MILE T. Takahashi Internet-Draft M. Suzuki Intended status: Standards Track NICT Expires:March 30,May 14, 2018September 26,November 10, 2017 JSON binding of IODEFdraft-ietf-mile-jsoniodef-00draft-ietf-mile-jsoniodef-01 Abstract RFC 7970 [RFC7970] provides XML-based data representation on incident information, but the use of the IODEF data model is not limited to XML. JSON representation is sometimes preferred since it is easy to handle from certain programming environments. This draft represents the IODEF data model in JSON.Note that this 00 version draft is prepared for the purpose of encouraging discussion on the need for JSON representation.Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onMarch 30,May 14, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .34 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 2.TheIODEFInformation Model in JSONData Types . . . . . . . . . . . . .4 2.1. IODEF-Document Class. . . . . . . . . 4 2.1. Integers . . . . . . . . .4 2.2. Incident Class. . . . . . . . . . . . . . . 4 2.2. Real Numbers . . . . . .4 2.3. Common Attributes. . . . . . . . . . . . . . . . 4 2.3. Characters and Strings . . . .5 2.3.1. restriction Attribute. . . . . . . . . . . . . 4 2.4. Multilingual Strings . . .5 2.3.2. observable-id Attribute. . . . . . . . . . . . . . . 52.4. IncidentID Class2.5. Binary Strings . . . . . . . . . . . . . . . . . . . .6 2.5. AlternativeID Class. 5 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . .6 2.6. RelatedActivity Class. . 5 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . .6 2.7. ThreatActor Class. . 5 2.6. Enumerated Types . . . . . . . . . . . . . . . . . .7 2.8. Campaign Class. . 5 2.7. Date-Time String . . . . . . . . . . . . . . . . . . .7 2.9. Contact Class. 5 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . .7 2.9.1. RegistryHandle Class6 2.9. Port Lists . . . . . . . . . . . . . . . .8 2.9.2. PostalAddress Class. . . . . . . 6 2.10. Postal Address . . . . . . . . . .8 2.9.3. Email Class. . . . . . . . . . . 6 2.11. Telephone Number . . . . . . . . . .8 2.9.4. Telephone Class. . . . . . . . . . 6 2.12. Email String . . . . . . . . .9 2.10. Discovery Class. . . . . . . . . . . . . 6 2.13. Uniform Resource Locator Strings . . . . . . . .9 2.10.1. DetectionPattern Class. . . . 6 2.14. Identifiers and Identifier References . . . . . . . . . . 7 2.15. Software .9 2.11. Method Class. . . . . . . . . . . . . . . . . . . . . .9 2.11.1. Reference Class. 7 2.16. StructuredInfo . . . . . . . . . . . . . . . . .10 2.12. Assessment Class. . . . 7 3. The IODEF Information Model in JSON . . . . . . . . . . . . . 8 3.1. IODEF-Document Class . . .10 2.12.1. SystemImpact Class. . . . . . . . . . . . . . . 8 3.2. Incident Class . .10 2.12.2. BusinessImpact Class. . . . . . . . . . . . . . . .10 2.12.3. TimeImpact Class. . . 8 3.3. Common Attributes . . . . . . . . . . . . . . .11 2.12.4. MonetaryImpact Class. . . . . 9 3.3.1. restriction Attribute . . . . . . . . . . .11 2.12.5. Confidence Class. . . . . 9 3.3.2. observable-id Attribute . . . . . . . . . . . . .11 2.13. History Class. . 9 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . .11 2.13.1. HistoryItem9 3.5. AlternativeID Class . . . . . . . . . . . . . . . . .12 2.14. EventData Class .. . 10 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . .12 2.15. Expectation10 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . .13 2.16. System11 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . .. 13 2.17. Node11 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . .. 13 2.17.1. Address11 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . .. . . 14 2.17.2. NodeRole12 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 12 3.9.3. Email Class . .14 2.17.3. Counter Class. . . . . . . . . . . . . . . . . . .14 2.18. DomainData12 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . .. 14 2.18.1. Nameserver13 3.10. Discovery Class . . . . . . . . . . . . . . . . . .15 2.18.2. DomainContacts Class. . . 13 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . .15 2.19. Service14 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . .15 2.19.1. ServiceName14 3.11.1. Reference Class . . . . . . . . . . . . . . . . .16 2.19.2. ApplicationHeader. 