        |
   |                             | type                         |               |
   |                             | ext-type?                    |               |
   |                             | unit                         |               |
   |                             | ext-unit?                    |               |
   |                             | meaning?                     |               |
   |                             | duration?                    |               |
   |                             | ext-duration?                |               |
   +-----------------------------+------------------------------+---------------+
   | DomainData                  | system-status                | 3.19          |
   |                             | ext-system-status?           |               |
   |                             | domain-status                |               |
   |                             | ext-domain-status?           |               |
   |                             | observable-id?               |               |
   |                             | Name                         |               |
   |                             | DateDomainWasChecked?        |               |
   |                             | RegistrationDate?            |               |
   |                             | ExpirationDate?              |               |
   |                             | RelatedDNS*                  |               |
   |                             | Nameservers*                 |               |
   |                             | DomainContacts?              |               |
   +-----------------------------+------------------------------+---------------+
   | Nameserver                  | Server                       | 3.19.1        |
   |                             | Address*                     |               |
   +-----------------------------+------------------------------+---------------+
   | DomainContacts              | SameDomainContact?           | 3.19.2        |
   |                             | Contact+                     |               |
   +-----------------------------+------------------------------+---------------+
   | Service                     | ip-protocol?                 | 3.20          |
   |                             | observable-id?               |               |
   |                             | ServiceName?                 |               |
   |                             | Port?                        |               |
   |                             | Portlist?                    |               |
   |                             | ProtoCode?                   |               |
   |                             | ProtoType?                   |               |
   |                             | ProtoField?                  |               |
   |                             | ApplicationHeaderField*      |               |
   |                             | EmailData?                   |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | ServiceName                 | IANAService?                 | 3.20.1        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | EmailData                   | observable-id?               | 3.21          |
   |                             | EmailTo*                     |               |
   |                             | EmailFrom?                   |               |
   |                             | EmailSubject?                |               |
   |                             | EmailX-Mailer?               |               |
   |                             | EmailHeaderField*            |               |
   |                             | EmailHeaders?                |               |
   |                             | EmailBody?                   |               |
   |                             | EmailMessage?                |               |
   |                             | HashData*                    |               |
   |                             | Signature*                   |               |
   +-----------------------------+------------------------------+---------------+
   | RecordData                  | restriction?                 | 3.22.1        |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | DateTime?                    |               |
   |                             | Description*                 |               |
   |                             | Application?                 |               |
   |                             | RecordPattern*               |               |
   |                             | RecordItem*                  |               |
   |                             | URL*                         |               |
   |                             | FileData*                    |               |
   |                             | WindowsRegistryKeysModified* |               |
   |                             | CertificateData*             |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | RecordPattern               | type                         | 3.22.2        |
   |                             | ext-type?                    |               |
   |                             | offset?                      |               |
   |                             | offsetunit?                  |               |
   |                             | ext-offsetunit?              |               |
   |                             | instance?                    |               |
   |                             | value                        |               |
   +-----------------------------+------------------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?               | 3.23          |
   |                             | Key+                         |               |
   +-----------------------------+------------------------------+---------------+
   | Key                         | registryaction?              | 3.23.1        |
   |                             | ext-registryaction?          |               |
   |                             | observable-id?               |               |
   |                             | KeyName                      |               |
   |                             | KeyValue?                    |               |
   +-----------------------------+------------------------------+---------------+
   | CertificateData             | restriction?                 | 3.24          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | Certificate+                 |               |
   +-----------------------------+------------------------------+---------------+
   | Certificate                 | observable-id?               | 3.24.1        |
   |                             | X509Data                     |               |
   |                             | Description*                 |               |
   +-----------------------------+------------------------------+---------------+
   | FileData                    | restriction?                 | 3.25          |
   |                             | ext-restriction?             |               |
   |                             | observable-id?               |               |
   |                             | File+                        |               |
   +-----------------------------+------------------------------+---------------+
   | File                        | observable-id?               | 3.25.1        |
   |                             | FileName?                    |               |
   |                             | FileSize?                    |               |
   |                             | FileType?                    |               |
   |                             | URL*                         |               |
   |                             | HashData?                    |               |
   |                             | Signature*                   |               |
   |                             | AssociatedSoftware?          |               |
   |                             | FileProperties*              |               |
   +-----------------------------+------------------------------+---------------+
   | HashData                    | scope                        | 3.26          |
   |                             | HashTargetID?                |               |
   |                             | Hash*                        |               |
   |                             | FuzzyHash*                   |               |
   +-----------------------------+------------------------------+---------------+
   | Hash                        | DigestMethod                 | 3.26.1        |
   |                             | DigestValue                  |               |
   |                             | CanonicalizationMethod?      |               |
   |                             | Application?                 |               |
   +-----------------------------+------------------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+              | 3.26.2        |
   |                             | Application?                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | Indicator                   | restriction?                 | 3.29          |
   |                             | ext-restriction?             |               |
   |                             | IndicatorID                  |               |
   |                             | AlternativeIndicatorID*      |               |
   |                             | Description*                 |               |
   |                             | StartTime?                   |               |
   |                             | EndTime?                     |               |
   |                             | Confidence?                  |               |
   |                             | Contact*                     |               |
   |                             | Observable?                  |               |
   |                             | uid-ref?                     |               |
   |                             | IndicatorExpression?         |               |
   |                             | IndicatorReference?          |               |
   |                             | NodeRole*                    |               |
   |                             | AttackPhase*                 |               |
   |                             | Reference*                   |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorID                 | id                           | 3.29.1        |
   |                             | name                         |               |
   |                             | version                      |               |
   +-----------------------------+------------------------------+---------------+
   | AlternativeIndicatorID      | restriction?                 | 3.29.2        |
   |                             | ext-restriction?             |               |
   |                             | IndicatorID+                 |               |
   +-----------------------------+------------------------------+---------------+
   | Observable                  | restriction?                 | 3.29.3        |
   |                             | ext-restriction?             |               |
   |                             | System?                      |               |
   |                             | Address?                     |               |
   |                             | DomainData?                  |               |
   |                             | Service?                     |               |
   |                             | EmailData?                   |               |
   |                             | WindowsRegistryKeysModified? |               |
   |                             | FileData?                    |               |
   |                             | CertificateData?             |               |
   |                             | RegistryHandle?              |               |
   |                             | RecordData?                  |               |
   |                             | EventData?                   |               |
   |                             | Incident?                    |               |
   |                             | Expectation?                 |               |
   |                             | Reference?                   |               |
   |                             | Assessment?                  |               |
   |                             | DetectionPattern?            |               |
   |                             | HistoryItem?                 |               |
   |                             | BulkObservable?              |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservable              | type?                        | 3.29.4        |
   |                             | ext-type?                    |               |
   |                             | BulkObservableFormat?        |               |
   |                             | BulkObservableList           |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | BulkObservableFormat        | Hash?                        | 3.29.5        |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorExpression         | operator?                    | 3.29.6        |
   |                             | ext-operator?                |               |
   |                             | IndicatorExpression*         |               |
   |                             | Observable*                  |               |
   |                             | uid-ref*                     |               |
   |                             | IndicatorReference*          |               |
   |                             | Confidence?                  |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+
   | IndicatorReference          | uid-ref?                     | 3.29.7        |
   |                             | euid-ref?                    |               |
   |                             | version?                     |               |
   +-----------------------------+------------------------------+---------------+
   | AttackPhase                 | AttackPhaseID*               | 3.29.8        |
   |                             | URL*                         |               |
   |                             | Description*                 |               |
   |                             | AdditionalData*              |               |
   +-----------------------------+------------------------------+---------------+

                          Figure 3: IODEF Classes

3.2.  Mapping between JSON and XML IODEF

   o  Attributes and elements of each class in an XML IODEF document are
      both presented as JSON attributes in a JSON IODEF document, and
      the order in which they appear is ignored.

   o  The Flow class is deleted, and classes that had instances of it
      now directly have the instances of the EventData class that used
      to belong to the Flow class.

   o  The ApplicationHeader class is deleted, and classes that had
      instances of it now directly have the instances of the
      ApplicationHeaderField class that used to belong to the
      ApplicationHeader class.
786 o SignatureData class is deleted, and classes with its instances now 787 directly have instance of Signature class that used to belong to 788 the SignatureData class. 790 o IndicatorData class is deleted, and classes with its instances now 791 directly have the instances of Indicator class that used to belong 792 to the IndicatorData class. 794 o ObservableReference class is deleted, and classes with its 795 instances now directly have uid-ref as an element. 797 o Record class is deleted, and classes with its instances now 798 directly have the instances of RecordData class that used to 799 belong to the Record class. 801 o The MLStringType were modified to support simple string by 802 allowing the type to have not only a predefined object type but 803 also text type, in order to allow simple descriptions of elements 804 of the type. 806 o The elements of ML_STRING type in XML IODEF document are presented 807 as either STRING type or ML_STRING type in JSON IODEF document. 809 o Data models of the extension classes defined by [RFC7203] and 810 referenced by [RFC7970] are represented by StructuredInfo class 811 defined in this document. 813 o Signature, X509Data, and RawData are encoded with base64 and are 814 represented as string (BYTE type) in JSON IODEF documents. 816 o EmailBody represents an whole message body including MIME 817 structure in the same manner defined in [RFC7970]. In case of an 818 email composed of MIME multipart, the EmailBody contains multiple 819 body parts separated by boundary strings. 821 o The "ipv6-net-mask" type attribute of BulkObservable class remains 822 available for the backward compatibility purpose, but the use of 823 this attribute is not recommended because IPV6 does not use 824 netmask any more. 826 4. Examples 828 This section provides examples of IODEF documents. These examples do 829 not represent the full capabilities of the data model or the only way 830 to encode particular information. 832 4.1. 
4.1.  Minimal Example

   A document containing only the mandatory elements and attributes is
   shown below in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{"EmailTo": "contact@csirt.example.com"}]
       }]
     }]
   }

                   Figure 4: A Minimal Example in JSON

   A3  # map(3)
      67  # text(7)
         76657273696F6E  # "version"
      63  # text(3)
         322E30  # "2.0"
      64  # text(4)
         6C616E67  # "lang"
      62  # text(2)
         656E  # "en"
      68  # text(8)
         496E636964656E74  # "Incident"
      81  # array(1)
         A5  # map(5)
            67  # text(7)
               707572706F7365  # "purpose"
            69  # text(9)
               7265706F7274696E67  # "reporting"
            6B  # text(11)
               7265737472696374696F6E  # "restriction"
            67  # text(7)
               70726976617465  # "private"
            6A  # text(10)
               496E636964656E744944  # "IncidentID"
            A2  # map(2)
               62  # text(2)
                  6964  # "id"
               66  # text(6)
                  343932333832  # "492382"
               64  # text(4)
                  6E616D65  # "name"
               71  # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6E  # text(14)
               47656E65726174696F6E54696D65  # "GenerationTime"
            C0  # tag(0)
               78 19  # text(25)
                  323031352D30372D31385430393A30303A30302D30353A3030
                  # "2015-07-18T09:00:00-05:00"
            67  # text(7)
               436F6E74616374  # "Contact"
            81  # array(1)
               A3  # map(3)
                  64  # text(4)
                     74797065  # "type"
                  6C  # text(12)
                     6F7267616E697A6174696F6E  # "organization"
                  64  # text(4)
                     726F6C65  # "role"
                  67  # text(7)
                     63726561746F72  # "creator"
                  65  # text(5)
                     456D61696C  # "Email"
                  81  # array(1)
                     A1  # map(1)
                        67  # text(7)
                           456D61696C546F  # "EmailTo"
                        78 19  # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                           # "contact@csirt.example.com"

                   Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the
         Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "domain-name",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

              Figure 6: Indicators from a Campaign in JSON

   A3  # map(3)
      67  # text(7)
         76657273696F6E  # "version"
      63  # text(3)
         322E30  # "2.0"
      64  # text(4)
         6C616E67  # "lang"
      62  # text(2)
         656E  # "en"
      68  # text(8)
         496E636964656E74  # "Incident"
      81  # array(1)
         A9  # map(9)
            67  # text(7)
               707572706F7365  # "purpose"
            65  # text(5)
               7761746368  # "watch"
            6B  # text(11)
               7265737472696374696F6E  # "restriction"
            65  # text(5)
               677265656E  # "green"
            6A  # text(10)
               496E636964656E744944  # "IncidentID"
            A2  # map(2)
               62  # text(2)
                  6964  # "id"
               66  # text(6)
                  383937393233  # "897923"
               64  # text(4)
                  6E616D65  # "name"
               71  # text(17)
                  63736972742E6578616D706C652E636F6D  # "csirt.example.com"
            6F  # text(15)
               52656C617465644163746976697479  # "RelatedActivity"
            81  # array(1)
               A2  # map(2)
                  6B  # text(11)
                     5468726561744163746F72  # "ThreatActor"
                  81  # array(1)
                     A2  # map(2)
                        6D  # text(13)
                           5468726561744163746F724944  # "ThreatActorID"
                        81  # array(1)
                           78 1A  # text(26)
                              54412D31322D414747524553534956452D425554544552464C59
                              # "TA-12-AGGRESSIVE-BUTTERFLY"
                        6B  # text(11)
                           4465736372697074696F6E  # "Description"
                        81  # array(1)
                           74  # text(20)
                              4167677265737369766520427574746572666C79
                              # "Aggressive Butterfly"
                  68  # text(8)
                     43616D706169676E  # "Campaign"
                  81  # array(1)
                     A2  # map(2)
                        6A  # text(10)
                           43616D706169676E4944  # "CampaignID"
                        81  # array(1)
                           6C  # text(12)
                              432D323031352D3539343035  # "C-2015-59405"
                        6B  # text(11)
                           4465736372697074696F6E  # "Description"
                        81  # array(1)
                           6E  # text(14)
                              4F72616E67652047697261666665  # "Orange Giraffe"
            6E  # text(14)
               47656E65726174696F6E54696D65  # "GenerationTime"
            C0  # tag(0)
               78 19  # text(25)
                  323031352D31302D30325431313A31383A30302D30353A3030
                  # "2015-10-02T11:18:00-05:00"
            6B  # text(11)
               4465736372697074696F6E  # "Description"
            81  # array(1)
               78 6F  # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7273206F6620436
                  F6D70726F6D69736520666F7220746865204F72616E676520476972616666
                  652063616D706169676E206F6620746865204167677265737369766520427
                  574746572666C79206372696D652067616E672E
                  # "Summarizes the Indicators of Compromise for the Orange
                  #  Giraffe campaign of the Aggressive Butterfly crime gang."
            6A  # text(10)
               4173736573736D656E74  # "Assessment"
            81  # array(1)
               A1  # map(1)
                  66  # text(6)
                     496D70616374  # "Impact"
                  81  # array(1)
                     A1  # map(1)
                        6E  # text(14)
                           427573696E657373496D70616374  # "BusinessImpact"
                        A1  # map(1)
                           64  # text(4)
                              74797065  # "type"
                           72  # text(18)
                              6272656163682D70726F7072696574617279
                              # "breach-proprietary"
            67  # text(7)
               436F6E74616374  # "Contact"
            81  # array(1)
               A4  # map(4)
                  64  # text(4)
                     74797065  # "type"
                  6C  # text(12)
                     6F7267616E697A6174696F6E  # "organization"
                  64  # text(4)
                     726F6C65  # "role"
                  67  # text(7)
                     63726561746F72  # "creator"
                  6B  # text(11)
                     436F6E746163744E616D65  # "ContactName"
                  81  # array(1)
                     75  # text(21)
                        435349525420666F72206578616D706C652E636F6D
                        # "CSIRT for example.com"
                  65  # text(5)
                     456D61696C  # "Email"
                  81  # array(1)
                     A1  # map(1)
                        67  # text(7)
                           456D61696C546F  # "EmailTo"
                        78 19  # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                           # "contact@csirt.example.com"
            69  # text(9)
               496E64696361746F72  # "Indicator"
            81  # array(1)
               A4  # map(4)
                  6B  # text(11)
                     496E64696361746F724944  # "IndicatorID"
                  A3  # map(3)
                     62  # text(2)
                        6964  # "id"
                     69  # text(9)
                        473930383233343930  # "G90823490"
                     64  # text(4)
                        6E616D65  # "name"
                     71  # text(17)
                        63736972742E6578616D706C652E636F6D
                        # "csirt.example.com"
                     67  # text(7)
                        76657273696F6E  # "version"
                     61  # text(1)
                        31  # "1"
                  6B  # text(11)
                     4465736372697074696F6E  # "Description"
                  81  # array(1)
                     6A  # text(10)
                        433220646F6D61696E73  # "C2 domains"
                  69  # text(9)
                     537461727454696D65  # "StartTime"
                  C0  # tag(0)
                     78 19  # text(25)
                        323031342D31322D30325431313A31383A30302D30353A3030
                        # "2014-12-02T11:18:00-05:00"
                  6A  # text(10)
                     4F627365727661626C65  # "Observable"
                  A1  # map(1)
                     6E  # text(14)
                        42756C6B4F627365727661626C65  # "BulkObservable"
                     A2  # map(2)
                        64  # text(4)
                           74797065  # "type"
                        6B  # text(11)
                           646F6D61696E2D6E616D65  # "domain-name"
                        72  # text(18)
                           42756C6B4F627365727661626C654C697374
                           # "BulkObservableList"
                        78 1A  # text(26)
                           6B6A3239303032336A30397233342E6578616D706C652E636F6D
                           # "kj290023j09r34.example.com"

              Figure 7: Indicators from a Campaign in CBOR

5.  The IODEF Data Model (CDDL)

   start = iodef

   ;;; iodef.json: I​ODEF-Document

   iodef = {
     version: text
     ? lang: lang
     ? format-id: text
     ? private-enum-name: text
     ? private-enum-id: text
     Incident: [+ Incident]
     ? AdditionalData: [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   URLtype = uri
   TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   DATETIME = tdate

   BYTE = eb64legacy

   MLStringType = {
     value: text
     ? lang: lang
     ? translation-id: text
   } / text

   PositiveFloatType = float32 .gt 0

   PAddressType = MLStringType

   ExtensionType = {
     value: text
     ? name: text
     dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
            "ntpstamp" / "integer" / "portlist" / "real" / "string" /
            "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
            "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
            .default "string"
     ? ext-dtype: text
     ? meaning: text
     ? formatid: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
   }

   SoftwareType = {
     ? SoftwareReference: SoftwareReference
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   SoftwareReference = {
     ? value: text
     spec-name: "custom" / "cpe" / "swid" / "ext-value"
     ? ext-spec-name: text
     ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
              .default "string"
     ? ext-dtype: text
   }

   Incident = {
     purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
              "ext-value"
     ? ext-purpose: text
     ? status: "new" / "in-progress" / "forwarded" / "resolved" / "future" /
               "ext-value"
     ? ext-status: text
     ? lang: lang
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     IncidentID: IncidentID
     ? AlternativeID: AlternativeID
     ? RelatedActivity: [+ RelatedActivity]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     GenerationTime: DATETIME
     ? Description: [+ MLStringType]
     ? Discovery: [+ Discovery]
     ? Assessment: [+ Assessment]
     ? Method: [+ Method]
     Contact: [+ Contact]
     ? EventData: [+ EventData]
     ? Indicator: [+ Indicator]
     ? History: History
     ? AdditionalData: [+ ExtensionType]
   }

   IncidentID = {
     id: text
     name: text
     ? instance: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
   }

   AlternativeID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IncidentID: [+ IncidentID]
   }

   RelatedActivity = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? IncidentID: [+ IncidentID]
     ? URL: [+ URLtype]
     ? ThreatActor: [+ ThreatActor]
     ? Campaign: [+ Campaign]
     ? IndicatorID: [+ IndicatorID]
     ? Confidence: Confidence
     ? Description: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   ThreatActor = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ThreatActorID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Campaign = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? CampaignID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Contact = {
     role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
           "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
           "vendor" / "vendor-support" / "victim" / "victim-notified" /
           "ext-value"
     ? ext-role: text
     type: "person" / "organization" / "ext-value"
     ? ext-type: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? ContactName: [+ MLStringType]
     ? ContactTitle: [+ MLStringType]
     ? Description: [+ MLStringType]
     ? RegistryHandle: [+ RegistryHandle]
     ? PostalAddress: [+ PostalAddress]
     ? Email: [+ Email]
     ? Telephone: [+ Telephone]
     ? Timezone: TimeZonetype
     ? Contact: [+ Contact]
     ? AdditionalData: [+ ExtensionType]
   }

   RegistryHandle = {
     handle: text
     registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
               "afrinic" / "local" / "ext-value"
     ? ext-registry: text
   }

   PostalAddress = {
     ? type: "street" / "mailing" / "ext-value"
     ? ext-type: text
     PAddress: PAddressType
     ? Description: [+ MLStringType]
   }

   Email = {
     ? type: "direct" / "hotline" / "ext-value"
     ? ext-type: text
     EmailTo: text
     ? Description: [+ MLStringType]
   }

   Telephone = {
     ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
     ? ext-type: text
     TelephoneNumber: text
     ? Description: [+ MLStringType]
   }

   Discovery = {
     ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
               "incident" / "os-log" / "application-log" / "device-log" /
               "network-flow" / "passive-dns" / "investigation" / "audit" /
               "internal-notification" / "external-notification" /
               "leo" / "partner" / "actor" / "unknown" / "ext-value"
     ? ext-source: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Description: [+ MLStringType]
     ? Contact: [+ Contact]
     ? DetectionPattern: [+ DetectionPattern]
   }

   DetectionPattern = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
     Application: SoftwareType
   }

   Method = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? Reference: [+ Reference]
     ? Description: [+ MLStringType]
     ? AttackPattern: [+ StructuredInfo]
     ? Vulnerability: [+ StructuredInfo]
     ? Weakness: [+ StructuredInfo]
     ? AdditionalData: [+ ExtensionType]
   }

   StructuredInfo = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? (RawData: [+ BYTE] // Reference: [+ Reference])
     ? Platform: [+ Platform]
     ? Scoring: [+ Scoring]
   }

   Platform = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Scoring = {
     SpecID: SpecID
     ? ext-SpecID: text
     ? ContentID: text
     ? RawData: [+ BYTE]
     ? Reference: [+ Reference]
   }

   Reference = {
     ? observable-id: IDtype
     ? ReferenceName: ReferenceName
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   ReferenceName = {
     specIndex: integer
     ID: IDtype
   }

   Assessment = {
     ? occurrence: "actual" / "potential"
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? IncidentCategory: [+ MLStringType]
     Impact: [+ {SystemImpact: SystemImpact} /
                {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
                {MonetaryImpact: MonetaryImpact} /
                {IntendedImpact: BusinessImpact}]
     ? Counter: [+ Counter]
     ? MitigatingFactor: [+ MLStringType]
     ? Cause: [+ MLStringType]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   SystemImpact = {
     ? severity: "low" / "medium" / "high"
     ? completion: "failed" / "succeeded"
     type: "takeover-account" / "takeover-service" / "takeover-system" /
           "cps-manipulation" / "cps-damage" / "availability-data" /
           "availability-account" / "availability-service" /
           "availability-system" / "damaged-system" / "damaged-data" /
           "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "breach-configuration" / "integrity-data" /
           "integrity-configuration" / "integrity-hardware" /
           "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
           "policy" / "unknown" / "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   BusinessImpact = {
     ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
                 .default "unknown"
     ? ext-severity: text
     type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
           "loss-of-integrity" / "loss-of-service" / "theft-financial" /
           "theft-service" / "degraded-reputation" / "asset-damage" /
           "asset-manipulation" / "legal" / "extortion" / "unknown" /
           "ext-value" .default "unknown"
     ? ext-type: text
     ? Description: [+ MLStringType]
   }

   TimeImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     metric: "labor" / "elapsed" / "downtime" / "ext-value"
     ? ext-metric: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   MonetaryImpact = {
     value: PositiveFloatType
     ? severity: "low" / "medium" / "high"
     ? currency: text
   }

   Confidence = {
     value: float32
     rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
     ? ext-rating: text
   }

   History = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     HistoryItem: [+ HistoryItem]
   }

   HistoryItem = {
     action: action .default "other"
     ? ext-action: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     DateTime: DATETIME
     ? IncidentID: IncidentID
     ? Contact: Contact
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? AdditionalData: [+ ExtensionType]
   }

   EventData = {
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DetectTime: DATETIME
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? RecoveryTime: DATETIME
     ? ReportTime: DATETIME
     ? Contact: [+ Contact]
     ? Discovery: [+ Discovery]
     ? Assessment: Assessment
     ? Method: [+ Method]
     ? System: [+ System]
     ? Expectation: [+ Expectation]
     ? RecordData: [+ RecordData]
     ? EventData: [+ EventData]
     ? AdditionalData: [+ ExtensionType]
   }

   Expectation = {
     ? action: action .default "other"
     ? ext-action: text
     ? severity: "low" / "medium" / "high"
     ? restriction: restriction .default "default"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? Description: [+ MLStringType]
     ? DefinedCOA: [+ text]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Contact: Contact
   }

   System = {
     ? category: "source" / "target" / "intermediate" / "sensor" /
                 "infrastructure" / "ext-value"
     ? ext-category: text
     ? interface: text
     ? spoofed: "unknown" / "yes" / "no" .default "unknown"
     ? virtual: "yes" / "no" / "unknown" .default "unknown"
     ? ownership: "organization" / "personal" / "partner" / "customer" /
                  "no-relationship" / "unknown" / "ext-value"
     ? ext-ownership: text
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Node: Node
     ? NodeRole: [+ NodeRole]
     ? Service: [+ Service]
     ? OperatingSystem: [+ SoftwareType]
     ? Counter: [+ Counter]
     ? AssetID: [+ text]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

   Node = {
     (DomainData: [+ DomainData]
      ? Address: [+ Address] //
      ? DomainData: [+ DomainData]
      Address: [+ Address])
     ? PostalAddress: PostalAddress
     ? Location: [+ MLStringType]
     ? Counter: [+ Counter]
   }

   Address = {
     value: text
     category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
               "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
               "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
               "ext-value" .default "ipv6-addr"
     ? ext-category: text
     ? vlan-name: text
     ? vlan-num: integer
     ? observable-id: IDtype
   }

   NodeRole = {
     category: "client" / "client-enterprise" / "client-partner" /
               "client-remote" / "client-kiosk" / "client-mobile" /
               "server-internal" / "server-public" / "www" / "mail" /
               "webmail" / "messaging" / "streaming" / "voice" / "file" /
               "ftp" / "p2p" / "name" / "directory" / "credential" /
               "print" / "application" / "database" / "backup" / "dhcp" /
               "assessment" / "source-control" / "config-management" /
               "monitoring" / "infra" / "infra-firewall" / "infra-router" /
               "infra-switch" / "camera" / "proxy" / "remote-access" /
               "log" / "virtualization" / "pos" / "scada" /
               "scada-supervisory" / "sinkhole" / "honeypot" /
               "anomyzation" / "c2-server" / "malware-distribution" /
               "drop-server" / "hop-point" / "reflector" /
               "phishing-site" / "spear-phishing-site" / "recruiting-site" /
               "fraudulent-site" / "ext-value"
     ? ext-category: text
     ? Description: [+ MLStringType]
   }

   Counter = {
     value: float32
     type: "count" / "peak" / "average" / "ext-value"
     ? ext-type: text
     unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
           "message" / "event" / "host" / "site" / "organization" /
           "ext-value"
     ? ext-unit: text
     ? meaning: text
     ? duration: duration .default "hour"
     ? ext-duration: text
   }

   DomainData = {
     system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
                    "innocent-hijacked" / "unknown" / "ext-value"
     ? ext-system-status: text
     domain-status: "reservedDelegation" / "assignedAndActive" /
                    "assignedAndInactive" / "assignedAndOnHold" /
                    "revoked" / "transferPending" / "registryLock" /
                    "registrarLock" / "other" / "unknown" / "ext-value"
     ? ext-domain-status: text
     ? observable-id: IDtype
     Name: text
     ? DateDomainWasChecked: DATETIME
     ? RegistrationDate: DATETIME
     ? ExpirationDate: DATETIME
     ? RelatedDNS: [+ ExtensionType]
     ? NameServers: [+ NameServers]
     ? DomainContacts: DomainContacts
   }

   NameServers = {
     Server: text
     Address: [+ Address]
   }

   DomainContacts = {
     (SameDomainContact: text // Contact: [+ Contact])
   }

   Service = {
     ? ip-protocol: integer
     ? observable-id: IDtype
     ? ServiceName: ServiceName
     ? Port: integer
     ? Portlist: PortlistType
     ? ProtoCode: integer
     ? ProtoType: integer
     ? ProtoField: integer
     ? ApplicationHeaderField: [+ ExtensionType]
     ? EmailData: EmailData
     ? Application: SoftwareType
   }

   ServiceName = {
     ? IANAService: text
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
   }

   EmailData = {
     ? observable-id: IDtype
     ? EmailTo: [+ text]
     ? EmailFrom: text
     ? EmailSubject: text
     ? EmailX-Mailer: text
     ? EmailHeaderField: [+ ExtensionType]
     ? EmailHeaders: text
     ? EmailBody: text
     ? EmailMessage: text
     ? HashData: [+ HashData]
     ? Signature: [+ BYTE]
   }

   RecordData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     ? DateTime: DATETIME
     ? Description: [+ MLStringType]
     ? Application: SoftwareType
     ? RecordPattern: [+ RecordPattern]
     ? RecordItem: [+ ExtensionType]
     ? URL: [+ URLtype]
     ? FileData: [+ FileData]
     ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
     ? CertificateData: [+ CertificateData]
     ? AdditionalData: [+ ExtensionType]
   }

   RecordPattern = {
     value: text
     type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
     ? ext-type: text
     ? offset: integer
     ? offsetunit: "line" / "byte" / "ext-value" .default "line"
     ? ext-offsetunit: text
     ? instance: integer
   }

   WindowsRegistryKeysModified = {
     ? observable-id: IDtype
     Key: [+ Key]
   }

   Key = {
     ? registryaction: "add-key" / "add-value" / "delete-key" /
                       "delete-value" / "modify-key" / "modify-value" /
                       "ext-value"
     ? ext-registryaction: text
     ? observable-id: IDtype
     KeyName: text
     ? KeyValue: text
   }

   CertificateData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     Certificate: [+ Certificate]
   }

   Certificate = {
     ? observable-id: IDtype
     X509Data: BYTE
     ? Description: [+ MLStringType]
   }

   FileData = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? observable-id: IDtype
     File: [+ File]
   }

   File = {
     ? observable-id: IDtype
     ? FileName: text
     ? FileSize: integer
     ? FileType: text
     ? URL: [+ URLtype]
     ? HashData: HashData
     ? Signature: [+ BYTE]
     ? AssociatedSoftware: SoftwareType
     ? FileProperties: [+ ExtensionType]
   }

   HashData = {
     scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
            "file-pe-resource" / "file-pdf-object" / "email-hash" /
            "email-headers-hash" / "email-body-hash" / "ext-value"
     ? HashTargetID: text
     ? Hash: [+ Hash]
     ? FuzzyHash: [+ FuzzyHash]
   }

   Hash = {
     DigestMethod: BYTE
     DigestValue: BYTE
     ? CanonicalizationMethod: BYTE
     ? Application: SoftwareType
   }

   FuzzyHash = {
     FuzzyHashValue: [+ ExtensionType]
     ? Application: SoftwareType
     ? AdditionalData: [+ ExtensionType]
   }

   Indicator = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: IndicatorID
     ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
     ? Description: [+ MLStringType]
     ? StartTime: DATETIME
     ? EndTime: DATETIME
     ? Confidence: Confidence
     ? Contact: [+ Contact]
     (Observable: Observable // uid-ref: IDREFType //
      IndicatorExpression: IndicatorExpression //
      IndicatorReference: IndicatorReference)
     ? NodeRole: [+ NodeRole]
     ? AttackPhase: [+ AttackPhase]
     ? Reference: [+ Reference]
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorID = {
     id: IDtype
     name: text
     version: text
   }

   AlternativeIndicatorID = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     IndicatorID: [+ IndicatorID]
   }

   Observable = {
     ? restriction: restriction .default "private"
     ? ext-restriction: text
     ? (System: System // Address: Address // DomainData: DomainData //
        EmailData: EmailData // Service: Service //
        WindowsRegistryKeysModified: WindowsRegistryKeysModified //
        FileData: FileData // CertificateData: CertificateData //
        RegistryHandle: RegistryHandle // RecordData: RecordData //
        EventData: EventData // Incident: Incident //
        Expectation: Expectation // Reference: Reference //
        Assessment: Assessment // DetectionPattern: DetectionPattern //
        HistoryItem: HistoryItem // BulkObservable: BulkObservable //
        AdditionalData: [+ ExtensionType])
   }

   BulkObservable = {
     ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
             "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
             "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
             "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
             "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
             "windows-reg-key" / "file-hash" / "email-x-mailer" /
             "email-subject" / "http-user-agent" / "http-request-uri" /
             "mutex" / "file-path" / "user-name" / "ext-value"
     ? ext-type: text
     ? BulkObservableFormat: BulkObservableFormat
     BulkObservableList: text
     ? AdditionalData: [+ ExtensionType]
   }

   BulkObservableFormat = {
     (Hash: Hash // AdditionalData: [+ ExtensionType])
   }

   IndicatorExpression = {
     ? operator: "not" / "and" / "or" / "xor" .default "and"
     ? ext-operator: text
     ? IndicatorExpression: [+ IndicatorExpression]
     ? Observable: [+ Observable]
     ? uid-ref: [+ IDREFType]
     ? IndicatorReference: [+ IndicatorReference]
     ? Confidence: Confidence
     ? AdditionalData: [+ ExtensionType]
   }

   IndicatorReference = {
     (uid-ref: IDREFType // euid-ref: text)
     ? version: text
   }

   AttackPhase = {
     ? AttackPhaseID: [+ text]
     ? URL: [+ URLtype]
     ? Description: [+ MLStringType]
     ? AdditionalData: [+ ExtensionType]
   }

                       Figure 8: Data Model in CDDL

6.  IANA Considerations

   This document does not require any IANA actions.

7.  Security Considerations

   This document does not introduce security considerations beyond
   those described in [RFC7970].

8.  Acknowledgments

   We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
   Morita, and Takahiko Nagata for their insightful comments on CDDL.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013.

   [RFC7203]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, DOI 10.17487/RFC7203, April 2014.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019.

9.2.  Informative References

   [jsonschema]
              Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema:
              core definitions and terminology", 2013.

Appendix A.  Data Types used in this document

   The CDDL prelude used in this document is mapped to JSON as shown in
   the table below.

   +--------------+-------------+----------+-----------------+
   | CDDL Prelude | Use of JSON | Instance | Validation      |
   +--------------+-------------+----------+-----------------+
   | bytes        | n/a         | string   | tool available  |
   | text         | string      | string   | unnecessary     |
   | tdate        | n/a         | string   | 7.3.1 date-time |
   | integer      | n/a         | number   | integer         |
   | eb64legacy   | n/a         | string   | tool available  |
   | uri          | n/a         | string   | 7.3.6 uri       |
   | float32      | float32     | number   | unnecessary     |
   +--------------+-------------+----------+-----------------+

                Figure 9: CDDL Prelude mapping in JSON
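   Appendix A leaves the validation of bytes and eb64legacy values to
   tools and maps tdate and uri to JSON Schema format keywords, while
   the CDDL of Section 5 adds enum, .regexp and .gt constraints; a
   consumer that acts on a received IODEF document (for example by
   blocking the observables it lists) should check these before
   trusting the content.  The following Python checker is an added
   example, not part of this draft, that enforces a subset of those
   constraints on the mandatory members of iodef, Incident and
   IncidentID and on MLStringType, PositiveFloatType and BYTE values;
   it is run on the minimal document of Figure 4 and on a constructed
   document with four defects.  The function names, the RESTRICTION and
   PURPOSE sets (copied from the CDDL) and the BAD_DOC sample are this
   example's own; it complements the Appendix B schema rather than
   replacing it.

```python
# Added example (not part of the draft): checks for CDDL constraints that
# the Appendix A table leaves to tools or to JSON Schema "format" keywords.
import base64
import binascii
import re
from datetime import datetime

# Copied from the Section 5 CDDL: the lang regexp and two enums.
LANG_RE = re.compile(r"^$|^[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*$")
RESTRICTION = {"public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"}
PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}


def is_tdate(value):
    """tdate: an RFC 3339 date-time with a time part and a UTC offset (or Z)."""
    if not isinstance(value, str) or "T" not in value:
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return value.endswith("Z") or value[-6] in "+-"


def is_byte(value):
    """BYTE (eb64legacy): a text string that decodes as base64 without error."""
    if not isinstance(value, str):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_mlstring(value):
    """MLStringType (Section 3.2): plain text, or an object with a text
    value, an optional well-formed lang and an optional translation-id."""
    if isinstance(value, str):
        return True
    if not isinstance(value, dict) or not isinstance(value.get("value"), str):
        return False
    lang = value.get("lang", "")
    return (isinstance(lang, str) and LANG_RE.match(lang) is not None
            and set(value) <= {"value", "lang", "translation-id"})


def is_positive_float(value):
    """PositiveFloatType: float32 .gt 0 (bool is excluded; it is an int in Python)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool) and value > 0


def check_document(doc):
    """Return the list of problems found (empty for a valid document)."""
    problems = []
    if doc.get("version") != "2.0":
        problems.append("iodef.version must be the text \"2.0\"")
    lang = doc.get("lang", "")
    if not (isinstance(lang, str) and LANG_RE.match(lang)):
        problems.append("iodef.lang does not match the lang regexp")
    incidents = doc.get("Incident")
    if not isinstance(incidents, list) or not incidents:
        return problems + ["iodef.Incident must be a non-empty array"]
    for i, inc in enumerate(incidents):
        where = f"Incident[{i}]"
        if inc.get("purpose") not in PURPOSE:
            problems.append(f"{where}.purpose is not in the purpose enum")
        if inc.get("restriction", "private") not in RESTRICTION:
            problems.append(f"{where}.restriction is not in the restriction enum")
        iid = inc.get("IncidentID")
        if not (isinstance(iid, dict) and isinstance(iid.get("id"), str)
                and isinstance(iid.get("name"), str)):
            problems.append(f"{where}.IncidentID needs text id and name members")
        for member in ("GenerationTime", "DetectTime", "StartTime", "EndTime",
                       "RecoveryTime", "ReportTime"):   # GenerationTime is mandatory
            if (member == "GenerationTime" or member in inc) and not is_tdate(inc.get(member)):
                problems.append(f"{where}.{member} is not a tdate")
        if not (isinstance(inc.get("Contact"), list) and inc["Contact"]):
            problems.append(f"{where}.Contact must be a non-empty array")
        if not all(is_mlstring(d) for d in inc.get("Description", [])):
            problems.append(f"{where}.Description holds an invalid MLStringType")
        for a in inc.get("Assessment", []):
            for imp in a.get("Impact", []):
                for kind in ("TimeImpact", "MonetaryImpact"):
                    if kind in imp and not is_positive_float(imp[kind].get("value")):
                        problems.append(f"{where}.Assessment.Impact.{kind}.value must be > 0")
    return problems


# The minimal document of Figure 4 (copied from the draft).
GOOD_DOC = {
    "version": "2.0", "lang": "en",
    "Incident": [{
        "purpose": "reporting", "restriction": "private",
        "IncidentID": {"id": "492382", "name": "csirt.example.com"},
        "GenerationTime": "2015-07-18T09:00:00-05:00",
        "Contact": [{"type": "organization", "role": "creator",
                     "Email": [{"EmailTo": "contact@csirt.example.com"}]}],
    }],
}

# Constructed for this example: the same report with four defects.
BAD_DOC = {
    "version": "2.0", "lang": "en",
    "Incident": [{
        "purpose": "reporting",
        "restriction": "secret",                 # not in the restriction enum
        "IncidentID": {"id": "492382"},          # name is mandatory
        "GenerationTime": "18/07/2015 09:00",    # not an RFC 3339 date-time
        "Contact": [{"type": "organization", "role": "creator",
                     "Email": [{"EmailTo": "contact@csirt.example.com"}]}],
        "Description": [{"lang": "en"}],         # MLStringType object without value
    }],
}
```

   check_document(GOOD_DOC) returns an empty list and
   check_document(BAD_DOC) returns one entry per defect; the checks are
   deliberately structural, so a document that passes them still has to
   be validated against the full schema before its restriction marking
   or its indicators are relied upon.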
Appendix B.  The IODEF Data Model (JSON Schema)

   This appendix provides a JSON Schema that defines the IODEF data model
   specified in this draft.  Note that this appendix is informative.

   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site",
         "contact-target-site","contact-sender","investigate",
         "block-host","block-network","block-port","rate-limit-host",
         "rate-limit-network","rate-limit-port","redirect-traffic",
         "honeypot","upgrade-software","rebuild-asset","harden-asset",
         "remediate-other","status-triage","status-new-info",
         "watch-and-report","training","defined-coa","other",
         "ext-value"]},
       "duration": {"enum": ["second","minute","hour","day","month",
         "quarter","year","ext-value"]},
       "SpecID": {
         "enum": ["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
       "lang": {
         "type": "string","pattern": "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback","mitigation","reporting","watch",
         "other","ext-value"]},
       "restriction": {"enum": ["public","partner","need-to-know","private",
         "default","white","green","amber","red","ext-value"]},
       "status": {"enum": ["new","in-progress","forwarded","resolved",
         "future","ext-value"]},
       "DATETIME": {"type": "string","format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
       "TimeZonetype": {
         "type": "string","pattern": "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
           {"type": "object",
            "properties": {
              "value": {"type": "string"},
              "lang": {"$ref": "#/definitions/lang"},
              "translation-id": {"type": "string"}},
            "required": ["value"],
            "additionalProperties": false}]},
       "PositiveFloatType": {"type": "number","minimum": 0},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean","byte","bytes","character","json",
             "date-time","ntpstamp","integer","portlist","real","string",
             "file","path","frame","packet","ipv4-packet","ipv6-packet",
             "url","csv","winreg","xml","ext-value"],"default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction","default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value","dtype"],
         "additionalProperties": false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype",
               "minItems": 1}},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom","cpe","swid","ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes","integer","real","string","xml",
             "ext-value"],"default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Platform": {
             "type": "array",
             "items": {"$ref": "#/definitions/Platform"},
             "minItems": 1},
           "Scoring": {
             "type": "array",
             "items": {"$ref": "#/definitions/Scoring"},
             "minItems": 1}},
         "allOf": [
           {"required": ["SpecID"]},
           {"anyOf": [
             {"oneOf": [
               {"required": ["Reference"]},
               {"required": ["RawData"]}]},
             {"not": {"required": ["Reference","RawData"]}}]}],
         "additionalProperties": false},
       "Platform": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Scoring": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array",
             "items": {"$ref": "#/definitions/RelatedActivity"},
             "minItems": 1},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "GenerationTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {
             "type": "array",
             "items": {"$ref": "#/definitions/Assessment"},
             "minItems": 1},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "Indicator": {
             "type": "array",
             "items": {"$ref": "#/definitions/Indicator"},
             "minItems": 1},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID","GenerationTime","Contact","purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["id","name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "ThreatActor": {
             "type": "array",
             "items": {"$ref": "#/definitions/ThreatActor"},
             "minItems": 1},
           "Campaign": {
             "type": "array",
             "items": {"$ref": "#/definitions/Campaign"},
             "minItems": 1},
           "IndicatorID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IndicatorID"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum": ["creator","reporter","admin","tech","provider","user",
               "billing","legal","irt","abuse","cc","cc-irt","leo",
               "vendor","vendor-support","victim","victim-notified",
               "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person","organization","ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "ContactName": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "ContactTitle": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "RegistryHandle": {
             "type": "array",
             "items": {"$ref": "#/definitions/RegistryHandle"},
             "minItems": 1},
           "PostalAddress": {
             "type": "array",
             "items": {"$ref": "#/definitions/PostalAddress"},
             "minItems": 1},
           "Email": {
             "type": "array",
             "items": {"$ref": "#/definitions/Email"},
             "minItems": 1},
           "Telephone": {
             "type": "array",
             "items": {"$ref": "#/definitions/Telephone"},
             "minItems": 1},
           "Timezone": {"$ref": "#/definitions/TimeZonetype"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["role","type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
               "local","ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["handle","registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {
             "enum": ["street","mailing","ext-value"]},
           "ext-type": {"type": "string"},
           "PAddress": {"$ref": "#/definitions/PAddressType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {
             "enum": ["direct","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {
             "enum": ["wired","mobile","fax","hotline","ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum": ["nidps","hips","siem","av","third-party-monitoring",
               "incident","os-log","application-log","device-log",
               "network-flow","passive-dns","investigation","audit",
               "internal-notification","external-notification","leo",
               "partner","actor","unknown","ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "DetectionPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/DetectionPattern"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DetectionConfiguration": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1}},
         "allOf": [
           {"required": ["Application"]},
           {"oneOf": [
             {"required": ["Description"]},
             {"required": ["DetectionConfiguration"]}]}],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AttackPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "Vulnerability": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "Weakness": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {"$ref": "#/definitions/ReferenceName"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "ReferenceName": {
         "type": "object",
         "properties": {
           "specIndex": {"type": "number"},
           "ID": {"$ref": "#/definitions/IDtype"}},
         "required": ["specIndex","ID"],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum": ["actual","potential"]},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Impact": {
             "type": "array",
             "items": {
               "properties": {
                 "SystemImpact": {"$ref": "#/definitions/SystemImpact"},
                 "BusinessImpact": {"$ref": "#/definitions/BusinessImpact"},
                 "TimeImpact": {"$ref": "#/definitions/TimeImpact"},
                 "MonetaryImpact": {"$ref": "#/definitions/MonetaryImpact"},
                 "IntendedImpact": {"$ref": "#/definitions/BusinessImpact"}},
               "additionalProperties": false},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "MitigatingFactor": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Cause": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["Impact"],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum": ["low","medium","high"]},
           "completion": {"enum": ["failed","succeeded"]},
           "type": {
             "enum": ["takeover-account","takeover-service",
               "takeover-system","cps-manipulation","cps-damage",
               "availability-data","availability-account",
               "availability-service","availability-system",
               "damaged-system","damaged-data","breach-proprietary",
               "breach-privacy","breach-credential",
               "breach-configuration","integrity-data",
               "integrity-configuration","integrity-hardware",
               "traffic-redirection","monitoring-traffic",
               "monitoring-host","policy","unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "BusinessImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum": ["none","low","medium","high","unknown",
             "ext-value"],"default": "unknown"},
           "ext-severity": {"type": "string"},
           "type": {"enum": ["breach-proprietary","breach-privacy",
             "breach-credential","loss-of-integrity","loss-of-service",
             "theft-financial","theft-service","degraded-reputation",
             "asset-damage","asset-manipulation","legal","extortion",
             "unknown","ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "TimeImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum": ["low","medium","high"]},
           "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
           "ext-metric": {"type": "string"},
           "duration": {"$ref": "#/definitions/duration","default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value","metric"],
         "additionalProperties": false},
       "MonetaryImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum": ["low","medium","high"]},
           "currency": {"type": "string"}},
         "required": ["value"],
         "additionalProperties": false},
       "Confidence": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "rating": {"enum": ["low","medium","high","numeric","unknown",
             "ext-value"]},
           "ext-rating": {"type": "string"}},
         "required": ["value","rating"],
         "additionalProperties": false},
       "History": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "HistoryItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/HistoryItem"},
             "minItems": 1}},
         "required": ["HistoryItem"],
         "additionalProperties": false},
       "HistoryItem": {
         "type": "object",
         "properties": {
           "action": {"$ref": "#/definitions/action","default": "other"},
           "ext-action": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "Contact": {"$ref": "#/definitions/Contact"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["DateTime","action"],
         "additionalProperties": false},
       "EventData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {"type": "array",
             "items": {"$ref": "#/definitions/MLStringType"}},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {"$ref": "#/definitions/Assessment"},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "System": {
             "type": "array",
             "items": {"$ref": "#/definitions/System"},
             "minItems": 1},
           "Expectation": {
             "type": "array",
             "items": {"$ref": "#/definitions/Expectation"},
             "minItems": 1},
           "RecordData": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordData"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Expectation": {
         "type": "object",
         "properties": {
           "action": {"$ref": "#/definitions/action","default": "other"},
           "ext-action": {"type": "string"},
           "severity": {"enum": ["low","medium","high"]},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "default"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {"$ref": "#/definitions/Contact"}},
         "required": [],
         "additionalProperties": false},
       "System": {
         "type": "object",
         "properties": {
           "category": {
             "enum": ["source","target","intermediate","sensor",
               "infrastructure","ext-value"]},
           "ext-category": {"type": "string"},
           "interface": {"type": "string"},
           "spoofed": {"enum": ["unknown","yes","no"],"default": "unknown"},
           "virtual": {"enum": ["yes","no","unknown"],"default": "unknown"},
           "ownership": {
             "enum": ["organization","personal","partner","customer",
               "no-relationship","unknown","ext-value"]},
           "ext-ownership": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Node": {"$ref": "#/definitions/Node"},
           "NodeRole": {
             "type": "array",
             "items": {"$ref": "#/definitions/NodeRole"},
             "minItems": 1},
           "Service": {
             "type": "array",
             "items": {"$ref": "#/definitions/Service"},
             "minItems": 1},
           "OperatingSystem": {
             "type": "array",
             "items": {"$ref": "#/definitions/SoftwareType"},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "AssetID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["Node"],
         "additionalProperties": false},
       "Node": {
         "type": "object",
         "properties": {
           "DomainData": {
             "type": "array",
             "items": {"$ref": "#/definitions/DomainData"},
             "minItems": 1},
           "Address": {
             "type": "array",
             "items": {"$ref": "#/definitions/Address"},
             "minItems": 1},
           "PostalAddress": {"$ref": "#/definitions/PostalAddress"},
           "Location": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1}},
         "anyOf": [
           {"required": ["DomainData"]},
           {"required": ["Address"]}],
         "additionalProperties": false},
       "Address": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "category": {
             "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
               "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
               "ipv6-net-masked","mac","site-uri","ext-value"],
             "default": "ipv6-addr"},
           "ext-category": {"type": "string"},
           "vlan-name": {"type": "string"},
           "vlan-num": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value","category"],
         "additionalProperties": false},
       "NodeRole": {
         "type": "object",
         "properties": {
           "category": {
             "enum": ["client","client-enterprise","client-partner",
               "client-remote","client-kiosk","client-mobile",
               "server-internal","server-public","www","mail","webmail",
               "messaging","streaming","voice","file","ftp","p2p","name",
               "directory","credential","print","application","database",
               "backup","dhcp","assessment","source-control",
               "config-management","monitoring","infra","infra-firewall",
               "infra-router","infra-switch","camera","proxy",
               "remote-access","log","virtualization","pos","scada",
               "scada-supervisory","sinkhole","honeypot","anomyzation",
               "c2-server","malware-distribution","drop-server",
               "hop-point","reflector","phishing-site",
               "spear-phishing-site","recruiting-site","fraudulent-site",
               "ext-value"]},
           "ext-category": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["category"],
         "additionalProperties": false},
       "Counter": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "type": {"enum": ["count","peak","average","ext-value"]},
           "ext-type": {"type": "string"},
           "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
             "message","event","host","site","organization","ext-value"]},
           "ext-unit": {"type": "string"},
           "meaning": {"type": "string"},
           "duration": {"$ref": "#/definitions/duration","default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value","type","unit"],
         "additionalProperties": false},
       "DomainData": {
         "type": "object",
         "properties": {
           "system-status": {
             "enum": ["spoofed","fraudulent","innocent-hacked",
               "innocent-hijacked","unknown","ext-value"]},
           "ext-system-status": {"type": "string"},
           "domain-status": {
             "enum": ["reservedDelegation","assignedAndActive",
               "assignedAndInactive","assignedAndOnHold","revoked",
               "transferPending","registryLock","registrarLock",
               "other","unknown","ext-value"]},
           "ext-domain-status": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Name": {"type": "string"},
           "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
           "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
           "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
           "RelatedDNS": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "NameServers": {
             "type": "array",
             "items": {"$ref": "#/definitions/NameServers"},
             "minItems": 1},
           "DomainContacts": {"$ref": "#/definitions/DomainContacts"}},
         "required": ["Name","system-status","domain-status"],
         "additionalProperties": false},
       "NameServers": {
         "type": "object",
         "properties": {
           "Server": {"type": "string"},
           "Address": {
             "type": "array",
             "items": {"$ref": "#/definitions/Address"},
             "minItems": 1}},
         "required": ["Server","Address"],
         "additionalProperties": false},
       "DomainContacts": {
         "type": "object",
         "properties": {
           "SameDomainContact": {"type": "string"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1}},
         "oneOf": [
           {"required": ["SameDomainContact"]},
           {"required": ["Contact"]}],
         "additionalProperties": false},
       "Service": {
         "type": "object",
         "properties": {
           "ip-protocol": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ServiceName": {"$ref": "#/definitions/ServiceName"},
           "Port": {"type": "number"},
           "Portlist": {"$ref": "#/definitions/PortlistType"},
           "ProtoCode": {"type": "number"},
           "ProtoType": {"type": "number"},
           "ProtoField": {"type": "number"},
           "ApplicationHeaderField": {
             "$ref": "#/definitions/ExtensionTypeList"},
           "EmailData": {"$ref": "#/definitions/EmailData"},
           "Application": {"$ref": "#/definitions/SoftwareType"}},
         "required": [],
         "additionalProperties": false},
       "ServiceName": {
         "type": "object",
         "properties": {
           "IANAService": {"type": "string"},
           "URL": {
             "type": "array","items": {"$ref": "#/definitions/URLtype"}},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "EmailData": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "EmailTo": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "EmailFrom": {"type": "string"},
           "EmailSubject": {"type": "string"},
           "EmailX-Mailer": {"type": "string"},
           "EmailHeaderField": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "EmailHeaders": {"type": "string"},
           "EmailBody": {"type": "string"},
           "EmailMessage": {"type": "string"},
           "HashData": {
             "type": "array",
             "items": {"$ref": "#/definitions/HashData"},
             "minItems": 1},
           "Signature": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "RecordData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "RecordPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordPattern"},
             "minItems": 1},
           "RecordItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "FileData": {
             "type": "array",
             "items": {"$ref": "#/definitions/FileData"},
             "minItems": 1},
           "WindowsRegistryKeysModified": {
             "type": "array",
             "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"},
             "minItems": 1},
           "CertificateData": {
             "type": "array",
             "items": {"$ref": "#/definitions/CertificateData"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "RecordPattern": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "type": {"enum": ["regex","binary","xpath","ext-value"],
             "default": "regex"},
           "ext-type": {"type": "string"},
           "offset": {"type": "number"},
           "offsetunit": {"enum": ["line","byte","ext-value"],
             "default": "line"},
           "ext-offsetunit": {"type": "string"},
           "instance": {"type": "number"}},
         "required": ["value","type"],
         "additionalProperties": false},
       "WindowsRegistryKeysModified": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Key": {
             "type": "array",
             "items": {"$ref": "#/definitions/Key"},
             "minItems": 1}},
         "required": ["Key"],
         "additionalProperties": false},
       "Key": {
         "type": "object",
         "properties": {
           "registryaction": {"enum": ["add-key","add-value","delete-key",
             "delete-value","modify-key","modify-value",
             "ext-value"]},
           "ext-registryaction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "KeyName": {"type": "string"},
           "KeyValue": {"type": "string"}},
         "required": ["KeyName"],
         "additionalProperties": false},
       "CertificateData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Certificate": {
             "type": "array",
             "items": {"$ref": "#/definitions/Certificate"},
             "minItems": 1}},
         "required": ["Certificate"],
         "additionalProperties": false},
       "Certificate": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "X509Data": {"$ref": "#/definitions/BYTE"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["X509Data"],
         "additionalProperties": false},
       "FileData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "File": {
             "type": "array",
             "items": {"$ref": "#/definitions/File"},
             "minItems": 1}},
         "required": ["File"],
         "additionalProperties": false},
       "File": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "FileName": {"type": "string"},
           "FileSize": {"type": "number"},
           "FileType": {"type": "string"},
           "URL": {
             "type": "array",
             "items": {"$ref":
"#/definitions/URLtype"}, 3053 "minItems": 1}, 3054 "HashData": {"$ref": "#/definitions/HashData"}, 3055 "Signature": { 3056 "type": "array", 3057 "items": {"$ref": "#/definitions/BYTE"}, 3058 "minItems": 1}, 3059 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 3060 "FileProperties": { 3061 "type":"array", 3062 "items":{"$ref":"#/definitions/ExtensionType"}, 3063 "minItems": 1}}, 3064 "required": [], 3065 "additionalProperties": false}, 3066 "HashData": { 3067 "type": "object", 3068 "properties": { 3069 "scope": {"enum": ["file-contents","file-pe-section", 3070 "file-pe-iat","file-pe-resource","file-pdf-object", 3071 "email-hash","email-headers-hash","email-body-hash", 3072 "ext-value"]}, 3073 "HashTargetID": {"type": "string"}, 3074 "Hash": { 3075 "type": "array", 3076 "items": {"$ref": "#/definitions/Hash"}, 3077 "minItems": 1}, 3078 "FuzzyHash": { 3079 "type": "array", 3080 "items": {"$ref": "#/definitions/FuzzyHash"}, 3081 "minItems": 1}}, 3082 "required": ["scope"], 3083 "additionalProperties": false}, 3084 "Hash": { 3085 "type": "object", 3086 "properties": { 3087 "DigestMethod": {"$ref": "#/definitions/BYTE"}, 3088 "DigestValue": {"$ref": "#/definitions/BYTE"}, 3089 "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, 3090 "Application": {"$ref": "#/definitions/SoftwareType"}}, 3091 "required": ["DigestMethod","DigestValue"], 3092 "additionalProperties": false}, 3093 "FuzzyHash": { 3094 "type": "object", 3095 "properties": { 3096 "FuzzyHashValue": { 3097 "type": "array", 3098 "items": {"$ref": "#/definitions/ExtensionType"}, 3099 "minItems": 1}, 3100 "Application": {"$ref": "#/definitions/SoftwareType"}, 3101 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3102 "required": ["FuzzyHashValue"], 3103 "additionalProperties": false}, 3104 "Indicator": { 3105 "type": "object", 3106 "properties": { 3107 "restriction": {"$ref": "#/definitions/restriction", 3108 "default": "private"}, 3109 "ext-restriction": {"type": "string"}, 3110 
"IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 3111 "AlternativeIndicatorID": { 3112 "type": "array", 3113 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, 3114 "minItems": 1}, 3115 "Description": { 3116 "type": "array", 3117 "items": {"$ref": "#/definitions/MLStringType"}, 3118 "minItems": 1}, 3119 "StartTime": {"$ref": "#/definitions/DATETIME"}, 3120 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3121 "Confidence": {"$ref": "#/definitions/Confidence"}, 3122 "Contact": { 3123 "type": "array", 3124 "items": {"$ref": "#/definitions/Contact"}, 3125 "minItems": 1}, 3126 "Observable": {"$ref": "#/definitions/Observable"}, 3127 "uid-ref": {"$ref": "#/definitions/IDREFType"}, 3128 "IndicatorExpression":{ 3129 "$ref":"#/definitions/IndicatorExpression"}, 3130 "IndicatorReference":{ 3131 "$ref": "#/definitions/IndicatorReference"}, 3132 "NodeRole": { 3133 "type": "array", 3134 "items": {"$ref": "#/definitions/NodeRole"}, 3135 "minItems": 1}, 3136 "AttackPhase": { 3137 "type": "array", 3138 "items": {"$ref": "#/definitions/AttackPhase"}, 3139 "minItems": 1}, 3140 "Reference": { 3141 "type": "array", 3142 "items": {"$ref": "#/definitions/Reference"}, 3143 "minItems": 1}, 3144 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3145 "allOf": [ 3146 {"required": ["IndicatorID"]}, 3147 {"oneOf": [ 3148 {"required":["Observable"]}, 3149 {"required":["uid-ref"]}, 3150 {"required":["IndicatorExpression"]}, 3151 {"required":["IndicatorReference"]}]}], 3152 "additionalProperties": false}, 3153 "IndicatorID": { 3154 "type": "object", 3155 "properties": { 3156 "id": {"type": "string"}, 3157 "name": {"type": "string"}, 3158 "version": {"type": "string"}}, 3159 "required": ["id","name","version"], 3160 "additionalProperties": false}, 3161 "AlternativeIndicatorID": { 3162 "type": "object", 3163 "properties": { 3164 "restriction": {"$ref": "#/definitions/restriction", 3165 "default": "private"}, 3166 "ext-restriction": {"type": "string"}, 3167 "IndicatorID": { 
3168 "type": "array", 3169 "items": {"$ref": "#/definitions/IndicatorID"}, 3170 "minItems": 1}}, 3171 "required": ["IndicatorID"], 3172 "additionalProperties": false}, 3173 "Observable": { 3174 "type": "object", 3175 "properties": { 3176 "restriction": {"$ref": "#/definitions/restriction", 3177 "default": "private"}, 3178 "ext-restriction": {"type": "string"}, 3179 "System": {"$ref": "#/definitions/System"}, 3180 "Address": {"$ref": "#/definitions/Address"}, 3181 "DomainData": {"$ref": "#/definitions/DomainData"}, 3182 "EmailData": {"$ref": "#/definitions/EmailData"}, 3183 "Service": {"$ref": "#/definitions/Service"}, 3184 "WindowsRegistryKeysModified": { 3185 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 3186 "FileData": {"$ref": "#/definitions/FileData"}, 3187 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 3188 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 3189 "RecordData": {"$ref": "#/definitions/RecordData"}, 3190 "EventData": {"$ref": "#/definitions/EventData"}, 3191 "Incident": {"$ref": "#/definitions/Incident"}, 3192 "Expectation": {"$ref": "#/definitions/Expectation"}, 3193 "Reference": {"$ref": "#/definitions/Reference"}, 3194 "Assessment": {"$ref": "#/definitions/Assessment"}, 3195 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 3196 "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, 3197 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 3198 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3199 "oneOf": [ 3200 {"required":["System"]}, 3201 {"required":["Address"]}, 3202 {"required":["DomainData"]}, 3203 {"required":["EmailData"]}, 3204 {"required":["Service"]}, 3205 {"required":["WindowsRegistryKeysModified"]}, 3206 {"required":["FileData"]}, 3207 {"required":["CertificateData"]}, 3208 {"required":["RegistryHandle"]}, 3209 {"required":["RecordData"]}, 3210 {"required":["EventData"]}, 3211 {"required":["Incident"]}, 3212 {"required":["Expectation"]}, 3213 
{"required":["Reference"]}, 3214 {"required":["Assessment"]}, 3215 {"required":["DetectionPattern"]}, 3216 {"required":["HistoryItem"]}, 3217 {"required":["BulkObservable"]}, 3218 {"required":["AdditionalData"]}], 3219 "additionalProperties": false}, 3220 "BulkObservable": { 3221 "type": "object", 3222 "properties": { 3223 "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 3224 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", 3225 "mac","site-uri","domain-name","domain-to-ipv4", 3226 "domain-to-ipv6","domain-to-ipv4-timestamp", 3227 "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", 3228 "windows-reg-key","file-hash","email-x-mailer", 3229 "email-subject","http-user-agent","http-request-url", 3230 "mutex","file-path","user-name","ext-value"]}, 3231 "ext-type": {"type": "string"}, 3232 "BulkObservableFormat":{ 3233 "$ref": "#/definitions/BulkObservableFormat"}, 3234 "BulkObservableList": {"type": "string"}, 3235 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3236 "required": ["BulkObservableList"], 3237 "additionalProperties": false}, 3238 "BulkObservableFormat": { 3239 "type": "object", 3240 "properties": { 3241 "Hash": {"$ref": "#/definitions/Hash"}, 3242 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3243 "oneOf": [ 3244 {"required": ["Hash"]}, 3245 {"required": ["AdditionalData"]} 3246 ], 3247 "additionalProperties": false}, 3248 "IndicatorExpression": { 3249 "type": "object", 3250 "properties": { 3251 "operator": {"enum": ["not","and","or","xor"],"default": "and"}, 3252 "ext-operator": {"type": "string"}, 3253 "IndicatorExpression": { 3254 "type": "array", 3255 "items": {"$ref": "#/definitions/IndicatorExpression"}, 3256 "minItems": 1}, 3257 "Observable": { 3258 "type": "array", 3259 "items": {"$ref": "#/definitions/Observable"}, 3260 "minItems": 1}, 3261 "uid-ref": { 3262 "type": "array", 3263 "items": {"$ref": "#/definitions/IDREFType"}, 3264 "minItems": 1}, 3265 "IndicatorReference": { 3266 "type": "array", 
3267 "items": {"$ref": "#/definitions/IndicatorReference"}, 3268 "minItems": 1}, 3269 "Confidence": {"$ref":"#/definitions/Confidence"}, 3270 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3271 "required": [], 3272 "additionalProperties": false}, 3273 "IndicatorReference": { 3274 "type": "object", 3275 "properties": { 3276 "uid-ref": {"$ref":"#/definitions/IDREFType"}, 3277 "euid-ref": {"type": "string"}, 3278 "version": {"type": "string"}}, 3279 "oneOf": [ 3280 {"required": ["uid-ref"]}, 3281 {"required": ["euid-ref"]} 3282 ], 3283 "additionalProperties": false}, 3284 "AttackPhase": { 3285 "type": "object", 3286 "properties": { 3287 "AttackPhaseID": { 3288 "type": "array", 3289 "items": {"type": "string"}, 3290 "minItems": 1}, 3291 "URL": { 3292 "type": "array", 3293 "items": {"$ref": "#/definitions/URLtype"}, 3294 "minItems": 1}, 3295 "Description": { 3296 "type": "array", 3297 "items": {"$ref": "#/definitions/MLStringType"}, 3298 "minItems": 1}, 3299 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3300 "required": [], 3301 "additionalProperties": false}}, 3302 "title": "IODEF-Document", 3303 "description": "JSON schema for IODEF-Document class", 3304 "type": "object", 3305 "properties": { 3306 "version": {"type": "string"}, 3307 "lang": {"$ref": "#/definitions/lang"}, 3308 "format-id": {"type": "string"}, 3309 "private-enum-name": {"type": "string"}, 3310 "private-enum-id": {"type": "string"}, 3311 "Incident": { 3312 "type": "array", 3313 "items": {"$ref": "#/definitions/Incident"}, 3314 "minItems": 1}, 3315 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3316 "required": ["version","Incident"], 3317 "additionalProperties": false} 3319 Figure 10: JSON schema 3321 Authors' Addresses 3323 Takeshi Takahashi 3324 National Institute of Information and Communications Technology 3325 4-2-1 Nukui-Kitamachi 3326 Koganei, Tokyo 184-8795 3327 Japan 3329 Phone: +81 42 327 5862 3330 Email: takeshi_takahashi@nict.go.jp 3331 Roman 
Danyliw 3332 CERT, Software Engineering Institute, Carnegie Mellon University 3333 4500 Fifth Avenue 3334 Pittsburgh, PA 3335 USA 3337 Email: rdd@cert.org 3339 Mio Suzuki 3340 National Institute of Information and Communications Technology 3341 4-2-1 Nukui-Kitamachi 3342 Koganei, Tokyo 184-8795 3343 Japan 3345 Email: mio@nict.go.jp
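The schema in Figure 10 leans on three keywords a consumer of IODEF JSON must enforce before trusting an incoming document: "additionalProperties": false (unknown members are rejected rather than silently ignored), "enum" with an "ext-value" escape hatch, and "oneOf" over "required" lists, which means exactly one of the alternative members may be present. The following validator is an added example written for this page; it is not code from the draft or from any IODEF implementation. It implements only the JSON Schema keyword subset that Figure 10 uses ($ref to local definitions, type, enum, required, properties, additionalProperties, minItems, items, allOf, oneOf), so it runs without the jsonschema package. The embedded schema is a constructed excerpt: IndicatorReference and RecordPattern are copied from Figure 10, while IDREFType is assumed here to be a plain string (its real definition is elsewhere in the draft). The sample instances are constructed as well.

```python
import json

# Constructed excerpt of Figure 10. IndicatorReference and RecordPattern
# are copied from the draft; IDREFType is ASSUMED here to be a plain
# string (its real definition is elsewhere in the draft).
SCHEMA = json.loads(r'''
{
 "definitions": {
  "IDREFType": {"type": "string"},
  "IndicatorReference": {
   "type": "object",
   "properties": {
    "uid-ref": {"$ref": "#/definitions/IDREFType"},
    "euid-ref": {"type": "string"},
    "version": {"type": "string"}},
   "oneOf": [
    {"required": ["uid-ref"]},
    {"required": ["euid-ref"]}],
   "additionalProperties": false},
  "RecordPattern": {
   "type": "object",
   "properties": {
    "value": {"type": "string"},
    "type": {"enum": ["regex","binary","xpath","ext-value"],
             "default": "regex"},
    "ext-type": {"type": "string"},
    "offset": {"type": "number"},
    "offsetunit": {"enum": ["line","byte","ext-value"],
                   "default": "line"},
    "ext-offsetunit": {"type": "string"},
    "instance": {"type": "number"}},
   "required": ["value","type"],
   "additionalProperties": false}
 }
}
''')

# Python types accepted for each JSON Schema "type" that Figure 10 uses.
TYPES = {"object": dict, "array": list, "string": str, "number": (int, float)}


def resolve(ref, root):
    """Follow a local "#/definitions/Name" reference inside the schema."""
    node = root
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def errors(instance, schema, root, path="$"):
    """Return a list of violation messages; an empty list means valid."""
    if "$ref" in schema:
        return errors(instance, resolve(schema["$ref"], root), root, path)
    errs = []
    t = schema.get("type")
    if t and not isinstance(instance, TYPES[t]):
        errs.append(f"{path}: expected {t}, got {type(instance).__name__}")
    if "enum" in schema and instance not in schema["enum"]:
        errs.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errs.append(f"{path}: missing required member {key!r}")
        props = schema.get("properties", {})
        for key, val in instance.items():
            if key in props:
                errs.extend(errors(val, props[key], root, f"{path}.{key}"))
            elif schema.get("additionalProperties") is False:
                # Closed object: a member the schema does not name is an error.
                errs.append(f"{path}: unexpected member {key!r}")
    if isinstance(instance, list):
        if len(instance) < schema.get("minItems", 0):
            errs.append(f"{path}: fewer than {schema['minItems']} items")
        for i, val in enumerate(instance):
            errs.extend(errors(val, schema.get("items", {}), root, f"{path}[{i}]"))
    for sub in schema.get("allOf", []):
        errs.extend(errors(instance, sub, root, path))
    if "oneOf" in schema:
        # Exactly one alternative must validate: zero or several is an error.
        matched = sum(1 for sub in schema["oneOf"] if not errors(instance, sub, root, path))
        if matched != 1:
            errs.append(f"{path}: {matched} oneOf alternatives matched, expected exactly 1")
    return errs


def validate(instance, definition, schema=SCHEMA):
    """Validate instance against "#/definitions/<definition>" of schema."""
    return errors(instance, {"$ref": f"#/definitions/{definition}"}, schema)


# Constructed sample instances.
GOOD_REF = {"uid-ref": "ind-12", "version": "1"}
AMBIGUOUS_REF = {"uid-ref": "ind-12", "euid-ref": "peer:ind-12"}  # both forms
GOOD_PATTERN = {"value": "^GET /login", "type": "regex", "offsetunit": "line"}
BAD_PATTERN = {"value": "x", "type": "xml", "offset": "3", "note": "?"}

if __name__ == "__main__":
    for name, inst, defn in [("good ref", GOOD_REF, "IndicatorReference"),
                             ("ambiguous ref", AMBIGUOUS_REF, "IndicatorReference"),
                             ("good pattern", GOOD_PATTERN, "RecordPattern"),
                             ("bad pattern", BAD_PATTERN, "RecordPattern")]:
        print(name, validate(inst, defn) or "valid")
```

The ambiguous reference carries both uid-ref and euid-ref; both "required" alternatives match, so the oneOf check fails even though every member is individually well typed. The bad RecordPattern collects three independent errors (an enum value outside the list, a string where a number is required, and a member the closed object does not allow), which is the behaviour a receiving CSIRT wants: report everything wrong with a document in one pass rather than stopping at the first defect. Note that "default" values in the schema are informative only; this validator, like the keyword semantics, does not fill them in.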