MILE                                                       T. Takahashi
Internet-Draft                                                     NICT
Intended status: Standards Track                             R. Danyliw
Expires: September 2, 2020                                         CERT
                                                              M. Suzuki
                                                                   NICT
                                                          March 1, 2020


                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-14

Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   JSON and its encoding in CBOR.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 2, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Integer
       2.2.2.  Multilingual Strings
       2.2.3.  Enum
       2.2.4.  Software and Software Reference
       2.2.5.  Structured Information
       2.2.6.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  Mapkeys
   6.  The IODEF Data Model (CDDL)
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgments
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Data Types used in this document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Authors' Addresses

1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
   Section 8.  This UML-based information model and XML-based data model
   are referred to as IODEF UML and IODEF XML, respectively, in this
   document.

   IODEF documents are structured and thus suitable for machine
   processing.  They will streamline incident response operations.
   Another well-used and structured format that is suitable for machine
   processing is JavaScript Object Notation (JSON) [RFC8259].  To
   facilitate the automation of incident response operations, IODEF
   documents and implementations should support JSON representation and
   its encoding in Concise Binary Object Representation (CBOR) [RFC7049].

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using Concise Data Definition Language (CDDL) [RFC8610]
   and JSON Schema [I-D.handrews-json-schema-validation].  This JSON
   data model is referred to as IODEF JSON in this document.  IODEF JSON
   provides all of the expressivity of IODEF XML.  It gives implementers
   and operators an alternative format to exchange the same information.

   The normative IODEF JSON data model is found in Section 6.  Section 2
   and Section 3 describe the data types and elements of this data
   model.
   Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.
   Figure 2 gives the corresponding CBOR data types and CDDL prelude
   types.

   +-----------------+-------------------+-------------------------------+
   | IODEF Data Type | [RFC7970]         | JSON Data Type                |
   |                 | Reference         |                               |
   +-----------------+-------------------+-------------------------------+
   | INTEGER         | Section 2.1       | integer, see Section 2.2.1    |
   | REAL            | Section 2.2       | "number" per [RFC8259]        |
   | CHARACTER       | Section 2.3       | "string" per [RFC8259]        |
   | STRING          | Section 2.3       | "string" per [RFC8259]        |
   | ML_STRING       | Section 2.4       | see Section 2.2.2             |
   | BYTE            | Section 2.5.1     | "string" per [RFC8259]        |
   | BYTE[]          | Section 2.5.1     | "string" per [RFC8259]        |
   | HEXBIN          | Section 2.5.2     | "string" per [RFC8259]        |
   | HEXBIN[]        | Section 2.5.2     | "string" per [RFC8259]        |
   | ENUM            | Section 2.6       | see Section 2.2.3             |
   | DATETIME        | Section 2.7       | "string" per [RFC8259]        |
   | TIMEZONE        | Section 2.8       | "string" per [RFC8259]        |
   | PORTLIST        | Section 2.9       | "string" per [RFC8259]        |
   | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
   | PHONE           | Section 2.11      | "string" per [RFC8259]        |
   | EMAIL           | Section 2.12      | "string" per [RFC8259]        |
   | URL             | Section 2.13      | "string" per [RFC8259]        |
   | ID              | Section 2.14      | "string" per [RFC8259]        |
   | IDREF           | Section 2.14      | "string" per [RFC8259]        |
   | SOFTWARE        | Section 2.15      | see Section 2.2.4             |
   | STRUCTUREDINFO  | [RFC 7203]        | see Section 2.2.5             |
   | EXTENSION       | Section 2.16      | see Section 2.2.6             |
   +-----------------+-------------------+-------------------------------+

                         Figure 1: JSON Data Types

   +-----------------+------------------+---------------------------------+
   | IODEF Data Type | CBOR Data Type   | CDDL prelude                    |
   |                 |                  | [RFC8610]                       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 6 tag 23         | eb16                            |
   | HEXBIN[]        | 6 tag 23         | eb16                            |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   | SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
   | STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
   | EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
   +-----------------+------------------+---------------------------------+

                         Figure 2: CBOR Data Types

2.2.  Complex JSON Types

2.2.1.  Integer

   An integer is a subset of the "number" type of JSON, which represents
   signed digits encoded in base 10.  This integer is defined as
   "[ minus ] int" in the manner of [RFC8259] Section 6.

2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a text string, as defined in Section 6.
   An example is shown below.

   "MLStringType": {
     "value": "free-form text",          # STRING
     "lang": "en",                       # ENUM
     "translation-id": "jp2en0023"       # STRING
   }

   Note that in figures throughout this document, supplementary
   information follows "#".  This is not valid JSON syntax; it is
   intended only to aid the reader's understanding.

2.2.3.  Enum

   Enum is an ordered list of acceptable string values.  Each value has
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 6.  An example is shown below.

   "SoftwareType": {
     "SoftwareReference": {...},         # SoftwareReference
     "Description": ["MS Windows"]       # STRING
   }

   The SoftwareReference class is a reference to a particular version of
   software.  An example is shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",   # STRING
     "spec-name": "cpe",                                # ENUM
     "dtype": "string"                                  # ENUM
   }

2.2.5.  Structured Information

   Information provided in the form of a structured string, such as an
   ID, or of structured information, such as an XML document, is
   represented in the information model by the STRUCTUREDINFO data type.
   Note that this type was originally specified in Section 4.4 of
   [RFC7203] as the basic structure of its extension classes.  The
   STRUCTUREDINFO data type is implemented as an object with "SpecID",
   "ext-SpecID", "ContentID", "RawData", and "Reference" elements.  An
   example embedding a structured ID is shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",   # ENUM
     "ContentID": "CWE-89"                              # STRING
   }

   When embedding raw data, it should be encoded as a BYTE type object,
   as shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM
     "RawData": "<<< encoded structured data >>>"       # BYTE
   }

   When embedding raw data, the base64 encoding defined in Section 4 of
   [RFC4648] MUST be used for JSON IODEF, while the binary
   representation MUST be used for CBOR IODEF.

2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                # STRING
     "name": "Syslog",                                  # STRING
     "dtype": "string",                                 # ENUM
     "meaning": "Syslog from the security appliance X"  # STRING
   }

   Note that this data type is specified in [RFC7970] as its generic
   extension mechanism.  If a data item has internal structure that is
   intended to be processed outside of the IODEF framework, one may
   consider using the StructuredInfo data type described in
   Section 2.2.5.

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table shows the list of IODEF classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 6 using CDDL.
   +-----------------------------+--------------------------------+---------------+
   | IODEF Class                 | Class Elements and             | Corresponding |
   |                             | Attributes                     | Section       |
   |                             |                                | in [RFC7970]  |
   +-----------------------------+--------------------------------+---------------+
   | IODEF-Document              | version, lang?, format-id?,    | 3.1           |
   |                             | private-enum-name?,            |               |
   |                             | private-enum-id?, Incident+,   |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Incident                    | purpose, ext-purpose?,         | 3.2           |
   |                             | status?, ext-status?, lang?,   |               |
   |                             | restriction?,                  |               |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?, IncidentID,    |               |
   |                             | AlternativeID?,                |               |
   |                             | RelatedActivity*,              |               |
   |                             | DetectTime?, StartTime?,       |               |
   |                             | EndTime?, RecoveryTime?,       |               |
   |                             | ReportTime?, GenerationTime,   |               |
   |                             | Description*, Discovery*,      |               |
   |                             | Assessment*, Method*,          |               |
   |                             | Contact+, EventData*,          |               |
   |                             | Indicator*, History?,          |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | IncidentID                  | id, name, instance?,           | 3.4           |
   |                             | restriction?,                  |               |
   |                             | ext-restriction?               |               |
   +-----------------------------+--------------------------------+---------------+
   | AlternativeID               | restriction?,                  | 3.5           |
   |                             | ext-restriction?,              |               |
   |                             | IncidentID+                    |               |
   +-----------------------------+--------------------------------+---------------+
   | RelatedActivity             | restriction?,                  | 3.6           |
   |                             | ext-restriction?,              |               |
   |                             | IncidentID*, URL*,             |               |
   |                             | ThreatActor*, Campaign*,       |               |
   |                             | IndicatorID*, Confidence?,     |               |
   |                             | Description*,                  |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | ThreatActor                 | restriction?,                  | 3.7           |
   |                             | ext-restriction?,              |               |
   |                             | ThreatActorID*, URL*,          |               |
   |                             | Description*,                  |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Campaign                    | restriction?,                  | 3.8           |
   |                             | ext-restriction?,              |               |
   |                             | CampaignID*, URL*,             |               |
   |                             | Description*,                  |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Contact                     | role, ext-role?, type,         | 3.9           |
   |                             | ext-type?, restriction?,       |               |
   |                             | ext-restriction?,              |               |
   |                             | ContactName*, ContactTitle*,   |               |
   |                             | Description*,                  |               |
   |                             | RegistryHandle*,               |               |
   |                             | PostalAddress*, Email*,        |               |
   |                             | Telephone*, Timezone?,         |               |
   |                             | Contact*, AdditionalData*      |               |
   +-----------------------------+--------------------------------+---------------+
   | RegistryHandle              | handle, registry,              | 3.9.1         |
   |                             | ext-registry?                  |               |
   +-----------------------------+--------------------------------+---------------+
   | PostalAddress               | type?, ext-type?, PAddress,    | 3.9.2         |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Email                       | type?, ext-type?, EmailTo,     | 3.9.3         |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Telephone                   | type?, ext-type?,              | 3.9.4         |
   |                             | TelephoneNumber,               |               |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Discovery                   | source?, ext-source?,          | 3.10          |
   |                             | restriction?,                  |               |
   |                             | ext-restriction?,              |               |
   |                             | Description*, Contact*,        |               |
   |                             | DetectionPattern*              |               |
   +-----------------------------+--------------------------------+---------------+
   | DetectionPattern            | restriction?,                  | 3.10.1        |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?, Application,   |               |
   |                             | Description*,                  |               |
   |                             | DetectionConfiguration*        |               |
   +-----------------------------+--------------------------------+---------------+
   | Method                      | restriction?,                  | 3.11          |
   |                             | ext-restriction?,              |               |
   |                             | Reference*, Description*,      |               |
   |                             | AttackPattern*,                |               |
   |                             | Vulnerability*, Weakness*,     |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Weakness (TBD)              | restriction?,                  |               |
   |                             | ext-restriction?               |               |
   +-----------------------------+--------------------------------+---------------+
   | Reference                   | observable-id?,                | 3.11.1        |
   |                             | ReferenceName?, URL*,          |               |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Assessment                  | occurence?, restriction?,      | 3.12          |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?,                |               |
   |                             | IncidentCategory*,             |               |
   |                             | SystemImpact*,                 |               |
   |                             | BusinessImpact*, TimeImpact*,  |               |
   |                             | MonetaryImpact*,               |               |
   |                             | IntendedImpact*, Counter*,     |               |
   |                             | MitigatingFactor*, Cause*,     |               |
   |                             | Confidence?, AdditionalData*   |               |
   +-----------------------------+--------------------------------+---------------+
   | SystemImpact                | severity?, completion?,        | 3.12.1        |
   |                             | type, ext-type?,               |               |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | BusinessImpact              | severity?, ext-severity?,      | 3.12.2        |
   |                             | type, ext-type?,               |               |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | TimeImpact                  | value, severity?, metric,      | 3.12.3        |
   |                             | ext-metric?, duration?,        |               |
   |                             | ext-duration?                  |               |
   +-----------------------------+--------------------------------+---------------+
   | MonetaryImpact              | value, severity?, currency?    | 3.12.4        |
   +-----------------------------+--------------------------------+---------------+
   | Confidence                  | value, rating, ext-rating?     | 3.12.5        |
   +-----------------------------+--------------------------------+---------------+
   | History                     | restriction?,                  | 3.13          |
   |                             | ext-restriction?,              |               |
   |                             | HistoryItem+                   |               |
   +-----------------------------+--------------------------------+---------------+
   | HistoryItem                 | action, ext-action?,           | 3.13.1        |
   |                             | restriction?,                  |               |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?, DateTime,      |               |
   |                             | IncidentID?, Contact?,         |               |
   |                             | Description*, DefinedCOA*,     |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | EventData                   | restriction?,                  | 3.14          |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?,                |               |
   |                             | Description*, DetectTime?,     |               |
   |                             | StartTime?, EndTime?,          |               |
   |                             | RecoveryTime?, ReportTime?,    |               |
   |                             | Contact*, Discovery*,          |               |
   |                             | Assessment?, Method*,          |               |
   |                             | System*, Expectation*,         |               |
   |                             | RecordData*, EventData*,       |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Expectation                 | action?, ext-action?,          | 3.15          |
   |                             | severity?, restriction?,       |               |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?,                |               |
   |                             | Description*, DefinedCOA*,     |               |
   |                             | StartTime?, EndTime?,          |               |
   |                             | Contact?                       |               |
   +-----------------------------+--------------------------------+---------------+
   | System                      | category?, ext-category?,      | 3.17          |
   |                             | interface?, spoofed?,          |               |
   |                             | virtual?, ownership?,          |               |
   |                             | ext-ownership?,                |               |
   |                             | restriction?,                  |               |
   |                             | ext-restriction?, Node,        |               |
   |                             | NodeRole*, Service*,           |               |
   |                             | OperatingSystem*, Counter*,    |               |
   |                             | AssetID*, Description*,        |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Node                        | DomainData*, Address*,         | 3.18          |
   |                             | PostalAddress?, Location*,     |               |
   |                             | Counter*                       |               |
   +-----------------------------+--------------------------------+---------------+
   | Address                     | value, category,               | 3.18.1        |
   |                             | ext-category?, vlan-name?,     |               |
   |                             | vlan-num?, observable-id?      |               |
   +-----------------------------+--------------------------------+---------------+
   | NodeRole                    | category, ext-category?,       | 3.18.2        |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Counter                     | value, type, ext-type?,        | 3.18.3        |
   |                             | unit, ext-unit?, meaning?,     |               |
   |                             | duration?, ext-duration?       |               |
   +-----------------------------+--------------------------------+---------------+
   | DomainData                  | system-status,                 | 3.19          |
   |                             | ext-system-status?,            |               |
   |                             | domain-status,                 |               |
   |                             | ext-domain-status?,            |               |
   |                             | observable-id?, Name,          |               |
   |                             | DateDomainWasChecked?,         |               |
   |                             | RegistrationDate?,             |               |
   |                             | ExpirationDate?,               |               |
   |                             | RelatedDNS*, Nameservers*,     |               |
   |                             | DomainContacts?                |               |
   +-----------------------------+--------------------------------+---------------+
   | Nameserver                  | Server, Address*               | 3.19.1        |
   +-----------------------------+--------------------------------+---------------+
   | DomainContacts              | SameDomainContact?,            | 3.19.2        |
   |                             | Contact+                       |               |
   +-----------------------------+--------------------------------+---------------+
   | Service                     | ip-protocol?,                  | 3.20          |
   |                             | observable-id?,                |               |
   |                             | ServiceName?, Port?,           |               |
   |                             | Portlist?, ProtoCode?,         |               |
   |                             | ProtoType?, ProtoField?,       |               |
   |                             | ApplicationHeaderField*,       |               |
   |                             | EmailData?, Application?       |               |
   +-----------------------------+--------------------------------+---------------+
   | ServiceName                 | IANAService?, URL*,            | 3.20.1        |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | EmailData                   | observable-id?, EmailTo*,      | 3.21          |
   |                             | EmailFrom?, EmailSubject?,     |               |
   |                             | EmailX-Mailer?,                |               |
   |                             | EmailHeaderField*,             |               |
   |                             | EmailHeaders?, EmailBody?,     |               |
   |                             | EmailMessage?, HashData*,      |               |
   |                             | Signature*                     |               |
   +-----------------------------+--------------------------------+---------------+
   | RecordData                  | restriction?,                  | 3.22.1        |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?, DateTime?,     |               |
   |                             | Description*, Application?,    |               |
   |                             | RecordPattern*, RecordItem*,   |               |
   |                             | URL*, FileData*,               |               |
   |                             | WindowsRegistryKeysModified*,  |               |
   |                             | CertificateData*,              |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | RecordPattern               | type, ext-type?, offset?,      | 3.22.2        |
   |                             | offsetunit?,                   |               |
   |                             | ext-offsetunit?, instance?,    |               |
   |                             | value                          |               |
   +-----------------------------+--------------------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?, Key+           | 3.23          |
   +-----------------------------+--------------------------------+---------------+
   | Key                         | registryaction?,               | 3.23.1        |
   |                             | ext-registryaction?,           |               |
   |                             | observable-id?, KeyName,       |               |
   |                             | KeyValue?                      |               |
   +-----------------------------+--------------------------------+---------------+
   | CertificateData             | restriction?,                  | 3.24          |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?,                |               |
   |                             | Certificate+                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Certificate                 | observable-id?, X509Data,      | 3.24.1        |
   |                             | Description*                   |               |
   +-----------------------------+--------------------------------+---------------+
   | FileData                    | restriction?,                  | 3.25          |
   |                             | ext-restriction?,              |               |
   |                             | observable-id?, File+          |               |
   +-----------------------------+--------------------------------+---------------+
   | File                        | observable-id?, FileName?,     | 3.25.1        |
   |                             | FileSize?, FileType?, URL*,    |               |
   |                             | HashData?, Signature*,         |               |
   |                             | AssociatedSoftware?,           |               |
   |                             | FileProperties*                |               |
   +-----------------------------+--------------------------------+---------------+
   | HashData                    | scope, HashTargetID?, Hash*,   | 3.26          |
   |                             | FuzzyHash*                     |               |
   +-----------------------------+--------------------------------+---------------+
   | Hash                        | DigestMethod, DigestValue,     | 3.26.1        |
   |                             | CanonicalizationMethod?,       |               |
   |                             | Application?                   |               |
   +-----------------------------+--------------------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+, Application?, | 3.26.2        |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | Indicator                   | restriction?,                  | 3.29          |
   |                             | ext-restriction?,              |               |
   |                             | IndicatorID,                   |               |
   |                             | AlternativeIndicatorID*,       |               |
   |                             | Description*, StartTime?,      |               |
   |                             | EndTime?, Confidence?,         |               |
   |                             | Contact*, Observable?,         |               |
   |                             | uid-ref?,                      |               |
   |                             | IndicatorExpression?,          |               |
   |                             | IndicatorReference?,           |               |
   |                             | NodeRole*, AttackPhase*,       |               |
   |                             | Reference*, AdditionalData*    |               |
   +-----------------------------+--------------------------------+---------------+
   | IndicatorID                 | id, name, version              | 3.29.1        |
   +-----------------------------+--------------------------------+---------------+
   | AlternativeIndicatorID      | restriction?,                  | 3.29.2        |
   |                             | ext-restriction?,              |               |
   |                             | IndicatorID+                   |               |
   +-----------------------------+--------------------------------+---------------+
   | Observable                  | restriction?,                  | 3.29.3        |
   |                             | ext-restriction?,              |               |
   |                             | System?, Address?,             |               |
   |                             | DomainData?, Service?,         |               |
   |                             | EmailData?,                    |               |
   |                             | WindowsRegistryKeysModified?,  |               |
   |                             | FileData?, CertificateData?,   |               |
   |                             | RegistryHandle?, RecordData?,  |               |
   |                             | EventData?, Incident?,         |               |
   |                             | Expectation?, Reference?,      |               |
   |                             | Assessment?,                   |               |
   |                             | DetectionPattern?,             |               |
   |                             | HistoryItem?, BulkObservable?, |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | BulkObservable              | type?, ext-type?,              | 3.29.4        |
   |                             | BulkObservableFormat?,         |               |
   |                             | BulkObservableList,            |               |
   |                             | AdditionalData*                |               |
   +-----------------------------+--------------------------------+---------------+
   | BulkObservableFormat        | Hash?, A

dditionalData*        | 3.29.5        |
   +-----------------------------+--------------------------------+---------------+
   | IndicatorExpression         | operator?, ext-operator?,      | 3.29.6        |
   |                             | IndicatorExpression*,          |               |
   |                             | Observable*, uid-ref*,         |               |
   |                             | IndicatorReference*,           |               |
   |                             | Confidence?, AdditionalData*   |               |
   +-----------------------------+--------------------------------+---------------+
   | IndicatorReference          | uid-ref?, euid-ref?, version?  | 3.29.7        |
   +-----------------------------+--------------------------------+---------------+
   | AttackPhase                 | AttackPhaseID*, URL*,          | 3.29.8        |
   |                             | Description*, AdditionalData*  |               |
   +-----------------------------+--------------------------------+---------------+

                          Figure 3: IODEF Classes

3.2.  Mapping between JSON and XML IODEF

   o  Attributes and elements of each class in an XML IODEF document are
      both presented as JSON attributes in the JSON IODEF document, and
      the order of their appearance is ignored.

   o  The Flow class is deleted, and classes with its instances now
      directly have the instances of the EventData class that used to
      belong to the Flow class.

   o  The ApplicationHeader class is deleted, and classes with its
      instances now directly have the instances of the
      ApplicationHeaderField class that used to belong to the
      ApplicationHeader class.

   o  The SignatureData class is deleted, and classes with its instances
      now directly have the instances of the Signature class that used
      to belong to the SignatureData class.

   o  The IndicatorData class is deleted, and classes with its instances
      now directly have the instances of the Indicator class that used
      to belong to the IndicatorData class.

   o  The ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  The Record class is deleted, and classes with its instances now
      directly have the instances of the RecordData class that used to
      belong to the Record class.

   o  The MLStringType was modified to support a simple string by
      allowing the type to take not only the predefined object type but
      also the text type, in order to allow simple descriptions of
      elements of the type.  Implementations need to be capable of
      parsing MLStringType that can take the form of either text or an
      object.

   o  The elements of ML_STRING type in an XML IODEF document are
      presented as either STRING type or ML_STRING type in a JSON IODEF
      document.  When converting from an XML IODEF document to a JSON
      one or vice versa, the information contained in the original data
      of ML_STRING type must be preserved.  When STRING is used instead
      of ML_STRING, parsers can assume that its "xml:lang" is set to
      "en".
824 o Data models of the extension classes defined by [RFC7203] and 825 referenced by [RFC7970] are represented by StructuredInfo class 826 defined in this document. 828 o Signature, X509Data, and RawData are encoded using base64 encoding 829 for JSON IODEF and binary representation for CBOR IODEF to 830 represent them as BYTE object. 832 o EmailBody represents an whole message body including MIME 833 structure in the same manner defined in [RFC7970]. In case of an 834 email composed of MIME multipart, the EmailBody contains multiple 835 body parts separated by boundary strings. 837 o The "ipv6-net-mask" type attribute of BulkObservable class remains 838 available for the backward compatibility purpose, but the use of 839 this attribute is not recommended because IPV6 does not use 840 netmask any more. 842 o ENUM values in this document is extensible and is managed by IANA, 843 as with [RFC7970]. The values in the table are used both by 844 [RFC7970] implementations and by their JSON (and CBOR) bindings as 845 specified by this document. 847 o This document uses JSON's "number" type to represent integers that 848 only has full precision for integer values between -2**53 and 849 2**53. When dealing with integers outside the range, this issue 850 needs to be considered. 852 o Binaries are encoded in bytes. Note that XML IODEF in [RFC7970] 853 uses HEXBIN due to the incapability of XML for embedding binaries 854 as they are. 856 4. Examples 858 This section provides examples of IODEF documents. These examples do 859 not represent the full capabilities of the data model or the only way 860 to encode particular information. 862 4.1. Minimal Example 864 A document containing only the mandatory elements and attributes is 865 shown below in JSON and CBOR, respectively. 
   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "reporting",
       "restriction": "private",
       "IncidentID": {
         "id": "492382",
         "name": "csirt.example.com"
       },
       "GenerationTime": "2015-07-18T09:00:00-05:00",
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "Email": [{"EmailTo": "contact@csirt.example.com"}]
       }]
     }]
   }

                    Figure 4: A Minimal Example in JSON

   A3                                        # map(3)
      37                                     # negative(23)
      63                                     # text(3)
         322E30                              # "2.0"
      36                                     # negative(22)
      62                                     # text(2)
         656E                                # "en"
      32                                     # negative(18)
      81                                     # array(1)
         A5                                  # map(5)
            21                               # negative(1)
            69                               # text(9)
               7265706F7274696E67            # "reporting"
            29                               # negative(9)
            67                               # text(7)
               70726976617465                # "private"
            02                               # unsigned(2)
            A2                               # map(2)
               12                            # unsigned(18)
               66                            # text(6)
                  343932333832               # "492382"
               2E                            # negative(14)
               71                            # text(17)
                  63736972742E6578616D706C652E636F6D
                                             # "csirt.example.com"
            0A                               # unsigned(10)
            78 19                            # text(25)
               323031352D30372D31385430393A30303A30302D30353A3030
                                             # "2015-07-18T09:00:00-05:00"
            0E                               # unsigned(14)
            81                               # array(1)
               A3                            # map(3)
                  18 1C                      # unsigned(28)
                  6C                         # text(12)
                     6F7267616E697A6174696F6E
                                             # "organization"
                  18 1A                      # unsigned(26)
                  67                         # text(7)
                     63726561746F72          # "creator"
                  18 22                      # unsigned(34)
                  81                         # array(1)
                     A1                      # map(1)
                        18 29                # unsigned(41)
                        78 19                # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                             # "contact@csirt.example.com"

                    Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "domain-name",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

               Figure 6: Indicators from a Campaign in JSON

   A3                                        # map(3)
      37                                     # negative(23)
      63                                     # text(3)
         322E30                              # "2.0"
      36                                     # negative(22)
      62                                     # text(2)
         656E                                # "en"
      32                                     # negative(18)
      81                                     # array(1)
         A9                                  # map(9)
            21                               # negative(1)
            65                               # text(5)
               7761746368                    # "watch"
            29                               # negative(9)
            65                               # text(5)
               677265656E                    # "green"
            02                               # unsigned(2)
            A2                               # map(2)
               12                            # unsigned(18)
               66                            # text(6)
                  383937393233               # "897923"
               2E                            # negative(14)
               71                            # text(17)
                  63736972742E6578616D706C652E636F6D
                                             # "csirt.example.com"
            04                               # unsigned(4)
            81                               # array(1)
               A2                            # map(2)
                  14                         # unsigned(20)
                  81                         # array(1)
                     A2                      # map(2)
                        18 18                # unsigned(24)
                        81                   # array(1)
                           78 1A             # text(26)
                              54412D31322D414747524553534956452D425554544552464C59
                                             # "TA-12-AGGRESSIVE-BUTTERFLY"
                        24                   # negative(4)
                        81                   # array(1)
                           74                # text(20)
                              4167677265737369766520427574746572666C79
                                             # "Aggressive Butterfly"
                  15                         # unsigned(21)
                  81                         # array(1)
                     A2                      # map(2)
                        18 19                # unsigned(25)
                        81                   # array(1)
                           6C                # text(12)
                              432D323031352D3539343035
                                             # "C-2015-59405"
                        24                   # negative(4)
                        81                   # array(1)
                           6E                # text(14)
                              4F72616E67652047697261666665
                                             # "Orange Giraffe"
            0A                               # unsigned(10)
            78 19                            # text(25)
               323031352D31302D30325431313A31383A30302D30353A3030
                                             # "2015-10-02T11:18:00-05:00"
            24                               # negative(4)
            81                               # array(1)
               78 6F                         # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
                                             # "Summarizes the Indicators of
                                             #  Compromise for the Orange Giraffe
                                             #  campaign of the Aggressive
                                             #  Butterfly crime gang."
            0C                               # unsigned(12)
            81                               # array(1)
               A1                            # map(1)
                  18 3F                      # unsigned(63)
                  81                         # array(1)
                     A1                      # map(1)
                        18 41                # unsigned(65)
                        A1                   # map(1)
                           18 1C             # unsigned(28)
                           72                # text(18)
                              6272656163682D70726F7072696574617279
                                             # "breach-proprietary"
            0E                               # unsigned(14)
            81                               # array(1)
               A4                            # map(4)
                  18 1C                      # unsigned(28)
                  6C                         # text(12)
                     6F7267616E697A6174696F6E
                                             # "organization"
                  18 1A                      # unsigned(26)
                  67                         # text(7)
                     63726561746F72          # "creator"
                  18 1E                      # unsigned(30)
                  81                         # array(1)
                     75                      # text(21)
                        435349525420666F72206578616D706C652E636F6D
                                             # "CSIRT for example.com"
                  18 22                      # unsigned(34)
                  81                         # array(1)
                     A1                      # map(1)
                        18 29                # unsigned(41)
                        78 19                # text(25)
                           636F6E746163744063736972742E6578616D706C652E636F6D
                                             # "contact@csirt.example.com"
            10                               # unsigned(16)
            81                               # array(1)
               A4                            # map(4)
                  16                         # unsigned(22)
                  A3                         # map(3)
                     12                      # unsigned(18)
                     69                      # text(9)
                        473930383233343930   # "G90823490"
                     2E                      # negative(14)
                     71                      # text(17)
                        63736972742E6578616D706C652E636F6D
                                             # "csirt.example.com"
                     37                      # negative(23)
                     61                      # text(1)
                        31                   # "1"
                  24                         # negative(4)
                  81                         # array(1)
                     6A                      # text(10)
                        433220646F6D61696E73 # "C2 domains"
                  06                         # unsigned(6)
                  78 19                      # text(25)
                     323031342D31322D30325431313A31383A30302D30353A3030
                                             # "2014-12-02T11:18:00-05:00"
                  18 AB                      # unsigned(171)
                  A1                         # map(1)
                     18 B0                   # unsigned(176)
                     A2                      # map(2)
                        18 1C                # unsigned(28)
                        6B                   # text(11)
                           646F6D61696E2D6E616D65
                                             # "domain-name"
                        18 B2                # unsigned(178)
                        78 1A                # text(26)
                           6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                             # "kj290023j09r34.example.com"

               Figure 7: Indicators from a Campaign in CBOR

5.  Mapkeys

   The mapkeys are provided in Figure 8 for minimizing the CBOR size.
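   The following Python is an added example, not part of this draft or
   of any IODEF implementation: it replaces the string keys of the
   minimal document of Figure 4 by their integer mapkeys, encodes the
   result as CBOR (reproducing the bytes of Figure 5), and decodes it
   back.  The encoder/decoder and the helper names (head, encode,
   decode_item, rekey, to_cbor, from_cbor) are written here for the
   types this binding uses; MAPKEYS is only the subset of Figure 8 that
   the minimal example needs.

```python
import json

# Subset of the Figure 8 mapkeys that the minimal example (Figure 4) needs;
# the complete table is Figure 8 and the head of the CDDL in Section 6.
MAPKEYS = {
    "version": -24, "lang": -23, "Incident": -19, "purpose": -2,
    "restriction": -10, "IncidentID": 2, "id": 18, "name": -15,
    "GenerationTime": 10, "Contact": 14, "type": 28, "role": 26,
    "Email": 34, "EmailTo": 41,
}
NAMES = {v: k for k, v in MAPKEYS.items()}  # reverse table for decoding


def head(major: int, n: int) -> bytes:
    """CBOR initial byte(s): 3-bit major type plus the shortest argument form."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([major << 5 | info]) + n.to_bytes(width, "big")
    raise ValueError("argument too large for CBOR")


def encode(value) -> bytes:
    """Hand-written CBOR encoder for the types this binding uses (no floats, no tags)."""
    if isinstance(value, int):                    # major 0 (>= 0) / major 1 (< 0)
        return head(0, value) if value >= 0 else head(1, -1 - value)
    if isinstance(value, str):                    # major 3, UTF-8 text
        data = value.encode("utf-8")
        return head(3, len(data)) + data
    if isinstance(value, bytes):                  # major 2 (BYTE fields in CBOR IODEF)
        return head(2, len(value)) + value
    if isinstance(value, list):                   # major 4
        return head(4, len(value)) + b"".join(encode(v) for v in value)
    if isinstance(value, dict):                   # major 5, keys in insertion order
        return head(5, len(value)) + b"".join(encode(k) + encode(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def decode_item(buf: bytes, pos: int):
    """Decode one CBOR data item starting at buf[pos]; returns (item, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info <= 27:                              # argument in 1, 2, 4 or 8 following bytes
        width = 1 << (info - 24)
        n, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    else:
        raise ValueError("indefinite-length items are not used by this binding")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        chunk = buf[pos:pos + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = decode_item(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(n):
            key, pos = decode_item(buf, pos)
            result[key], pos = decode_item(buf, pos)
        return result, pos
    raise ValueError(f"major type {major} is not used by this binding")


def rekey(node, table: dict):
    """Translate every map key through `table` (name -> int going in, int -> name coming out)."""
    if isinstance(node, dict):
        return {table[k]: rekey(v, table) for k, v in node.items()}  # KeyError: unknown key
    if isinstance(node, list):
        return [rekey(v, table) for v in node]
    return node


def to_cbor(doc: dict) -> bytes:
    return encode(rekey(doc, MAPKEYS))


def from_cbor(data: bytes) -> dict:
    item, end = decode_item(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the CBOR document")
    return rekey(item, NAMES)


# The minimal example of Figure 4, embedded here as the sample input.
MINIMAL = json.loads("""{
  "version": "2.0", "lang": "en",
  "Incident": [{"purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}""")

if __name__ == "__main__":
    cbor = to_cbor(MINIMAL)
    print(cbor.hex().upper())          # the byte string of Figure 5
    assert from_cbor(cbor) == MINIMAL  # lossless round trip
```

   A key missing from MAPKEYS raises KeyError on purpose: silently
   emitting a string key would produce a document that a mapkey-only
   CBOR IODEF parser cannot interpret.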
   +-----------------------------------+-------+
   |mapkey                             |cborkey|
   +-----------------------------------+-------+
   | iodef-version                     | -24   |
   | iodef-lang                        | -23   |
   | iodef-format-id                   | -22   |
   | iodef-private-enum-name           | -21   |
   | iodef-private-enum-id             | -20   |
   | iodef-Incident                    | -19   |
   | iodef-AdditionalData              | -18   |
   | iodef-value                       | -17   |
   | iodef-translation-id              | -16   |
   | iodef-name                        | -15   |
   | iodef-dtype                       | -14   |
   | iodef-ext-dtype                   | -13   |
   | iodef-meaning                     | -12   |
   | iodef-formatid                    | -11   |
   | iodef-restriction                 | -10   |
   | iodef-ext-restriction             | -9    |
   | iodef-observable-id               | -8    |
   | iodef-SoftwareReference           | -7    |
   | iodef-URL                         | -6    |
   | iodef-Description                 | -5    |
   | iodef-spec-name                   | -4    |
   | iodef-ext-spec-name               | -3    |
   | iodef-purpose                     | -2    |
   | iodef-ext-purpose                 | -1    |
   | iodef-status                      | 0     |
   | iodef-ext-status                  | 1     |
   | iodef-IncidentID                  | 2     |
   | iodef-AlternativeID               | 3     |
   | iodef-RelatedActivity             | 4     |
   | iodef-DetectTime                  | 5     |
   | iodef-StartTime                   | 6     |
   | iodef-EndTime                     | 7     |
   | iodef-RecoveryTime                | 8     |
   | iodef-ReportTime                  | 9     |
   | iodef-GenerationTime              | 10    |
   | iodef-Discovery                   | 11    |
   | iodef-Assessment                  | 12    |
   | iodef-Method                      | 13    |
   | iodef-Contact                     | 14    |
   | iodef-EventData                   | 15    |
   | iodef-Indicator                   | 16    |
   | iodef-History                     | 17    |
   | iodef-id                          | 18    |
   | iodef-instance                    | 19    |
   | iodef-ThreatActor                 | 20    |
   | iodef-Campaign                    | 21    |
   | iodef-IndicatorID                 | 22    |
   | iodef-Confidence                  | 23    |
   | iodef-ThreatActorID               | 24    |
   | iodef-CampaignID                  | 25    |
   | iodef-role                        | 26    |
   | iodef-ext-role                    | 27    |
   | iodef-type                        | 28    |
   | iodef-ext-type                    | 29    |
   | iodef-ContactName                 | 30    |
   | iodef-ContactTitle                | 31    |
   | iodef-RegistryHandle              | 32    |
   | iodef-PostalAddress               | 33    |
   | iodef-Email                       | 34    |
   | iodef-Telephone                   | 35    |
   | iodef-Timezone                    | 36    |
   | iodef-handle                      | 37    |
   | iodef-registry                    | 38    |
   | iodef-ext-registry                | 39    |
   | iodef-PAddress                    | 40    |
   | iodef-EmailTo                     | 41    |
   | iodef-TelephoneNumber             | 42    |
   | iodef-source                      | 43    |
   | iodef-ext-source                  | 44    |
   | iodef-DetectionPattern            | 45    |
   | iodef-DetectionConfiguration      | 46    |
   | iodef-Application                 | 47    |
   | iodef-Reference                   | 48    |
   | iodef-AttackPattern               | 49    |
   | iodef-Vulnerability               | 50    |
   | iodef-Weakness                    | 51    |
   | iodef-SpecID                      | 52    |
   | iodef-ext-SpecID                  | 53    |
   | iodef-ContentID                   | 54    |
   | iodef-RawData                     | 55    |
   | iodef-Platform                    | 56    |
   | iodef-Scoring                     | 57    |
   | iodef-ReferenceName               | 58    |
   | iodef-specIndex                   | 59    |
   | iodef-ID                          | 60    |
   | iodef-occurrence                  | 61    |
   | iodef-IncidentCategory            | 62    |
   | iodef-Impact                      | 63    |
   | iodef-SystemImpact                | 64    |
   | iodef-BusinessImpact              | 65    |
   | iodef-TimeImpact                  | 66    |
   | iodef-MonetaryImpact              | 67    |
   | iodef-IntendedImpact              | 68    |
   | iodef-Counter                     | 69    |
   | iodef-MitigatingFactor            | 70    |
   | iodef-Cause                       | 71    |
   | iodef-severity                    | 72    |
   | iodef-completion                  | 73    |
   | iodef-ext-severity                | 74    |
   | iodef-metric                      | 75    |
   | iodef-ext-metric                  | 76    |
   | iodef-duration                    | 77    |
   | iodef-ext-duration                | 78    |
   | iodef-currency                    | 79    |
   | iodef-rating                      | 80    |
   | iodef-ext-rating                  | 81    |
   | iodef-HistoryItem                 | 82    |
   | iodef-action                      | 83    |
   | iodef-ext-action                  | 84    |
   | iodef-DateTime                    | 85    |
   | iodef-DefinedCOA                  | 86    |
   | iodef-System                      | 87    |
   | iodef-Expectation                 | 88    |
   | iodef-RecordData                  | 89    |
   | iodef-category                    | 90    |
   | iodef-ext-category                | 91    |
   | iodef-interface                   | 92    |
   | iodef-spoofed                     | 93    |
   | iodef-virtual                     | 94    |
   | iodef-ownership                   | 95    |
   | iodef-ext-ownership               | 96    |
   | iodef-Node                        | 97    |
   | iodef-NodeRole                    | 98    |
   | iodef-Service                     | 99    |
   | iodef-OperatingSystem             | 100   |
   | iodef-AssetID                     | 101   |
   | iodef-DomainData                  | 102   |
   | iodef-Address                     | 103   |
   | iodef-Location                    | 104   |
   | iodef-vlan-name                   | 105   |
   | iodef-vlan-num                    | 106   |
   | iodef-unit                        | 107   |
   | iodef-ext-unit                    | 108   |
   | iodef-system-status               | 109   |
   | iodef-ext-system-status           | 110   |
   | iodef-domain-status               | 111   |
   | iodef-ext-domain-status           | 112   |
   | iodef-Name                        | 113   |
   | iodef-DateDomainWasChecked        | 114   |
   | iodef-RegistrationDate            | 115   |
   | iodef-ExpirationDate              | 116   |
   | iodef-RelatedDNS                  | 117   |
   | iodef-NameServers                 | 118   |
   | iodef-DomainContacts              | 119   |
   | iodef-Server                      | 120   |
   | iodef-SameDomainContact           | 121   |
   | iodef-ip-protocol                 | 122   |
   | iodef-ServiceName                 | 123   |
   | iodef-Port                        | 124   |
   | iodef-Portlist                    | 125   |
   | iodef-ProtoCode                   | 126   |
   | iodef-ProtoType                   | 127   |
   | iodef-ProtoField                  | 128   |
   | iodef-ApplicationHeaderField      | 129   |
   | iodef-EmailData                   | 130   |
   | iodef-IANAService                 | 131   |
   | iodef-EmailFrom                   | 132   |
   | iodef-EmailSubject                | 133   |
   | iodef-EmailX-Mailer               | 134   |
   | iodef-EmailHeaderField            | 135   |
   | iodef-EmailHeaders                | 136   |
   | iodef-EmailBody                   | 137   |
   | iodef-EmailMessage                | 138   |
   | iodef-HashData                    | 139   |
   | iodef-Signature                   | 140   |
   | iodef-RecordPattern               | 141   |
   | iodef-RecordItem                  | 142   |
   | iodef-FileData                    | 143   |
   | iodef-WindowsRegistryKeysModified | 144   |
   | iodef-CertificateData             | 145   |
   | iodef-offset                      | 146   |
   | iodef-offsetunit                  | 147   |
   | iodef-ext-offsetunit              | 148   |
   | iodef-Key                         | 149   |
   | iodef-registryaction              | 150   |
   | iodef-ext-registryaction          | 151   |
   | iodef-KeyName                     | 152   |
   | iodef-KeyValue                    | 153   |
   | iodef-Certificate                 | 154   |
   | iodef-X509Data                    | 155   |
   | iodef-File                        | 156   |
   | iodef-FileName                    | 157   |
   | iodef-FileSize                    | 158   |
   | iodef-FileType                    | 159   |
   | iodef-AssociatedSoftware          | 160   |
   | iodef-FileProperties              | 161   |
   | iodef-scope                       | 162   |
   | iodef-HashTargetID                | 163   |
   | iodef-Hash                        | 164   |
   | iodef-FuzzyHash                   | 165   |
   | iodef-DigestMethod                | 166   |
   | iodef-DigestValue                 | 167   |
   | iodef-CanonicalizationMethod      | 168   |
   | iodef-FuzzyHashValue              | 169   |
   | iodef-AlternativeIndicatorID      | 170   |
   | iodef-Observable                  | 171   |
   | iodef-uid-ref                     | 172   |
   | iodef-IndicatorExpression         | 173   |
   | iodef-IndicatorReference          | 174   |
   | iodef-AttackPhase                 | 175   |
   | iodef-BulkObservable              | 176   |
   | iodef-BulkObservableFormat        | 177   |
   | iodef-BulkObservableList          | 178   |
   | iodef-operator                    | 179   |
   | iodef-ext-operator                | 180   |
   | iodef-euid-ref                    | 181   |
   | iodef-AttackPhaseID               | 182   |
   +-----------------------------------+-------+

                           Figure 8: Mapkeys

6.  The IODEF Data Model (CDDL)

   This section provides the IODEF data model.  Note that the mapkeys
   are listed at the beginning of the CDDL data model for better
   readability.

   start = iodef

   ;;; iodef.json: IODEF-Document

   iodef-version = -24
   iodef-lang = -23
   iodef-format-id = -22
   iodef-private-enum-name = -21
   iodef-private-enum-id = -20
   iodef-Incident = -19
   iodef-AdditionalData = -18
   iodef-value = -17
   iodef-translation-id = -16
   iodef-name = -15
   iodef-dtype = -14
   iodef-ext-dtype = -13
   iodef-meaning = -12
   iodef-formatid = -11
   iodef-restriction = -10
   iodef-ext-restriction = -9
   iodef-observable-id = -8
   iodef-SoftwareReference = -7
   iodef-URL = -6
   iodef-Description = -5
   iodef-spec-name = -4
   iodef-ext-spec-name = -3
   iodef-purpose = -2
   iodef-ext-purpose = -1
   iodef-status = 0
   iodef-ext-status = 1
   iodef-IncidentID = 2
   iodef-AlternativeID = 3
   iodef-RelatedActivity = 4
   iodef-DetectTime = 5
   iodef-StartTime = 6
   iodef-EndTime = 7
   iodef-RecoveryTime = 8
   iodef-ReportTime = 9
   iodef-GenerationTime = 10
   iodef-Discovery = 11
   iodef-Assessment = 12
   iodef-Method = 13
   iodef-Contact = 14
   iodef-EventData = 15
   iodef-Indicator = 16
   iodef-History = 17
   iodef-id = 18
   iodef-instance = 19
   iodef-ThreatActor = 20
   iodef-Campaign = 21
   iodef-IndicatorID = 22
   iodef-Confidence = 23
   iodef-ThreatActorID = 24
   iodef-CampaignID = 25
   iodef-role = 26
   iodef-ext-role = 27
   iodef-type = 28
   iodef-ext-type = 29
   iodef-ContactName = 30
   iodef-ContactTitle = 31
   iodef-RegistryHandle = 32
   iodef-PostalAddress = 33
   iodef-Email = 34
   iodef-Telephone = 35
   iodef-Timezone = 36
   iodef-handle = 37
   iodef-registry = 38
   iodef-ext-registry = 39
   iodef-PAddress = 40
   iodef-EmailTo = 41
   iodef-TelephoneNumber = 42
   iodef-source = 43
   iodef-ext-source = 44
   iodef-DetectionPattern = 45
   iodef-DetectionConfiguration = 46
   iodef-Application = 47
   iodef-Reference = 48
   iodef-AttackPattern = 49
   iodef-Vulnerability = 50
   iodef-Weakness = 51
   iodef-SpecID = 52
   iodef-ext-SpecID = 53
   iodef-ContentID = 54
   iodef-RawData = 55
   iodef-Platform = 56
   iodef-Scoring = 57
   iodef-ReferenceName = 58
   iodef-specIndex = 59
   iodef-ID = 60
   iodef-occurrence = 61
   iodef-IncidentCategory = 62
   iodef-Impact = 63
   iodef-SystemImpact = 64
   iodef-BusinessImpact = 65
   iodef-TimeImpact = 66
   iodef-MonetaryImpact = 67
   iodef-IntendedImpact = 68
   iodef-Counter = 69
   iodef-MitigatingFactor = 70
   iodef-Cause = 71
   iodef-severity = 72
   iodef-completion = 73
   iodef-ext-severity = 74
   iodef-metric = 75
   iodef-ext-metric = 76
   iodef-duration = 77
   iodef-ext-duration = 78
   iodef-currency = 79
   iodef-rating = 80
   iodef-ext-rating = 81
   iodef-HistoryItem = 82
   iodef-action = 83
   iodef-ext-action = 84
   iodef-DateTime = 85
   iodef-DefinedCOA = 86
   iodef-System = 87
   iodef-Expectation = 88
   iodef-RecordData = 89
   iodef-category = 90
   iodef-ext-category = 91
   iodef-interface = 92
   iodef-spoofed = 93
   iodef-virtual = 94
   iodef-ownership = 95
   iodef-ext-ownership = 96
   iodef-Node = 97
   iodef-NodeRole = 98
   iodef-Service = 99
   iodef-OperatingSystem = 100
   iodef-AssetID = 101
   iodef-DomainData = 102
   iodef-Address = 103
   iodef-Location = 104
   iodef-vlan-name = 105
   iodef-vlan-num = 106
   iodef-unit = 107
   iodef-ext-unit = 108
   iodef-system-status = 109
   iodef-ext-system-status = 110
   iodef-domain-status = 111
   iodef-ext-domain-status = 112
   iodef-Name = 113
   iodef-DateDomainWasChecked = 114
   iodef-RegistrationDate = 115
   iodef-ExpirationDate = 116
   iodef-RelatedDNS = 117
   iodef-NameServers = 118
   iodef-DomainContacts = 119
   iodef-Server = 120
   iodef-SameDomainContact = 121
   iodef-ip-protocol = 122
   iodef-ServiceName = 123
   iodef-Port = 124
   iodef-Portlist = 125
   iodef-ProtoCode = 126
   iodef-ProtoType = 127
   iodef-ProtoField = 128
   iodef-ApplicationHeaderField = 129
   iodef-EmailData = 130
   iodef-IANAService = 131
   iodef-EmailFrom = 132
   iodef-EmailSubject = 133
   iodef-EmailX-Mailer = 134
   iodef-EmailHeaderField = 135
   iodef-EmailHeaders = 136
   iodef-EmailBody = 137
   iodef-EmailMessage = 138
   iodef-HashData = 139
   iodef-Signature = 140
   iodef-RecordPattern = 141
   iodef-RecordItem = 142
   iodef-FileData = 143
   iodef-WindowsRegistryKeysModified = 144
   iodef-CertificateData = 145
   iodef-offset = 146
   iodef-offsetunit = 147
   iodef-ext-offsetunit = 148
   iodef-Key = 149
   iodef-registryaction = 150
   iodef-ext-registryaction = 151
   iodef-KeyName = 152
   iodef-KeyValue = 153
   iodef-Certificate = 154
   iodef-X509Data = 155
   iodef-File = 156
   iodef-FileName = 157
   iodef-FileSize = 158
   iodef-FileType = 159
   iodef-AssociatedSoftware = 160
   iodef-FileProperties = 161
   iodef-scope = 162
   iodef-HashTargetID = 163
   iodef-Hash = 164
   iodef-FuzzyHash = 165
   iodef-DigestMethod = 166
   iodef-DigestValue = 167
   iodef-CanonicalizationMethod = 168
   iodef-FuzzyHashValue = 169
   iodef-AlternativeIndicatorID = 170
   iodef-Observable = 171
   iodef-uid-ref = 172
   iodef-IndicatorExpression = 173
   iodef-IndicatorReference = 174
   iodef-AttackPhase = 175
   iodef-BulkObservable = 176
   iodef-BulkObservableFormat = 177
   iodef-BulkObservableList = 178
   iodef-operator = 179
   iodef-ext-operator = 180
   iodef-euid-ref = 181
   iodef-AttackPhaseID = 182

   iodef = {
      iodef-version => text,
      ? iodef-lang => lang,
      ? iodef-format-id => text,
      ? iodef-private-enum-name => text,
      ? iodef-private-enum-id => text,
      iodef-Incident => [+ Incident],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
              "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"

   restriction = "public" / "partner" / "need-to-know" / "private" /
                 "default" / "white" / "green" / "amber" / "red" /
                 "ext-value"
   SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   URLtype = uri
   TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
            "contact-sender" / "investigate" / "block-host" /
            "block-network" / "block-port" / "rate-limit-host" /
            "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
            "honeypot" / "upgrade-software" / "rebuild-asset" /
            "harden-asset" / "remediate-other" / "status-triage" /
            "status-new-info" / "watch-and-report" / "training" /
            "defined-coa" / "other" / "ext-value"

   DATETIME = tdate

   BYTE = eb64legacy

   MLStringType = {
      iodef-value => text,
      ? iodef-lang => lang,
      ? iodef-translation-id => text
   } / text
   PositiveFloatType = float32 .gt 0

   PAddressType = MLStringType

   ExtensionType = {
      iodef-value => text,
      ? iodef-name => text,
      iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" /
         "ntpstamp" / "integer" / "portlist" / "real" / "string" /
         "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
         "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
         .default "string",
      ? iodef-ext-dtype => text,
      ? iodef-meaning => text,
      ? iodef-formatid => text,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
   }

   SoftwareType = {
      ? iodef-SoftwareReference => SoftwareReference,
      ? iodef-URL => [+ URLtype],
      ? iodef-Description => [+ MLStringType]
   }

   SoftwareReference = {
      ? iodef-value => text,
      iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
      ? iodef-ext-spec-name => text,
      ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
         "ext-value" .default "string",
      ? iodef-ext-dtype => text
   }

   Incident = {
      iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" /
         "other" / "ext-value",
      ? iodef-ext-purpose => text,
      ? iodef-status => "new" / "in-progress" / "forwarded" / "resolved" /
         "future" / "ext-value",
      ? iodef-ext-status => text,
      ? iodef-lang => lang,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      iodef-IncidentID => IncidentID,
      ? iodef-AlternativeID => AlternativeID,
      ? iodef-RelatedActivity => [+ RelatedActivity],
      ? iodef-DetectTime => DATETIME,
      ? iodef-StartTime => DATETIME,
      ? iodef-EndTime => DATETIME,
      ? iodef-RecoveryTime => DATETIME,
      ? iodef-ReportTime => DATETIME,
      iodef-GenerationTime => DATETIME,
      ? iodef-Description => [+ MLStringType],
      ? iodef-Discovery => [+ Discovery],
      ? iodef-Assessment => [+ Assessment],
      ? iodef-Method => [+ Method],
      iodef-Contact => [+ Contact],
      ? iodef-EventData => [+ EventData],
      ? iodef-Indicator => [+ Indicator],
      ? iodef-History => History,
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   IncidentID = {
      iodef-id => text,
      iodef-name => text,
      ? iodef-instance => text,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text
   }

   AlternativeID = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      iodef-IncidentID => [+ IncidentID]
   }

   RelatedActivity = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-IncidentID => [+ IncidentID],
      ? iodef-URL => [+ URLtype],
      ? iodef-ThreatActor => [+ ThreatActor],
      ? iodef-Campaign => [+ Campaign],
      ? iodef-IndicatorID => [+ IndicatorID],
      ? iodef-Confidence => Confidence,
      ? iodef-Description => [+ text],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   ThreatActor = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-ThreatActorID => [+ text],
      ? iodef-URL => [+ URLtype],
      ? iodef-Description => [+ MLStringType],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   Campaign = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-CampaignID => [+ text],
      ? iodef-URL => [+ URLtype],
      ? iodef-Description => [+ MLStringType],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   Contact = {
      iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" /
         "user" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" /
         "leo" / "vendor" / "vendor-support" / "victim" / "victim-notified" /
         "ext-value",
      ? iodef-ext-role => text,
      iodef-type => "person" / "organization" / "ext-value",
      ? iodef-ext-type => text,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-ContactName => [+ MLStringType],
      ? iodef-ContactTitle => [+ MLStringType],
      ? iodef-Description => [+ MLStringType],
      ? iodef-RegistryHandle => [+ RegistryHandle],
      ? iodef-PostalAddress => [+ PostalAddress],
      ? iodef-Email => [+ Email],
      ? iodef-Telephone => [+ Telephone],
      ? iodef-Timezone => TimeZonetype,
      ? iodef-Contact => [+ Contact],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   RegistryHandle = {
      iodef-handle => text,
      iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
         "afrinic" / "local" / "ext-value",
      ? iodef-ext-registry => text
   }

   PostalAddress = {
      ? iodef-type => "street" / "mailing" / "ext-value",
      ? iodef-ext-type => text,
      iodef-PAddress => PAddressType,
      ? iodef-Description => [+ MLStringType]
   }

   Email = {
      ? iodef-type => "direct" / "hotline" / "ext-value",
      ? iodef-ext-type => text,
      iodef-EmailTo => text,
      ? iodef-Description => [+ MLStringType]
   }

   Telephone = {
      ? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value",
      ? iodef-ext-type => text,
      iodef-TelephoneNumber => text,
      ? iodef-Description => [+ MLStringType]
   }

   Discovery = {
      ? iodef-source => "nidps" / "hips" / "siem" / "av" /
         "third-party-monitoring" / "incident" / "os-log" /
         "application-log" / "device-log" / "network-flow" /
         "passive-dns" / "investigation" / "audit" /
         "internal-notification" / "external-notification" /
         "leo" / "partner" / "actor" / "unknown" / "ext-value",
      ? iodef-ext-source => text,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-Description => [+ MLStringType],
      ? iodef-Contact => [+ Contact],
      ? iodef-DetectionPattern => [+ DetectionPattern]
   }

   DetectionPattern = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      (iodef-Description => [+ MLStringType] //
       iodef-DetectionConfiguration => [+ text]),
      iodef-Application => SoftwareType
   }

   Method = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-Reference => [+ Reference],
      ? iodef-Description => [+ MLStringType],
      ? iodef-AttackPattern => [+ StructuredInfo],
      ? iodef-Vulnerability => [+ StructuredInfo],
      ? iodef-Weakness => [+ StructuredInfo],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   StructuredInfo = {
      iodef-SpecID => SpecID,
      ? iodef-ext-SpecID => text,
      ? iodef-ContentID => text,
      ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
      ? iodef-Platform => [+ Platform],
      ? iodef-Scoring => [+ Scoring]
   }

   Platform = {
      iodef-SpecID => SpecID,
      ? iodef-ext-SpecID => text,
      ? iodef-ContentID => text,
      ? iodef-RawData => [+ BYTE],
      ? iodef-Reference => [+ Reference]
   }

   Scoring = {
      iodef-SpecID => SpecID,
      ? iodef-ext-SpecID => text,
      ? iodef-ContentID => text,
      ? iodef-RawData => [+ BYTE],
      ? iodef-Reference => [+ Reference]
   }

   Reference = {
      ? iodef-observable-id => IDtype,
      ? iodef-ReferenceName => ReferenceName,
      ? iodef-URL => [+ URLtype],
      ? iodef-Description => [+ MLStringType]
   }

   ReferenceName = {
      iodef-specIndex => integer,
      iodef-ID => IDtype
   }

   Assessment = {
      ? iodef-occurrence => "actual" / "potential",
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      ? iodef-IncidentCategory => [+ MLStringType],
      iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
                         {iodef-BusinessImpact => BusinessImpact} /
                         {iodef-TimeImpact => TimeImpact} /
                         {iodef-MonetaryImpact => MonetaryImpact} /
                         {iodef-IntendedImpact => BusinessImpact}],
      ? iodef-Counter => [+ Counter],
      ? iodef-MitigatingFactor => [+ MLStringType],
      ? iodef-Cause => [+ MLStringType],
      ? iodef-Confidence => Confidence,
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   SystemImpact = {
      ? iodef-severity => "low" / "medium" / "high",
      ? iodef-completion => "failed" / "succeeded",
      iodef-type => "takeover-account" / "takeover-service" / "takeover-system" /
         "cps-manipulation" / "cps-damage" / "availability-data" /
         "availability-account" / "availability-service" /
         "availability-system" / "damaged-system" / "damaged-data" /
         "breach-proprietary" / "breach-privacy" / "breach-credential" /
         "breach-configuration" / "integrity-data" /
         "integrity-configuration" / "integrity-hardware" /
         "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
         "policy" / "unknown" / "ext-value" .default "unknown",
      ? iodef-ext-type => text,
      ? iodef-Description => [+ MLStringType]
   }

   BusinessImpact = {
      ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
         "ext-value" .default "unknown",
      ? iodef-ext-severity => text,
      iodef-type => "breach-proprietary" / "breach-privacy" /
         "breach-credential" / "loss-of-integrity" / "loss-of-service" /
         "theft-financial" / "theft-service" / "degraded-reputation" /
         "asset-damage" / "asset-manipulation" / "legal" / "extortion" /
         "unknown" / "ext-value" .default "unknown",
      ? iodef-ext-type => text,
      ? iodef-Description => [+ MLStringType]
   }

   TimeImpact = {
      iodef-value => PositiveFloatType,
      ? iodef-severity => "low" / "medium" / "high",
      iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
      ? iodef-ext-metric => text,
      ? iodef-duration => duration .default "hour",
      ? iodef-ext-duration => text
   }

   MonetaryImpact = {
      iodef-value => PositiveFloatType,
      ? iodef-severity => "low" / "medium" / "high",
      ? iodef-currency => text
   }

   Confidence = {
      iodef-value => float32,
      iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
         "ext-value",
      ? iodef-ext-rating => text
   }

   History = {
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      iodef-HistoryItem => [+ HistoryItem]
   }

   HistoryItem = {
      iodef-action => action .default "other",
      ? iodef-ext-action => text,
      ? iodef-restriction => restriction .default "private",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      iodef-DateTime => DATETIME,
      ? iodef-IncidentID => IncidentID,
      ? iodef-Contact => Contact,
      ? iodef-Description => [+ MLStringType],
      ? iodef-DefinedCOA => [+ text],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   EventData = {
      ? iodef-restriction => restriction .default "default",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      ? iodef-Description => [+ MLStringType],
      ? iodef-DetectTime => DATETIME,
      ? iodef-StartTime => DATETIME,
      ? iodef-EndTime => DATETIME,
      ? iodef-RecoveryTime => DATETIME,
      ? iodef-ReportTime => DATETIME,
      ? iodef-Contact => [+ Contact],
      ? iodef-Discovery => [+ Discovery],
      ? iodef-Assessment => Assessment,
      ? iodef-Method => [+ Method],
      ? iodef-System => [+ System],
      ? iodef-Expectation => [+ Expectation],
      ? iodef-RecordData => [+ RecordData],
      ? iodef-EventData => [+ EventData],
      ? iodef-AdditionalData => [+ ExtensionType]
   }

   Expectation = {
      ? iodef-action => action .default "other",
      ? iodef-ext-action => text,
      ? iodef-severity => "low" / "medium" / "high",
      ? iodef-restriction => restriction .default "default",
      ? iodef-ext-restriction => text,
      ? iodef-observable-id => IDtype,
      ? iodef-Description => [+ MLStringType],
      ? iodef-DefinedCOA => [+ text],
      ? iodef-StartTime => DATETIME,
      ? iodef-EndTime => DATETIME,
      ? iodef-Contact => Contact
   }

   System = {
      ? iodef-category => "source" / "target" / "intermediate" / "sensor" /
         "infrastructure" / "ext-value",
      ? iodef-ext-category => text,
      ? iodef-interface => text,
      ?
iodef-spoofed => "unknown" / "yes" / "no" .default "unknown", 1969 ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown", 1970 ? iodef-ownership => "organization" / "personal" / "partner" / "customer" / 1971 "no-relationship" / "unknown" / "ext-value", 1972 ? iodef-ext-ownership => text, 1973 ? iodef-restriction => restriction .default "private", 1974 ? iodef-ext-restriction => text, 1975 ? iodef-observable-id => IDtype, 1976 iodef-Node => Node, 1977 ? iodef-NodeRole => [+ NodeRole], 1978 ? iodef-Service => [+ Service], 1979 ? iodef-OperatingSystem => [+ SoftwareType], 1980 ? iodef-Counter => [+ Counter], 1981 ? iodef-AssetID => [+ text], 1982 ? iodef-Description => [+ MLStringType], 1983 ? iodef-AdditionalData => [+ ExtensionType] 1984 } 1986 Node = { 1987 (iodef-DomainData => [+ DomainData] // iodef-Address => [+ Address]), 1988 ? iodef-PostalAddress => PostalAddress, 1989 ? iodef-Location => [+ MLStringType], 1990 ? iodef-Counter => [+ Counter] 1991 } 1993 Address = { 1994 iodef-value => text, 1995 iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 1996 "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / 1997 "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / 1998 "ext-value" .default "ipv6-addr", 1999 ? iodef-ext-category => text, 2000 ? iodef-vlan-name => text, 2001 ? iodef-vlan-num => integer, 2002 ? 
iodef-observable-id => IDtype 2003 } 2005 NodeRole = { 2006 iodef-category => "client" / "client-enterprise" / "client-partner" / 2007 "client-remote" / "client-kiosk" / "client-mobile" / 2008 "server-internal" / "server-public" / "www" / "mail" / 2009 "webmail" / "messaging" / "streaming" / "voice" / "file" / 2010 "ftp" / "p2p" / "name" / "directory" / "credential" / 2011 "print" / "application" / "database" / "backup" / "dhcp" / 2012 "assessment" / "source-control" / "config-management" / 2013 "monitoring" / "infra" / "infra-firewall" / "infra-router" / 2014 "infra-switch" / "camera" / "proxy" / "remote-access" / 2015 "log" / "virtualization" / "pos" / "scada" / 2016 "scada-supervisory" / "sinkhole" / "honeypot" / 2017 "anomyzation" / "c2-server" / "malware-distribution" / 2018 "drop-server" / "hop-point" / "reflector" / 2019 "phishing-site" / "spear-phishing-site" / "recruiting-site" / 2020 "fraudulent-site" / "ext-value", 2021 ? iodef-ext-category => text, 2022 ? iodef-Description => [+ MLStringType] 2023 } 2025 Counter = { 2026 iodef-value => float32, 2027 iodef-type => "count" / "peak" / "average" / "ext-value", 2028 ? iodef-ext-type => text, 2029 iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / 2030 "message" / "event" / "host" / "site" / "organization" / 2031 "ext-value", 2032 ? iodef-ext-unit => text, 2033 ? iodef-meaning => text, 2034 ? iodef-duration => duration .default "hour", 2035 ? iodef-ext-duration => text 2036 } 2038 DomainData = { 2039 iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" / 2040 "innocent-hijacked" / "unknown" / "ext-value", 2041 ? iodef-ext-system-status => text, 2042 iodef-domain-status => "reservedDelegation" / "assignedAndActive" / 2044 "assignedAndInactive" / "assignedAndOnHold" / 2045 "revoked" / "transferPending" / "registryLock" / 2046 "registrarLock" / "other" / "unknown" / "ext-value", 2047 ? iodef-ext-domain-status => text, 2048 ? 
iodef-observable-id => IDtype, 2049 iodef-Name => text, 2050 ? iodef-DateDomainWasChecked => DATETIME, 2051 ? iodef-RegistrationDate => DATETIME, 2052 ? iodef-ExpirationDate => DATETIME, 2053 ? iodef-RelatedDNS => [+ ExtensionType], 2054 ? iodef-NameServers => [+ NameServers], 2055 ? iodef-DomainContacts => DomainContacts 2056 } 2058 NameServers = { 2059 iodef-Server => text, 2060 iodef-Address => [+ Address] 2061 } 2063 DomainContacts = { 2064 (iodef-SameDomainContact => text // iodef-Contact => [+ Contact]) 2065 } 2067 Service = { 2068 ? iodef-ip-protocol => integer, 2069 ? iodef-observable-id => IDtype, 2070 ? iodef-ServiceName => ServiceName, 2071 ? iodef-Port => integer, 2072 ? iodef-Portlist => PortlistType, 2073 ? iodef-ProtoCode => integer, 2074 ? iodef-ProtoType => integer, 2075 ? iodef-ProtoField => integer, 2076 ? iodef-ApplicationHeaderField => [+ ExtensionType], 2077 ? iodef-EmailData => EmailData, 2078 ? iodef-Application => SoftwareType 2079 } 2081 ServiceName = { 2082 ? iodef-IANAService => text, 2083 ? iodef-URL => [+ URLtype], 2084 ? iodef-Description => [+ MLStringType] 2085 } 2087 EmailData = { 2088 ? iodef-observable-id => IDtype, 2089 ? iodef-EmailTo => [+ text], 2090 ? iodef-EmailFrom => text, 2091 ? iodef-EmailSubject => text, 2092 ? iodef-EmailX-Mailer => text, 2093 ? iodef-EmailHeaderField => [+ ExtensionType], 2094 ? iodef-EmailHeaders => text, 2095 ? iodef-EmailBody => text, 2096 ? iodef-EmailMessage => text, 2097 ? iodef-HashData => [+ HashData], 2098 ? iodef-Signature => [+ BYTE] 2099 } 2101 RecordData = { 2102 ? iodef-restriction => restriction .default "private", 2103 ? iodef-ext-restriction => text, 2104 ? iodef-observable-id => IDtype, 2105 ? iodef-DateTime => DATETIME, 2106 ? iodef-Description => [+ MLStringType], 2107 ? iodef-Application => SoftwareType, 2108 ? iodef-RecordPattern => [+ RecordPattern], 2109 ? iodef-RecordItem => [+ ExtensionType], 2110 ? iodef-URL => [+ URLtype], 2111 ? iodef-FileData => [+ FileData], 2112 ? 
iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified], 2113 ? iodef-CertificateData => [+ CertificateData], 2114 ? iodef-AdditionalData => [+ ExtensionType] 2115 } 2117 RecordPattern = { 2118 iodef-value => text, 2119 iodef-type => "regex" / "binary" / "xpath" / "ext-value" .default "regex", 2120 ? iodef-ext-type => text, 2121 ? iodef-offset => integer, 2122 ? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line", 2123 ? iodef-ext-offsetunit => text, 2124 ? iodef-instance => integer 2125 } 2127 WindowsRegistryKeysModified = { 2128 ? iodef-observable-id => IDtype, 2129 iodef-Key => [+ Key] 2130 } 2132 Key = { 2133 ? iodef-registryaction => "add-key" / "add-value" / "delete-key" / 2134 "delete-value" / "modify-key" / "modify-value" / 2135 "ext-value", 2136 ? iodef-ext-registryaction => text, 2137 ? iodef-observable-id => IDtype, 2138 iodef-KeyName => text, 2139 ? iodef-KeyValue => text 2141 } 2143 CertificateData = { 2144 ? iodef-restriction => restriction .default "private", 2145 ? iodef-ext-restriction => text, 2146 ? iodef-observable-id => IDtype, 2147 iodef-Certificate => [+ Certificate] 2148 } 2150 Certificate = { 2151 ? iodef-observable-id => IDtype, 2152 iodef-X509Data => BYTE, 2153 ? iodef-Description => [+ MLStringType] 2154 } 2156 FileData = { 2157 ? iodef-restriction => restriction .default "private", 2158 ? iodef-ext-restriction => text, 2159 ? iodef-observable-id => IDtype, 2160 iodef-File => [+ File] 2161 } 2163 File = { 2164 ? iodef-observable-id => IDtype, 2165 ? iodef-FileName => text, 2166 ? iodef-FileSize => integer, 2167 ? iodef-FileType => text, 2168 ? iodef-URL => [+ URLtype], 2169 ? iodef-HashData => HashData, 2170 ? iodef-Signature => [+ BYTE], 2171 ? iodef-AssociatedSoftware => SoftwareType, 2172 ? 
iodef-FileProperties => [+ ExtensionType] 2173 } 2175 HashData = { 2176 iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" / 2177 "file-pe-resource" / "file-pdf-object" / "email-hash" / 2178 "email-headers-hash" / "email-body-hash" / "ext-value", 2179 ? iodef-HashTargetID => text, 2180 ? iodef-Hash => [+ Hash], 2181 ? iodef-FuzzyHash => [+ FuzzyHash] 2182 } 2184 Hash = { 2185 iodef-DigestMethod => BYTE, 2186 iodef-DigestValue => BYTE, 2187 ? iodef-CanonicalizationMethod => BYTE, 2188 ? iodef-Application => SoftwareType 2190 } 2192 FuzzyHash = { 2193 iodef-FuzzyHashValue => [+ ExtensionType], 2194 ? iodef-Application => SoftwareType, 2195 ? iodef-AdditionalData => [+ ExtensionType] 2196 } 2198 Indicator = { 2199 ? iodef-restriction => restriction .default "private", 2200 ? iodef-ext-restriction => text, 2201 iodef-IndicatorID => IndicatorID, 2202 ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID], 2203 ? iodef-Description => [+ MLStringType], 2204 ? iodef-StartTime => DATETIME, 2205 ? iodef-EndTime => DATETIME, 2206 ? iodef-Confidence => Confidence, 2207 ? iodef-Contact => [+ Contact], 2208 (iodef-Observable => Observable // iodef-uid-ref => IDREFType // 2209 iodef-IndicatorExpression => IndicatorExpression // 2210 iodef-IndicatorReference => IndicatorReference), 2211 ? iodef-NodeRole => [+ NodeRole], 2212 ? iodef-AttackPhase => [+ AttackPhase], 2213 ? iodef-Reference => [+ Reference], 2214 ? iodef-AdditionalData => [+ ExtensionType] 2215 } 2217 IndicatorID = { 2218 iodef-id => IDtype, 2219 iodef-name => text, 2220 iodef-version => text 2221 } 2223 AlternativeIndicatorID = { 2224 ? iodef-restriction => restriction .default "private", 2225 ? iodef-ext-restriction => text, 2226 iodef-IndicatorID => [+ IndicatorID] 2227 } 2229 Observable = { 2230 ? iodef-restriction => restriction .default "private", 2231 ? iodef-ext-restriction => text, 2232 ? 
(iodef-System => System // iodef-Address => Address // 2233 iodef-DomainData => DomainData // iodef-EmailData => EmailData // 2234 iodef-Service => Service // 2235 iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // 2236 iodef-FileData => FileData //iodef-CertificateData => CertificateData // 2237 iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>RecordData // 2238 iodef-EventData => EventData // iodef-Incident => Incident // 2239 iodef-Expectation => Expectation // iodef-Reference => Reference // 2240 iodef-Assessment => Assessment // 2241 iodef-DetectionPattern => DetectionPattern // 2242 iodef-HistoryItem => HistoryItem // 2243 iodef-BulkObservable => BulkObservable // 2244 iodef-AdditionalData => [+ ExtensionType]) 2245 } 2247 BulkObservable = { 2248 ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / 2249 "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / 2250 "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / 2251 "domain-to-ipv6" / "domain-to-ipv4-timestamp" / 2252 "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / 2253 "windows-reg-key" / "file-hash" / "email-x-mailer" / 2254 "email-subject" / "http-user-agent" / "http-request-uri" / 2255 "mutex" / "file-path" / "user-name" / "ext-value", 2256 ? iodef-ext-type => text, 2257 ? iodef-BulkObservableFormat => BulkObservableFormat, 2258 iodef-BulkObservableList => text, 2259 ? iodef-AdditionalData => [+ ExtensionType] 2260 } 2262 BulkObservableFormat = { 2263 (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType]) 2264 } 2266 IndicatorExpression = { 2267 ? iodef-operator => "not" / "and" / "or" / "xor" .default "and", 2268 ? iodef-ext-operator => text, 2269 ? iodef-IndicatorExpression => [+ IndicatorExpression], 2270 ? iodef-Observable => [+ Observable], 2271 ? iodef-uid-ref => [+ IDREFType], 2272 ? iodef-IndicatorReference => [+ IndicatorReference], 2273 ? iodef-Confidence => Confidence, 2274 ? 
iodef-AdditionalData => [+ ExtensionType] 2275 } 2277 IndicatorReference = { 2278 (iodef-uid-ref => IDREFType // iodef-euid-ref => text), 2279 ? iodef-version => text 2280 } 2282 AttackPhase = { 2283 ? iodef-AttackPhaseID => [+ text], 2284 ? iodef-URL => [+ URLtype], 2285 ? iodef-Description => [+ MLStringType], 2286 ? iodef-AdditionalData => [+ ExtensionType] 2287 } 2289 Figure 9: Data Model in CDDL 2291 7. IANA Considerations 2293 This document does not require any IANA actions. 2295 8. Security Considerations 2297 This document provides a mapping from XML IODEF defined in [RFC7970] 2298 to JSON, and Section 3.2 describes several issues that arise when 2299 converting XML IODEF and JSON IODEF. Though it does not provide any 2300 further security considerations than the one described in [RFC7970], 2301 impelementers of this document should be aware of those issues to 2302 avoid any unintended outcome. 2304 9. Acknowledgments 2306 We would like to thank Henk Birkholz, Carsten Bormann, Benjamin 2307 Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their 2308 insightful comments on this document and CDDL. 2310 10. References 2312 10.1. Normative References 2314 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2315 Requirement Levels", BCP 14, RFC 2119, 2316 DOI 10.17487/RFC2119, March 1997, 2317 . 2319 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 2320 Resource Identifier (URI): Generic Syntax", STD 66, 2321 RFC 3986, DOI 10.17487/RFC3986, January 2005, 2322 . 2324 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 2325 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 2326 . 2328 [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object 2329 Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, 2330 October 2013, . 2332 [RFC7203] Takahashi, T., Landfield, K., and Y. 
Kadobayashi, "An 2333 Incident Object Description Exchange Format (IODEF) 2334 Extension for Structured Cybersecurity Information", 2335 RFC 7203, DOI 10.17487/RFC7203, April 2014, 2336 . 2338 [RFC7970] Danyliw, R., "The Incident Object Description Exchange 2339 Format Version 2", RFC 7970, DOI 10.17487/RFC7970, 2340 November 2016, . 2342 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2343 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2344 May 2017, . 2346 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 2347 Interchange Format", STD 90, RFC 8259, 2348 DOI 10.17487/RFC8259, December 2017, 2349 . 2351 [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data 2352 Definition Language (CDDL): A Notational Convention to 2353 Express Concise Binary Object Representation (CBOR) and 2354 JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, 2355 June 2019, . 2357 10.2. Informative References 2359 [I-D.handrews-json-schema-validation] 2360 Wright, A., Andrews, H., and B. Hutton, "JSON Schema 2361 Validation: A Vocabulary for Structural Validation of 2362 JSON", draft-handrews-json-schema-validation-02 (work in 2363 progress), September 2019. 2365 Appendix A. Data Types used in this document 2367 The CDDL prelude used in this document is mapped to JSON as shown in 2368 the table below. 
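   Figure 10 leaves several checks to the implementation (an RFC 3339
   date-time carried inside a JSON string, integer-valued numbers,
   base64 bytes) on top of the structural rules that the JSON schema in
   Appendix B expresses.  The following Python is an added example and
   not part of this draft: a small evaluator for just the JSON Schema
   draft-04 keywords Appendix B uses, run against a trimmed copy of the
   Incident, IncidentID and Contact definitions from Appendix B and a
   constructed incident whose identifiers, names and address are
   invented.  A production implementation would use a full JSON Schema
   validator; the point here is which checks the mapping requires.

```python
# Added example (not from the draft): a small JSON Schema draft-04 evaluator
# covering only the keywords Appendix B uses, run over a trimmed copy of the
# Incident/IncidentID/Contact definitions and a constructed incident.
import re
from datetime import datetime

# Definitions copied from Appendix B, cut down to what a minimal Incident needs.
SCHEMA = {"definitions": {
    "purpose": {"enum": ["traceback", "mitigation", "reporting", "watch",
                         "other", "ext-value"]},
    "restriction": {"enum": ["public", "partner", "need-to-know", "private",
                             "default", "white", "green", "amber", "red",
                             "ext-value"]},
    "DATETIME": {"type": "string", "format": "date-time"},
    "IDtype": {"type": "string", "pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
    "MLStringType": {"oneOf": [{"type": "string"},
        {"type": "object", "properties": {"value": {"type": "string"}},
         "required": ["value"], "additionalProperties": False}]},
    "IncidentID": {"type": "object", "properties": {
        "id": {"type": "string"}, "name": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"}},
        "required": ["id", "name"], "additionalProperties": False},
    "Email": {"type": "object", "properties": {"EmailTo": {"type": "string"}},
              "required": ["EmailTo"], "additionalProperties": False},
    "Contact": {"type": "object", "properties": {
        "role": {"enum": ["creator", "reporter", "admin", "tech", "provider",
                          "user", "billing", "legal", "irt", "abuse", "cc",
                          "cc-irt", "leo", "vendor", "vendor-support",
                          "victim", "victim-notified", "ext-value"]},
        "type": {"enum": ["person", "organization", "ext-value"]},
        "ContactName": {"type": "array", "minItems": 1,
                        "items": {"$ref": "#/definitions/MLStringType"}},
        "Email": {"type": "array", "minItems": 1,
                  "items": {"$ref": "#/definitions/Email"}}},
        "required": ["role", "type"], "additionalProperties": False},
    "Incident": {"type": "object", "properties": {
        "purpose": {"$ref": "#/definitions/purpose"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "GenerationTime": {"$ref": "#/definitions/DATETIME"},
        "Contact": {"type": "array", "minItems": 1,
                    "items": {"$ref": "#/definitions/Contact"}}},
        "required": ["IncidentID", "GenerationTime", "Contact", "purpose"],
        "additionalProperties": False}}}

TYPES = {"string": str, "object": dict, "array": list, "number": (int, float)}

def _resolve(ref):
    node = SCHEMA
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node

def errors(inst, schema, path="$"):
    """Return the list of violations of schema by inst (empty list == valid)."""
    if "$ref" in schema:
        return errors(inst, _resolve(schema["$ref"]), path)
    t = schema.get("type")
    if t and (isinstance(inst, bool) or not isinstance(inst, TYPES[t])):
        return [f"{path}: expected {t}"]
    if "enum" in schema and inst not in schema["enum"]:
        return [f"{path}: {inst!r} is not an allowed value"]
    errs = []
    # "pattern" is unanchored in JSON Schema, hence re.search, not fullmatch.
    if "pattern" in schema and not re.search(schema["pattern"], inst):
        errs.append(f"{path}: does not match pattern")
    if schema.get("format") == "date-time":  # the check Figure 10 delegates
        try:
            datetime.fromisoformat(inst.replace("Z", "+00:00"))
        except ValueError:
            errs.append(f"{path}: not an RFC 3339 date-time")
    if isinstance(inst, dict):
        props = schema.get("properties", {})
        errs += [f"{path}: missing required {k}"
                 for k in schema.get("required", []) if k not in inst]
        for k, v in inst.items():
            if k in props:
                errs += errors(v, props[k], f"{path}.{k}")
            elif schema.get("additionalProperties") is False:
                errs.append(f"{path}: unexpected property {k}")
    if isinstance(inst, list):
        if len(inst) < schema.get("minItems", 0):
            errs.append(f"{path}: needs at least {schema['minItems']} items")
        for i, v in enumerate(inst):
            errs += errors(v, schema.get("items", {}), f"{path}[{i}]")
    if "oneOf" in schema:
        hits = sum(1 for s in schema["oneOf"] if not errors(inst, s, path))
        if hits != 1:
            errs.append(f"{path}: matched {hits} oneOf alternatives, need 1")
    return errs

def validate_incident(doc):
    return errors(doc, {"$ref": "#/definitions/Incident"})

# Constructed sample; the incident ID, names and address are invented.
INCIDENT = {
    "purpose": "reporting",
    "IncidentID": {"id": "189493", "name": "csirt.example.com"},
    "GenerationTime": "2020-03-01T10:00:00Z",
    "Contact": [{"role": "creator", "type": "organization",
                 "ContactName": ["Example CSIRT"],
                 "Email": [{"EmailTo": "team@csirt.example.com"}]}],
}

if __name__ == "__main__":
    print("valid:", validate_incident(INCIDENT) == [])
    for e in validate_incident(dict(INCIDENT, Severity="high",
                                    GenerationTime="yesterday")):
        print(e)
```

   Two things the run makes visible.  "additionalProperties": false
   means a field the schema does not list (Severity in the second
   document) is rejected rather than silently carried along, which is
   the behaviour a receiver wants before acting on an incident report.
   And "pattern" in JSON Schema is unanchored, so the IDtype pattern in
   Appendix B accepts "9abc" (the match starts at the second character)
   where the XML Schema facets behind RFC 7970 would not; an
   implementation that needs identifiers to be strict has to anchor the
   expression with "^" and "$".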
   +--------------+-------------+----------+------------------+
   | CDDL Prelude | Use of JSON | Instance | Validation       |
   +--------------+-------------+----------+------------------+
   | bytes        | n/a         | string   | tool available   |
   | text         | string      | string   | unnecessary      |
   | tdate        | n/a         | string   | 7.3.1 date-time  |
   | integer      | n/a         | number   | integer          |
   | eb64legacy   | n/a         | string   | tool available   |
   | uri          | n/a         | string   | 7.3.6 uri        |
   | float32      | float32     | number   | unnecessary      |
   +--------------+-------------+----------+------------------+

                 Figure 10: CDDL Prelude mapping in JSON

Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema
   [I-D.handrews-json-schema-validation] that defines the IODEF data
   model defined in this draft.  Note that this section is informative.

   {
     "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing", "contact-source-site",
         "contact-target-site", "contact-sender", "investigate",
         "block-host", "block-network", "block-port", "rate-limit-host",
         "rate-limit-network", "rate-limit-port", "redirect-traffic",
         "honeypot", "upgrade-software", "rebuild-asset", "harden-asset",
         "remediate-other", "status-triage", "status-new-info",
         "watch-and-report", "training", "defined-coa", "other",
         "ext-value"]},
       "duration": {"enum": ["second", "minute", "hour", "day", "month",
         "quarter", "year", "ext-value"]},
       "SpecID": {
         "enum": ["urn:ietf:params:xml:ns:mile:mmdef:1.2", "private"]},
       "lang": {
         "type": "string",
         "pattern": "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback", "mitigation", "reporting", "watch",
         "other", "ext-value"]},
       "restriction": {"enum": ["public", "partner", "need-to-know",
         "private", "default", "white", "green", "amber", "red",
         "ext-value"]},
       "status": {"enum": ["new", "in-progress", "forwarded", "resolved",
         "future", "ext-value"]},
       "DATETIME": {"type": "string", "format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string",
         "pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
       "TimeZonetype": {
         "type": "string",
         "pattern": "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string", "pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
                   {"type": "object",
                    "properties": {
                      "value": {"type": "string"},
                      "lang": {"$ref": "#/definitions/lang"},
                      "translation-id": {"type": "string"}},
                    "required": ["value"],
                    "additionalProperties": false}]},
       "PositiveFloatType": {"type": "number", "minimum": 0},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype": {"enum": ["boolean", "byte", "bytes", "character",
             "json", "date-time", "ntpstamp", "integer", "portlist", "real",
             "string", "file", "path", "frame", "packet", "ipv4-packet",
             "ipv6-packet", "url", "csv", "winreg", "xml", "ext-value"],
             "default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction", "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value", "dtype"],
         "additionalProperties": false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom", "cpe", "swid", "ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes", "integer", "real", "string", "xml",
             "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "StructuredInfo": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Platform": {
             "type": "array",
             "items": {"$ref": "#/definitions/Platform"},
             "minItems": 1},
           "Scoring": {
             "type": "array",
             "items": {"$ref": "#/definitions/Scoring"},
             "minItems": 1}},
         "allOf": [
           {"required": ["SpecID"]},
           {"anyOf": [
             {"oneOf": [
               {"required": ["Reference"]},
               {"required": ["RawData"]}]},
             {"not": {"required": ["Reference", "RawData"]}}]}],
         "additionalProperties": false},
       "Platform": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Scoring": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref": "#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array",
             "items": {"$ref": "#/definitions/RelatedActivity"},
             "minItems": 1},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "GenerationTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {
             "type": "array",
             "items": {"$ref": "#/definitions/Assessment"},
             "minItems": 1},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "Indicator": {
             "type": "array",
             "items": {"$ref": "#/definitions/Indicator"},
             "minItems": 1},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID", "GenerationTime", "Contact", "purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["id", "name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "ThreatActor": {
             "type": "array",
             "items": {"$ref": "#/definitions/ThreatActor"},
             "minItems": 1},
           "Campaign": {
             "type": "array",
             "items": {"$ref": "#/definitions/Campaign"},
             "minItems": 1},
           "IndicatorID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IndicatorID"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum": ["creator", "reporter", "admin", "tech", "provider",
               "user", "billing", "legal", "irt", "abuse", "cc", "cc-irt",
               "leo", "vendor", "vendor-support", "victim",
               "victim-notified", "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {"enum": ["person", "organization", "ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "ContactName": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "ContactTitle": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "RegistryHandle": {
             "type": "array",
             "items": {"$ref": "#/definitions/RegistryHandle"},
             "minItems": 1},
           "PostalAddress": {
             "type": "array",
             "items": {"$ref": "#/definitions/PostalAddress"},
             "minItems": 1},
           "Email": {
             "type": "array",
             "items": {"$ref": "#/definitions/Email"},
             "minItems": 1},
           "Telephone": {
             "type": "array",
             "items": {"$ref": "#/definitions/Telephone"},
             "minItems": 1},
           "Timezone": {"$ref": "#/definitions/TimeZonetype"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["role", "type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic", "apnic", "arin", "lacnic", "ripe",
               "afrinic", "local", "ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["handle", "registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {"enum": ["street", "mailing", "ext-value"]},
           "ext-type": {"type": "string"},
           "PAddress": {"$ref": "#/definitions/PAddressType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {"enum": ["direct", "hotline", "ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {"enum": ["wired", "mobile", "fax", "hotline",
             "ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum": ["nidps", "hips", "siem", "av", "third-party-monitoring",
               "incident", "os-log", "application-log", "device-log",
               "network-flow", "passive-dns", "investigation", "audit",
               "internal-notification", "external-notification", "leo",
               "partner", "actor", "unknown", "ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "DetectionPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/DetectionPattern"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DetectionConfiguration": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1}},
         "allOf": [
           {"required": ["Application"]},
           {"oneOf": [
             {"required": ["Description"]},
             {"required": ["DetectionConfiguration"]}]}],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AttackPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "Vulnerability": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "Weakness": {
             "type": "array",
             "items": {"$ref": "#/definitions/StructuredInfo"},
             "minItems": 1},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {"$ref": "#/definitions/ReferenceName"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "ReferenceName": {
         "type": "object",
         "properties": {
           "specIndex": {"type": "number"},
           "ID": {"$ref": "#/definitions/IDtype"}},
         "required": ["specIndex", "ID"],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum": ["actual", "potential"]},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Impact": {
             "type": "array",
             "items": {
               "properties": {
                 "SystemImpact": {"$ref": "#/definitions/SystemImpact"},
                 "BusinessImpact": {"$ref": "#/definitions/BusinessImpact"},
                 "TimeImpact": {"$ref": "#/definitions/TimeImpact"},
                 "MonetaryImpact": {"$ref": "#/definitions/MonetaryImpact"},
                 "IntendedImpact": {"$ref": "#/definitions/BusinessImpact"}},
               "additionalProperties": false},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "MitigatingFactor": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Cause": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {"$ref": "#/definitions/ExtensionTypeList"}},
         "required": ["Impact"],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum": ["low", "medium", "high"]},
"completion": {"enum":["failed","succeeded"]}, 2951 "type": { 2952 "enum":["takeover-account","takeover-service", 2953 "takeover-system","cps-manipulation","cps-damage", 2954 "availability-data","availability-account", 2955 "availability-service","availability-system", 2956 "damaged-system","damaged-data","breach-proprietary", 2957 "breach-privacy","breach-credential", 2958 "breach-configuration","integrity-data", 2959 "integrity-configuration","integrity-hardware", 2960 "traffic-redirection","monitoring-traffic", 2961 "monitoring-host","policy","unknown","ext-value"]}, 2962 "ext-type": {"type": "string"}, 2963 "Description": { 2964 "type": "array", 2965 "items": {"$ref": "#/definitions/MLStringType"}, 2966 "minItems": 1}}, 2967 "required": ["type"], 2968 "additionalProperties": false}, 2969 "BusinessImpact": { 2970 "type": "object", 2971 "properties": { 2972 "severity": {"enum":["none","low","medium","high","unknown", 2973 "ext-value"],"default": "unknown"}, 2974 "ext-severity": {"type":"string"}, 2975 "type": {"enum":["breach-proprietary","breach-privacy", 2976 "breach-credential","loss-of-integrity","loss-of-service", 2977 "theft-financial","theft-service","degraded-reputation", 2978 "asset-damage","asset-manipulation","legal","extortion", 2979 "unknown","ext-value"]}, 2980 "ext-type": {"type": "string"}, 2981 "Description": { 2982 "type": "array", 2983 "items": {"$ref": "#/definitions/MLStringType"}, 2984 "minItems": 1}}, 2985 "required": ["type"], 2986 "additionalProperties": false}, 2987 "TimeImpact": { 2988 "type": "object", 2989 "properties": { 2990 "value": {"$ref": "#/definitions/PositiveFloatType"}, 2991 "severity": {"enum": ["low","medium","high"]}, 2992 "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, 2993 "ext-metric": {"type": "string"}, 2994 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 2995 "ext-duration": {"type": "string"}}, 2996 "required": ["value","metric"], 2997 "additionalProperties": false}, 2999 
"MonetaryImpact": { 3000 "type": "object", 3001 "properties": { 3002 "value": {"$ref": "#/definitions/PositiveFloatType"}, 3003 "severity": {"enum":["low","medium","high"]}, 3004 "currency": {"type": "string"}}, 3005 "required": ["value"], 3006 "additionalProperties": false}, 3007 "Confidence": { 3008 "type": "object", 3009 "properties": { 3010 "value": {"type": "number"}, 3011 "rating": {"enum": ["low","medium","high","numeric","unknown", 3012 "ext-value"]}, 3013 "ext-rating": {"type":"string"}}, 3014 "required": ["value","rating"], 3015 "additionalProperties": false}, 3016 "History": { 3017 "type": "object", 3018 "properties": { 3019 "restriction": {"$ref": "#/definitions/restriction", 3020 "default": "private"}, 3021 "ext-restriction": {"type": "string"}, 3022 "HistoryItem": { 3023 "type": "array", 3024 "items": {"$ref": "#/definitions/HistoryItem"}, 3025 "minItems": 1}}, 3026 "required": ["HistoryItem"], 3027 "additionalProperties": false}, 3028 "HistoryItem": { 3029 "type": "object", 3030 "properties": { 3031 "action": {"$ref": "#/definitions/action","default": "other"}, 3032 "ext-action": {"type": "string"}, 3033 "restriction": {"$ref": "#/definitions/restriction", 3034 "default": "private"}, 3035 "ext-restriction": {"type": "string"}, 3036 "observable-id": {"$ref": "#/definitions/IDtype"}, 3037 "DateTime": {"$ref": "#/definitions/DATETIME"}, 3038 "IncidentID": {"$ref": "#/definitions/IncidentID"}, 3039 "Contact": {"$ref": "#/definitions/Contact"}, 3040 "Description": { 3041 "type": "array", 3042 "items": {"$ref": "#/definitions/MLStringType"}, 3043 "minItems": 1}, 3044 "DefinedCOA": { 3045 "type": "array", 3046 "items": {"type": "string"}, 3047 "minItems": 1}, 3048 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3049 "required": ["DateTime","action"], 3050 "additionalProperties": false}, 3051 "EventData": { 3052 "type": "object", 3053 "properties": { 3054 "restriction": {"$ref": "#/definitions/restriction", 3055 "default": "private"}, 3056 
"ext-restriction": {"type": "string"}, 3057 "observable-id": {"$ref": "#/definitions/IDtype"}, 3058 "Description": {"type": "array", 3059 "items": { "$ref":"#/definitions/MLStringType"}}, 3060 "DetectTime": {"$ref": "#/definitions/DATETIME"}, 3061 "StartTime": {"$ref": "#/definitions/DATETIME"}, 3062 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3063 "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 3064 "ReportTime": {"$ref": "#/definitions/DATETIME"}, 3065 "Contact": { 3066 "type": "array", 3067 "items": {"$ref": "#/definitions/Contact"}, 3068 "minItems": 1}, 3069 "Discovery": { 3070 "type": "array", 3071 "items": {"$ref": "#/definitions/Discovery"}, 3072 "minItems": 1}, 3073 "Assessment": {"$ref": "#/definitions/Assessment"}, 3074 "Method": { 3075 "type": "array", 3076 "items": {"$ref": "#/definitions/Method"}, 3077 "minItems": 1}, 3078 "System": { 3079 "type": "array", 3080 "items": {"$ref": "#/definitions/System"}, 3081 "minItems": 1}, 3082 "Expectation": { 3083 "type": "array", 3084 "items": {"$ref": "#/definitions/Expectation"}, 3085 "minItems": 1}, 3086 "RecordData": { 3087 "type": "array", 3088 "items": {"$ref": "#/definitions/RecordData"}, 3089 "minItems": 1}, 3090 "EventData": { 3091 "type": "array", 3092 "items": {"$ref": "#/definitions/EventData"}, 3093 "minItems": 1}, 3094 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3096 "required": [], 3097 "additionalProperties": false}, 3098 "Expectation": { 3099 "type": "object", 3100 "properties": { 3101 "action": {"$ref":"#/definitions/action","default": "other"}, 3102 "ext-action": {"type": "string"}, 3103 "severity": {"enum": ["low","medium","high"]}, 3104 "restriction": {"$ref": "#/definitions/restriction", 3105 "default": "default"}, 3106 "ext-restriction": {"type": "string"}, 3107 "observable-id": {"$ref": "#/definitions/IDtype"}, 3108 "Description": { 3109 "type": "array", 3110 "items": {"$ref": "#/definitions/MLStringType"}, 3111 "minItems": 1}, 3112 "DefinedCOA": { 3113 "type": 
"array", 3114 "items": {"type": "string"}, 3115 "minItems": 1}, 3116 "StartTime": {"$ref": "#/definitions/DATETIME"}, 3117 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3118 "Contact": {"$ref": "#/definitions/Contact"}}, 3119 "required": [], 3120 "additionalProperties": false}, 3121 "System": { 3122 "type": "object", 3123 "properties": { 3124 "category": { 3125 "enum": ["source","target","intermediate","sensor", 3126 "infrastructure","ext-value"]}, 3127 "ext-category": {"type": "string"}, 3128 "interface": {"type": "string"}, 3129 "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, 3130 "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, 3131 "ownership": { 3132 "enum":["organization","personal","partner","customer", 3133 "no-relationship","unknown","ext-value"]}, 3134 "ext-ownership": {"type": "string"}, 3135 "restriction": {"$ref": "#/definitions/restriction", 3136 "default": "private"}, 3137 "ext-restriction": {"type": "string"}, 3138 "observable-id": {"$ref": "#/definitions/IDtype"}, 3139 "Node": {"$ref": "#/definitions/Node"}, 3140 "NodeRole": { 3141 "type": "array", 3142 "items": {"$ref": "#/definitions/NodeRole"}, 3143 "minItems": 1}, 3145 "Service": { 3146 "type": "array", 3147 "items": {"$ref": "#/definitions/Service"}, 3148 "minItems": 1}, 3149 "OperatingSystem": { 3150 "type": "array", 3151 "items": {"$ref": "#/definitions/SoftwareType"}, 3152 "minItems": 1}, 3153 "Counter": { 3154 "type": "array", 3155 "items": {"$ref": "#/definitions/Counter"}, 3156 "minItems": 1}, 3157 "AssetID": { 3158 "type": "array", 3159 "items": {"type": "string"}, 3160 "minItems": 1}, 3161 "Description": { 3162 "type": "array", 3163 "items": {"$ref": "#/definitions/MLStringType"}, 3164 "minItems": 1}, 3165 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3166 "required": ["Node"], 3167 "additionalProperties": false}, 3168 "Node": { 3169 "type": "object", 3170 "properties": { 3171 "DomainData": { 3172 "type": "array", 3173 "items": 
{"$ref": "#/definitions/DomainData"}, 3174 "minItems": 1}, 3175 "Address": { 3176 "type": "array", 3177 "items": {"$ref": "#/definitions/Address"}, 3178 "minItems": 1}, 3179 "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, 3180 "Location": { 3181 "type": "array", 3182 "items": {"$ref": "#/definitions/MLStringType"}, 3183 "minItems": 1}, 3184 "Counter": { 3185 "type":"array", 3186 "items":{"$ref":"#/definitions/Counter"}, 3187 "minItems": 1}}, 3188 "anyOf": [ 3189 {"required": ["DomainData"]}, 3190 {"required": ["Address"]} 3191 ], 3192 "additionalProperties": false}, 3194 "Address": { 3195 "type": "object", 3196 "properties": { 3197 "value": {"type": "string"}, 3198 "category": { 3199 "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", 3200 "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", 3201 "ipv6-net-masked","mac","site-uri","ext-value"], 3202 "default": "ipv6-addr"}, 3203 "ext-category": {"type": "string"}, 3204 "vlan-name": {"type": "string"}, 3205 "vlan-num": {"type": "number"}, 3206 "observable-id": {"$ref": "#/definitions/IDtype"}}, 3207 "required": ["value","category"], 3208 "additionalProperties": false}, 3209 "NodeRole": { 3210 "type": "object", 3211 "properties": { 3212 "category": { 3213 "enum":["client","client-enterprise","client-partner", 3214 "client-remote","client-kiosk","client-mobile", 3215 "server-internal","server-public","www","mail","webmail", 3216 "messaging","streaming","voice","file","ftp","p2p","name", 3217 "directory","credential","print","application","database", 3218 "backup","dhcp","assessment","source-control", 3219 "config-management","monitoring","infra","infra-firewall", 3220 "infra-router","infra-switch","camera","proxy", 3221 "remote-access","log","virtualization","pos", "scada", 3222 "scada-supervisory","sinkhole","honeypot","anomyzation", 3223 "c2-server","malware-distribution","drop-server", 3224 "hop-point","reflector","phishing-site", 3225 "spear-phishing-site","recruiting-site","fraudulent-site", 3226 
"ext-value"]}, 3227 "ext-category": {"type": "string"}, 3228 "Description": { 3229 "type": "array", 3230 "items": {"$ref": "#/definitions/MLStringType"}, 3231 "minItems": 1}}, 3232 "required": ["category"], 3233 "additionalProperties": false}, 3234 "Counter": { 3235 "type": "object", 3236 "properties": { 3237 "value": {"type": "number"}, 3238 "type": {"enum": ["count","peak","average","ext-value"]}, 3239 "ext-type": {"type": "string"}, 3240 "unit":{"enum":["byte","mbit","packet","flow","session","alert", 3241 "message","event","host","site","organization","ext-value"]}, 3243 "ext-unit": {"type": "string"}, 3244 "meaning": {"type": "string"}, 3245 "duration": {"$ref":"#/definitions/duration","default": "hour"}, 3246 "ext-duration": {"type": "string"}}, 3247 "required": ["value","type","unit"], 3248 "additionalProperties": false}, 3249 "DomainData": { 3250 "type": "object", 3251 "properties": { 3252 "system-status": { 3253 "enum": ["spoofed","fraudulent","innocent-hacked", 3254 "innocent-hijacked","unknown","ext-value"]}, 3255 "ext-system-status": {"type": "string"}, 3256 "domain-status": { 3257 "enum": [ "reservedDelegation","assignedAndActive", 3258 "assignedAndInactive","assignedAndOnHold","revoked", 3259 "transferPending","registryLock","registrarLock", 3260 "other","unknown","ext-value"]}, 3261 "ext-domain-status": {"type": "string"}, 3262 "observable-id": {"$ref": "#/definitions/IDtype"}, 3263 "Name": {"type": "string"}, 3264 "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, 3265 "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, 3266 "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, 3267 "RelatedDNS": { 3268 "type": "array", 3269 "items": {"$ref": "#/definitions/ExtensionType"}, 3270 "minItems": 1}, 3271 "NameServers": { 3272 "type": "array", 3273 "items": {"$ref": "#/definitions/NameServers"}, 3274 "minItems": 1}, 3275 "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, 3276 "required": ["Name","system-status","domain-status"], 
3277 "additionalProperties": false}, 3278 "NameServers": { 3279 "type": "object", 3280 "properties": { 3281 "Server": {"type": "string"}, 3282 "Address": { 3283 "type":"array", 3284 "items":{"$ref":"#/definitions/Address"}, 3285 "minItems": 1}}, 3286 "required": ["Server","Address"], 3287 "additionalProperties": false}, 3288 "DomainContacts": { 3289 "type": "object", 3290 "properties": { 3291 "SameDomainContact": {"type": "string"}, 3292 "Contact": { 3293 "type":"array", 3294 "items":{"$ref":"#/definitions/Contact"}, 3295 "minItems": 1}}, 3296 "oneOf": [ 3297 {"required": ["SameDomainContact"]}, 3298 {"required": ["Contact"]}], 3299 "additionalProperties": false}, 3300 "Service": { 3301 "type": "object", 3302 "properties": { 3303 "ip-protocol": {"type": "number"}, 3304 "observable-id": {"$ref": "#/definitions/IDtype"}, 3305 "ServiceName": {"$ref": "#/definitions/ServiceName"}, 3306 "Port": {"type": "number"}, 3307 "Portlist": {"$ref": "#/definitions/PortlistType"}, 3308 "ProtoCode": {"type": "number"}, 3309 "ProtoType": {"type": "number"}, 3310 "ProtoField": {"type": "number"}, 3311 "ApplicationHeaderField":{ 3312 "$ref":"#/definitions/ExtensionTypeList"}, 3313 "EmailData": {"$ref": "#/definitions/EmailData"}, 3314 "Application": {"$ref": "#/definitions/SoftwareType"}}, 3315 "required": [], 3316 "additionalProperties": false}, 3317 "ServiceName": { 3318 "type": "object", 3319 "properties": { 3320 "IANAService": {"type": "string"}, 3321 "URL": { 3322 "type": "array","items": {"$ref": "#/definitions/URLtype"}}, 3323 "Description": { 3324 "type": "array", 3325 "items": {"$ref": "#/definitions/MLStringType"}, 3326 "minItems": 1}}, 3327 "required": [], 3328 "additionalProperties": false}, 3329 "EmailData": { 3330 "type": "object", 3331 "properties": { 3332 "observable-id": {"$ref": "#/definitions/IDtype"}, 3333 "EmailTo": { 3334 "type": "array", 3335 "items": {"type": "string"}, 3336 "minItems": 1}, 3337 "EmailFrom": {"type": "string"}, 3338 "EmailSubject": {"type": 
"string"}, 3339 "EmailX-Mailer": {"type": "string"}, 3340 "EmailHeaderField": { 3341 "type": "array", 3342 "items": {"$ref": "#/definitions/ExtensionType"}, 3343 "minItems": 1}, 3344 "EmailHeaders": {"type": "string"}, 3345 "EmailBody": {"type": "string"}, 3346 "EmailMessage": {"type": "string"}, 3347 "HashData": { 3348 "type": "array", 3349 "items": {"$ref": "#/definitions/HashData"}, 3350 "minItems": 1}, 3351 "Signature": { 3352 "type": "array", 3353 "items": {"$ref": "#/definitions/BYTE"}, 3354 "minItems": 1}}, 3355 "required": [], 3356 "additionalProperties": false}, 3357 "RecordData": { 3358 "type": "object", 3359 "properties": { 3360 "restriction": {"$ref": "#/definitions/restriction", 3361 "default": "private"}, 3362 "ext-restriction": {"type": "string"}, 3363 "observable-id": {"$ref": "#/definitions/IDtype"}, 3364 "DateTime": {"$ref": "#/definitions/DATETIME"}, 3365 "Description": { 3366 "type": "array", 3367 "items": {"$ref": "#/definitions/MLStringType"}, 3368 "minItems": 1}, 3369 "Application": {"$ref": "#/definitions/SoftwareType"}, 3370 "RecordPattern": { 3371 "type": "array", 3372 "items": {"$ref": "#/definitions/RecordPattern"}, 3373 "minItems": 1}, 3374 "RecordItem": { 3375 "type": "array", 3376 "items": {"$ref": "#/definitions/ExtensionType"}, 3377 "minItems": 1}, 3378 "URL": { 3379 "type": "array", 3380 "items": {"$ref": "#/definitions/URLtype"}, 3381 "minItems": 1}, 3382 "FileData": { 3383 "type": "array", 3384 "items": {"$ref": "#/definitions/FileData"}, 3385 "minItems": 1}, 3386 "WindowsRegistryKeysModified": { 3387 "type": "array", 3388 "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, 3389 "minItems": 1}, 3390 "CertificateData": { 3391 "type":"array", 3392 "items":{"$ref":"#/definitions/CertificateData"}, 3393 "minItems": 1}, 3394 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3395 "required": [], 3396 "additionalProperties": false}, 3397 "RecordPattern": { 3398 "type": "object", 3399 "properties": { 3400 "value": 
{"type": "string"}, 3401 "type": {"enum": ["regex","binary","xpath","ext-value"], 3402 "default": "regex"}, 3403 "ext-type": {"type": "string"}, 3404 "offset": {"type": "number"}, 3405 "offsetunit": {"enum":["line","byte","ext-value"] , 3406 "default": "line"}, 3407 "ext-offsetunit": {"type": "string"}, 3408 "instance": {"type": "number"}}, 3409 "required": ["value","type"], 3410 "additionalProperties": false}, 3411 "WindowsRegistryKeysModified": { 3412 "type": "object", 3413 "properties": { 3414 "observable-id": {"$ref": "#/definitions/IDtype"}, 3415 "Key": { 3416 "type": "array", 3417 "items": {"$ref": "#/definitions/Key"}, 3418 "minItems": 1}}, 3419 "required": ["Key"], 3420 "additionalProperties": false}, 3421 "Key": { 3422 "type": "object", 3423 "properties": { 3424 "registryaction": {"enum": ["add-key","add-value","delete-key", 3425 "delete-value","modify-key","modify-value", 3426 "ext-value"]}, 3427 "ext-registryaction": {"type": "string"}, 3428 "observable-id": {"$ref": "#/definitions/IDtype"}, 3429 "KeyName": {"type":"string"}, 3430 "KeyValue": {"type": "string"}}, 3431 "required": ["KeyName"], 3432 "additionalProperties": false}, 3433 "CertificateData": { 3434 "type": "object", 3435 "properties": { 3436 "restriction": {"$ref": "#/definitions/restriction", 3437 "default": "private"}, 3438 "ext-restriction": {"type": "string"}, 3439 "observable-id": {"$ref": "#/definitions/IDtype"}, 3440 "Certificate": { 3441 "type": "array", 3442 "items": {"$ref": "#/definitions/Certificate"}, 3443 "minItems": 1}}, 3444 "required": ["Certificate"], 3445 "additionalProperties": false}, 3446 "Certificate": { 3447 "type": "object", 3448 "properties": { 3449 "observable-id": {"$ref": "#/definitions/IDtype"}, 3450 "X509Data": {"$ref": "#/definitions/BYTE"}, 3451 "Description": { 3452 "type": "array", 3453 "items": {"$ref": "#/definitions/MLStringType"}, 3454 "minItems": 1}}, 3455 "required": ["X509Data"], 3456 "additionalProperties": false}, 3457 "FileData": { 3458 "type": 
"object", 3459 "properties": { 3460 "restriction": {"$ref": "#/definitions/restriction"}, 3461 "ext-restriction": {"type": "string"}, 3462 "observable-id": {"$ref": "#/definitions/IDtype"}, 3463 "File": { 3464 "type": "array", 3465 "items": {"$ref": "#/definitions/File"}, 3466 "minItems": 1}}, 3467 "required": ["File"], 3468 "additionalProperties": false}, 3469 "File": { 3470 "type": "object", 3471 "properties": { 3472 "observable-id": {"$ref": "#/definitions/IDtype"}, 3473 "FileName": {"type": "string"}, 3474 "FileSize": {"type": "number"}, 3475 "FileType": {"type": "string"}, 3476 "URL": { 3477 "type": "array", 3478 "items": {"$ref": "#/definitions/URLtype"}, 3479 "minItems": 1}, 3480 "HashData": {"$ref": "#/definitions/HashData"}, 3481 "Signature": { 3482 "type": "array", 3483 "items": {"$ref": "#/definitions/BYTE"}, 3484 "minItems": 1}, 3485 "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, 3486 "FileProperties": { 3487 "type":"array", 3488 "items":{"$ref":"#/definitions/ExtensionType"}, 3489 "minItems": 1}}, 3490 "required": [], 3491 "additionalProperties": false}, 3492 "HashData": { 3493 "type": "object", 3494 "properties": { 3495 "scope": {"enum": ["file-contents","file-pe-section", 3496 "file-pe-iat","file-pe-resource","file-pdf-object", 3497 "email-hash","email-headers-hash","email-body-hash", 3498 "ext-value"]}, 3499 "HashTargetID": {"type": "string"}, 3500 "Hash": { 3501 "type": "array", 3502 "items": {"$ref": "#/definitions/Hash"}, 3503 "minItems": 1}, 3504 "FuzzyHash": { 3505 "type": "array", 3506 "items": {"$ref": "#/definitions/FuzzyHash"}, 3507 "minItems": 1}}, 3508 "required": ["scope"], 3509 "additionalProperties": false}, 3510 "Hash": { 3511 "type": "object", 3512 "properties": { 3513 "DigestMethod": {"$ref": "#/definitions/BYTE"}, 3514 "DigestValue": {"$ref": "#/definitions/BYTE"}, 3515 "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, 3516 "Application": {"$ref": "#/definitions/SoftwareType"}}, 3517 "required": 
["DigestMethod","DigestValue"], 3518 "additionalProperties": false}, 3519 "FuzzyHash": { 3520 "type": "object", 3521 "properties": { 3522 "FuzzyHashValue": { 3523 "type": "array", 3524 "items": {"$ref": "#/definitions/ExtensionType"}, 3525 "minItems": 1}, 3526 "Application": {"$ref": "#/definitions/SoftwareType"}, 3527 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3528 "required": ["FuzzyHashValue"], 3529 "additionalProperties": false}, 3530 "Indicator": { 3531 "type": "object", 3532 "properties": { 3533 "restriction": {"$ref": "#/definitions/restriction", 3534 "default": "private"}, 3535 "ext-restriction": {"type": "string"}, 3536 "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, 3537 "AlternativeIndicatorID": { 3538 "type": "array", 3539 "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, 3540 "minItems": 1}, 3541 "Description": { 3542 "type": "array", 3543 "items": {"$ref": "#/definitions/MLStringType"}, 3544 "minItems": 1}, 3545 "StartTime": {"$ref": "#/definitions/DATETIME"}, 3546 "EndTime": {"$ref": "#/definitions/DATETIME"}, 3547 "Confidence": {"$ref": "#/definitions/Confidence"}, 3548 "Contact": { 3549 "type": "array", 3550 "items": {"$ref": "#/definitions/Contact"}, 3551 "minItems": 1}, 3552 "Observable": {"$ref": "#/definitions/Observable"}, 3553 "uid-ref": {"$ref": "#/definitions/IDREFType"}, 3554 "IndicatorExpression":{ 3555 "$ref":"#/definitions/IndicatorExpression"}, 3556 "IndicatorReference":{ 3557 "$ref": "#/definitions/IndicatorReference"}, 3558 "NodeRole": { 3559 "type": "array", 3560 "items": {"$ref": "#/definitions/NodeRole"}, 3561 "minItems": 1}, 3562 "AttackPhase": { 3563 "type": "array", 3564 "items": {"$ref": "#/definitions/AttackPhase"}, 3565 "minItems": 1}, 3566 "Reference": { 3567 "type": "array", 3568 "items": {"$ref": "#/definitions/Reference"}, 3569 "minItems": 1}, 3570 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3571 "allOf": [ 3572 {"required": ["IndicatorID"]}, 3573 {"oneOf": [ 3574 
{"required":["Observable"]}, 3575 {"required":["uid-ref"]}, 3576 {"required":["IndicatorExpression"]}, 3577 {"required":["IndicatorReference"]}]}], 3578 "additionalProperties": false}, 3580 "IndicatorID": { 3581 "type": "object", 3582 "properties": { 3583 "id": {"type": "string"}, 3584 "name": {"type": "string"}, 3585 "version": {"type": "string"}}, 3586 "required": ["id","name","version"], 3587 "additionalProperties": false}, 3588 "AlternativeIndicatorID": { 3589 "type": "object", 3590 "properties": { 3591 "restriction": {"$ref": "#/definitions/restriction", 3592 "default": "private"}, 3593 "ext-restriction": {"type": "string"}, 3594 "IndicatorID": { 3595 "type": "array", 3596 "items": {"$ref": "#/definitions/IndicatorID"}, 3597 "minItems": 1}}, 3598 "required": ["IndicatorID"], 3599 "additionalProperties": false}, 3600 "Observable": { 3601 "type": "object", 3602 "properties": { 3603 "restriction": {"$ref": "#/definitions/restriction", 3604 "default": "private"}, 3605 "ext-restriction": {"type": "string"}, 3606 "System": {"$ref": "#/definitions/System"}, 3607 "Address": {"$ref": "#/definitions/Address"}, 3608 "DomainData": {"$ref": "#/definitions/DomainData"}, 3609 "EmailData": {"$ref": "#/definitions/EmailData"}, 3610 "Service": {"$ref": "#/definitions/Service"}, 3611 "WindowsRegistryKeysModified": { 3612 "$ref": "#/definitions/WindowsRegistryKeysModified"}, 3613 "FileData": {"$ref": "#/definitions/FileData"}, 3614 "CertificateData": {"$ref": "#/definitions/CertificateData"}, 3615 "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, 3616 "RecordData": {"$ref": "#/definitions/RecordData"}, 3617 "EventData": {"$ref": "#/definitions/EventData"}, 3618 "Incident": {"$ref": "#/definitions/Incident"}, 3619 "Expectation": {"$ref": "#/definitions/Expectation"}, 3620 "Reference": {"$ref": "#/definitions/Reference"}, 3621 "Assessment": {"$ref": "#/definitions/Assessment"}, 3622 "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, 3623 "HistoryItem": 
{"$ref": "#/definitions/HistoryItem"}, 3624 "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, 3625 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3626 "oneOf": [ 3627 {"required":["System"]}, 3628 {"required":["Address"]}, 3629 {"required":["DomainData"]}, 3630 {"required":["EmailData"]}, 3631 {"required":["Service"]}, 3632 {"required":["WindowsRegistryKeysModified"]}, 3633 {"required":["FileData"]}, 3634 {"required":["CertificateData"]}, 3635 {"required":["RegistryHandle"]}, 3636 {"required":["RecordData"]}, 3637 {"required":["EventData"]}, 3638 {"required":["Incident"]}, 3639 {"required":["Expectation"]}, 3640 {"required":["Reference"]}, 3641 {"required":["Assessment"]}, 3642 {"required":["DetectionPattern"]}, 3643 {"required":["HistoryItem"]}, 3644 {"required":["BulkObservable"]}, 3645 {"required":["AdditionalData"]}], 3646 "additionalProperties": false}, 3647 "BulkObservable": { 3648 "type": "object", 3649 "properties": { 3650 "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", 3651 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", 3652 "mac","site-uri","domain-name","domain-to-ipv4", 3653 "domain-to-ipv6","domain-to-ipv4-timestamp", 3654 "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", 3655 "windows-reg-key","file-hash","email-x-mailer", 3656 "email-subject","http-user-agent","http-request-url", 3657 "mutex","file-path","user-name","ext-value"]}, 3658 "ext-type": {"type": "string"}, 3659 "BulkObservableFormat":{ 3660 "$ref": "#/definitions/BulkObservableFormat"}, 3661 "BulkObservableList": {"type": "string"}, 3662 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3663 "required": ["BulkObservableList"], 3664 "additionalProperties": false}, 3665 "BulkObservableFormat": { 3666 "type": "object", 3667 "properties": { 3668 "Hash": {"$ref": "#/definitions/Hash"}, 3669 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3670 "oneOf": [ 3671 {"required": ["Hash"]}, 3672 {"required": 
["AdditionalData"]} 3673 ], 3674 "additionalProperties": false}, 3675 "IndicatorExpression": { 3676 "type": "object", 3677 "properties": { 3678 "operator": {"enum": ["not","and","or","xor"],"default": "and"}, 3679 "ext-operator": {"type": "string"}, 3680 "IndicatorExpression": { 3681 "type": "array", 3682 "items": {"$ref": "#/definitions/IndicatorExpression"}, 3683 "minItems": 1}, 3684 "Observable": { 3685 "type": "array", 3686 "items": {"$ref": "#/definitions/Observable"}, 3687 "minItems": 1}, 3688 "uid-ref": { 3689 "type": "array", 3690 "items": {"$ref": "#/definitions/IDREFType"}, 3691 "minItems": 1}, 3692 "IndicatorReference": { 3693 "type": "array", 3694 "items": {"$ref": "#/definitions/IndicatorReference"}, 3695 "minItems": 1}, 3696 "Confidence": {"$ref":"#/definitions/Confidence"}, 3697 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3698 "required": [], 3699 "additionalProperties": false}, 3700 "IndicatorReference": { 3701 "type": "object", 3702 "properties": { 3703 "uid-ref": {"$ref":"#/definitions/IDREFType"}, 3704 "euid-ref": {"type": "string"}, 3705 "version": {"type": "string"}}, 3706 "oneOf": [ 3707 {"required": ["uid-ref"]}, 3708 {"required": ["euid-ref"]} 3709 ], 3710 "additionalProperties": false}, 3711 "AttackPhase": { 3712 "type": "object", 3713 "properties": { 3714 "AttackPhaseID": { 3715 "type": "array", 3716 "items": {"type": "string"}, 3717 "minItems": 1}, 3718 "URL": { 3719 "type": "array", 3720 "items": {"$ref": "#/definitions/URLtype"}, 3721 "minItems": 1}, 3722 "Description": { 3723 "type": "array", 3724 "items": {"$ref": "#/definitions/MLStringType"}, 3725 "minItems": 1}, 3726 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3727 "required": [], 3728 "additionalProperties": false}}, 3729 "title": "IODEF-Document", 3730 "description": "JSON schema for IODEF-Document class", 3731 "type": "object", 3732 "properties": { 3733 "version": {"type": "string"}, 3734 "lang": {"$ref": "#/definitions/lang"}, 3735 
"format-id": {"type": "string"}, 3736 "private-enum-name": {"type": "string"}, 3737 "private-enum-id": {"type": "string"}, 3738 "Incident": { 3739 "type": "array", 3740 "items": {"$ref": "#/definitions/Incident"}, 3741 "minItems": 1}, 3742 "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 3743 "required": ["version","Incident"], 3744 "additionalProperties": false} 3746 Figure 11: JSON schema 3748 Authors' Addresses 3750 Takeshi Takahashi 3751 National Institute of Information and Communications Technology 3752 4-2-1 Nukui-Kitamachi 3753 Koganei, Tokyo 184-8795 3754 Japan 3756 Phone: +81 42 327 5862 3757 Email: takeshi_takahashi@nict.go.jp 3759 Roman Danyliw 3760 CERT, Software Engineering Institute, Carnegie Mellon University 3761 4500 Fifth Avenue 3762 Pittsburgh, PA 3763 USA 3765 Email: rdd@cert.org 3766 Mio Suzuki 3767 National Institute of Information and Communications Technology 3768 4-2-1 Nukui-Kitamachi 3769 Koganei, Tokyo 184-8795 3770 Japan 3772 Email: mio@nict.go.jp