15 3.12. Assessment Class . . . . . . . . . . . . . .16 2.20. EmailData Class. . . . . . 15 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . .16 2.21. Record. 15 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 16 3.12.3. TimeImpact Class . . . . . .16 2.21.1. RecordPattern Class. . . . . . . . . . . . 16 3.12.4. MonetaryImpact Class . . . .17 2.22. WindowsRegistryKeysModified Class. . . . . . . . . . . . 172.22.1. Key3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 17 3.13. History Class . . . .17 2.23. CertificateData Class. . . . . . . . . . . . . . . . . . 172.23.1. Certificate3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 182.24. FileData3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 182.24.1. File3.15. Expectation Class . . . . . . . . . . . . . . . . . . . ..192.25. HashData3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 192.25.1. Hash3.17. Node Class . . . . . . . . . . . . . . . . . . . . .19 2.25.2. FuzzyHash. . 20 3.17.1. Address Class . . . . . . . . . . . . . . . . . .19 2.26. SignatureData. 20 3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 202.27. Indicator3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21 3.18. DomainData Class . . . .20 2.27.1. IndicatorID. . . . . . . . . . . . . . . . 21 3.18.1. Nameserver Class . . . . . . . . . . . . . . . . .20 2.27.2. AlternativeIndicatorID. 22 3.18.2. DomainContacts Class . . . . . . . . . . . .21 2.27.3. Observable. . . . 22 3.19. Service Class . . . . . . . . . . . . . . . . . .21 2.27.4. IndicatorExpression. . . . 22 3.19.1. ServiceName Class . . . . . . . . . . . . .21 2.27.5. ObservableReference. . . . 23 3.19.2. ApplicationHeader Class . . . . . . . . . . . . .22 2.27.6. IndicatorReference. 23 3.20. EmailData Class . . . . . . . . . . . . . .22 2.27.7. AttackPhase. . . . . . . 23 3.21. Record Class . . . . . . . . . . . . . . . . .22 3. Notable differences from RFC 7970 (to be deleted). . . . . 24 3.21.1. RecordData Class .22 4. Examples. . . . . . . . . . . . . . . . . 24 3.21.2. RecordPattern Class . . . . . . . . .22 4.1. Minimal Example. . . . . . . 25 3.22. WindowsRegistryKeysModified Class . . . . . . . . . . . . 25 3.22.1. Key Class . .23 4.2. Indicators from a Campaign. . . . . . . . . . . . . . .23 5. The IODEF Data Model (JSON Schema). . . . 25 3.23. CertificateData Class . . . . . . . . .25 6. Acknowledgements. . . . . . . . . 26 3.23.1. Certificate Class . . . . . . . . . . . . .58 7. IANA Considerations. . . . 26 3.24. FileData Class . . . . . . . . . . . . . . . . .59 8. Security Considerations. . . . 27 3.24.1. File Class . . . . . . . . . . . . . . .59 9. References. . . . . . 27 3.25. HashData Class . . . . . . . . . . . . . . . . . . .59 9.1. Normative References. . 27 3.25.1. Hash Class . . . . . . . . . . . . . . . .59 9.2. Informative References. . . . . 28 3.25.2. FuzzyHash Class . . . . . . . . . . . .59 Authors' Addresses. . . . . . 28 3.26. SignatureData Class . . . . . . . . . . . . . . . . .60 1. Introduction RFC 7970 [RFC7970] defines an data model for sharing incident information. It facilitates automated exchange of information among parties over networks. The data model can be implemented in a form of XML, but it is not always suitable for implementation. JSON-based representation is often useful. Therefore, in this document, we provide a means to. . 28 3.27. Indicator Class . . . . . . . . . . . . . . . . . . . . . 29 3.27.1. IndicatorID Class . . . . . . . . . . . . . . . . . 30 3.27.2. AlternativeIndicatorID Class . . . . . . . . . . . . 30 3.27.3. Observable Class . . . . . . . . . . . . . . . . . . 30 3.27.4. BulkObservable Class . . . . . . . . . . . . . . . . 31 3.27.5. BulkObservableFormat Class . . . . . . . . . . . . . 31 3.27.6. IndicatorExpression Class . . . . . . . . . . . . . 32 3.27.7. ObservableReference Class . . . . . . . . . . . . . 32 3.27.8. IndicatorReference Class . . . . . . . . . . . . . . 32 3.27.9. AttackPhase Class . . . . . . . . . . . . . . . . . 33 4. Notable differences from RFC 7970 (to be deleted) . . . . . . 33 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33 5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 34 6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 36 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 55 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 9. Security Considerations . . . . . . . . . . . . . . . . . . . 55 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 10.1. Normative References . . . . . . . . . . . . . . . . . . 55 10.2. Informative References . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 1. Introduction RFC 7970 [RFC7970] defines an data model for sharing incident information. It facilitates automated exchange of information among parties over networks. The data model can be implemented in a form of XML, but it is not always suitable for implementation. JSON-based representation is often useful. Therefore, in this document, we provide a means to represent IODEF data model inJSON. 1.1. Requirements LanguageJSON. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. IODEF Data Types The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the JSON IODEF, with some syntax changes for some of the types. 2.1. Integers An integer is represented in the information model by the INTEGER data type. Integer data MUST be encoded in Base 10, and is implemented as an "integer" type per JSON schema [jsonschema]. 2.2. Real Numbers A real (floating-point) number is represented in the information model by the REAL data type. Real data MUST be encoded in Base 10, and is implemented in the data model as an "number" type per JSON schema [jsonschema]. 2.3. Characters and Strings A single character is represented in the information model by the CHARACTER data type. A string is represented by the STRING data type. Special characters MUST be encoded using entity references.The CHARACTER and STRING data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.4. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 6. Examples are shown below. "MLStringType": { "value": "free-form text", //STRING "lang": "en", //ENUM "translation-id": "jp2en0023" //STRING } 2.5. Binary Strings 2.5.1. Base64 Bytes A binary octet encoded with base64 is represented in the information model by the BYTE data type. A sequence of these octets is of the BYTE[] data type. The BYTE and BYTE[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.5.2. Hexadecimal Bytes A binary octet encoded as a character tuple consistent of two hexadecimal digits is represented in the information model by the HEXBIN data type. A sequence of these octets is of the HEXBIN[] data type. The HEXBIN and HEXBIN[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.6. Enumerated Types An enumerated type is represented in the information model by the ENUM data type. It is an ordered list of acceptable string values. Each value has a representative keyword. The ENUM data type is implemented in the data model as values of an enum array per JSON schema [jsonschema]. 2.7. Date-Time String A date-time string that describes a particular instant in time is represented in the information model by the DATETIME data type. Ranges are not supported. The DATETIME data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.8. Timezone String A timezone offset from UTC is represented in the information model by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The TIMEZONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.9. Port Lists A list of network ports is represented in the information model by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in the data model as an "string" type per JSON schema [jsonschema] 2.10. Postal Address A postal address is represented in the information model by the POSTAL data type. The format of the POSTAL data type is documented in Section 2.23 of [RFC4519] as a free-form multi-line string separated by the "$" character. The POSTAL data type is implemented in the data model as the aforementioned ML_STRING type. 2.11. Telephone Number A telephone number is represented in the information model by the PHONE data type. Thekey words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",format of the PHONE data type is documented in [E.164]. The PHONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.12. Email String An email address is represented in the information model by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322] and"OPTIONAL"Section 3.3 of [RFC6531]. The EMAIL data type is implemented inthisthe data model as an "string" type per JSON schema [jsonschema]. 2.13. Uniform Resource Locator Strings A uniform resource locator (URL) is represented in the information model by the URL data type. The format of the URL data type is documented in [RFC3986]. The URL data type is implemented as an "string" type per JSON schema [jsonschema]. 2.14. Identifiers and Identifier References An identifier unique to the IODEF documentareis represented in the information model by the ID data type. A reference tobe interpretedthis identifier is represented by the IDREF data type. These data types are implemented in the model as an "string" type per JSON schema [jsonschema]. 2.15. Software A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined inRFC 2119 [RFC2119]. 2.Section 6. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, //SoftwareReference "Description": {"value":"MS Windows"}, //ML_STRING } 2.16. StructuredInfo Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that this type was originally specified in RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInformation": { "SpecID": "cve", //ENUM "ContentID": "CVE-2007-5000", //STRING } When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInformation": { "SpecID": "oval", //ENUM "RawData": "<<<strings encoded with base64>>>", //STRING } 3. The IODEF Information Model in JSON The data model of IODEF is defined in RFC 7970 [RFC7970], and this section illustrates their representations in JSON. Note that the complete JSON schema is defined in Section5. 2.1.6. 3.1. IODEF-Document ClassThe IODEF-DocumentThis class is the top level class in the IODEF data model.ThisIts classis defined in Section 3.1 of RFC 7970 [RFC7970] and has the following fields: "version", "lang", "format-id", "private-enum-name", "private-enum-id", "Incident",elements and"AdditionalData". Anan example are shown below. See Section 3.1 ofthis class in JSON is as follows. Note that JSON representation in this draft treats attributes and elements of each class defined inRFC 7970 [RFC7970]equally and is agnostic onfor theorderintended meanings oftheir appearances.these elements. Class elements: version, lang?, format-id?, private-enum-name?, private-enum-id?, Incident+, AdditionalData* Example: "IODEF-Document": { "version":"2.0","2.1", //STRING "lang": "en", //ENUM "format-id":"RFC7970","RFC7970-json", //STRING "Incident": [ ... ] //Incident }Figure 1: IODEF-Document Class in JSON 2.2.3.2. Incident Class The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents.ThisIts classis defined inelements and an example are shown below. See Section 3.2 of RFC 7970[RFC7970]. It has[RFC7970] for thefollowing fields: "purpose", "lang", "restriction", "ext- restriction", "IncidentID", "RelatedActivity", "GenrationTime", "Description", "Assessment", "Methods", "Contact", "EventData", "IndicatorData", "History", and "AdditionalData". An exampleintended meanings ofthis class in JSON is as follows.these elements. Class elements: purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, ext-restriction?, observable-id?, IncidentID, AlternativeID?, RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, GenrationTime?, Description*, Discovery*, Assessment*, Method*, Contact+, EventData*, IndicatorData?, History?, AdditionalData* Example: "Incident": { "purpose": "reporting", //ENUM "lang": "en", //STRING "restriction": "green", //ENUM "IncidentID": { ... }, //IncidentID Class "RelatedActivity": [ ... ], //RelatedActivity Class "GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime "Description":["Incident class description field"],[{"value":"Incident in the HQ"}], //ML_STRING "Assessment": [ ... ], //Assessment "Method": [ ... ], //Method "Contact": [ ... ] //Contact "EventData": [ ... ], //EventData "IndicatorData": { ... } //IndicatorData "History": { ... }, //History "AdditionalData": [ ... ], //AdditionalData }Figure 2: Incident Class in JSON 2.3.3.3. Common Attributes There are a number of recurring attributes used in the information model. They are documented in this section.2.3.1.3.3.1. restriction Attribute RFC 7970 [RFC7970] defines the restriction Attribute as one of common attributes. It is defined as below: "restriction":{"enum": ["public", "partner", "need-to-know", "private", "default", "white", "green", "amber", "red", "ext-value"]}Figure 3: restrition in JSONNote that you must use "ext-restriction" field (STRING type) when the value of "restriction" field is set to "ext-value".The example on the use of the "ext-restriction" field is shown below. "restriction": "ext-value" // ENUM "ext-restriction": "registration required" // STRING Figure 4: ext-restrition in JSON 2.3.2.3.3.2. observable-id Attribute RFC 7970 [RFC7970] defines the observable-id attribute as one of common attributes. The value of this attribute is a uniqueidentifieridentifier, in string type, in the scope of the document.It is defined as below:"observable-id": {"type": "string"}, Figure 5: observable-id in JSON 2.4.3.4. IncidentID ClassThisThe classis defined inelements and an example are shown below. See Section 3.4 of RFC 7970[RFC7970]. It has[RFC7970] for thefollowing fields: "IncidentID", "id", "name", "instance", "restriction", and "ext-restriction". The example below represents how to describe this class in JSON.intended meanings of these elements. Class elements: id, name, instance?, restriction?, ext-restriction? Example: "IncidentID": { "id": "nict20150518-0001", // STRING "name": "NICT_cert", // STRING "instance": "cyberlab" // STRING "restriction": "ext-value" // ENUM "ext-restriction": "registration required" // STRING }Figure 6: IncidentID Class in JSON 2.5.3.5. AlternativeID ClassThisThe classis defined inelements and an example are shown below. See Section 3.5 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID+ Example: "AltervativeID": { "restriction": "private", //ENUM "IncidentID": [<<<omitted>>>] //IncidentID }Figure 7: AlternativeID Class in JSON 2.6.3.6. RelatedActivity ClassThisThe classis defined inelements and an example are shown below. See Section 3.6 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*, Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData* Example: "RelatedActivity": { "restriction": "private", //ENUM "ThreatActor":[[{...}], //ThreatActor{ "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", "Description": "Aggressive Butterfly" } ],class "Campaign":[[{...}] //Campaign{ "CampaignID": "C-2015-59405", "Description": "Orange Giraffe" } ]class }Figure 8: RelatedActivity Class in JSON 2.7.3.7. ThreatActor ClassThisThe classis defined inelements and an example are shown below. See Section 3.7 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, ThreatActorID*, URL*, Description*, AdditionalData* Example: "ThreatActor": { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING "Description":"Aggressive Butterfly"{"value":"Aggressive Butterfly"} //ML_STRING }Figure 9: ThreatActor Class in JSON 2.8.3.8. Campaign ClassThisThe classis defined inelements and an example are shown below. See Section 3.8 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, CampaignID*, URL*, Description*, AdditionalData* Example: "Campaign": { "CampaignID": "C-2015-59405", //STRING "Description":"Orange Giraffe"{"value":"Orange Giraffe"} //ML_STRING }Figure 10: Campaign Class in JSON 2.9.3.9. Contact ClassThisThe classis defined inelements and an example are shown below. See Section 3.9 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: role, ext-role?, type, ext-type?, restriction?, ext-restriction?, ContactName*, ContactTitle*, Description*, RegistryHandle*, PostalAddress*, Email*, Telephone*, Timezone?, Contact*, AdditionalData* Example: "Contact": {"type": "organization","role": "creator", //ENUM "type": "organization", //ENUM "ContactName":"CSIRT{"value":"CSIRT forexample.com",example.com"}, //ML_STRING "ContactTitle": {"value":"Senior Research Engineer"} //ML_STRING "email":{ "emailTo": "contact@csirt.example.com" } } Figure 11: Contact{...}, //Email Classin JSON 2.9.1."Telephone": {...}, //Telephone Class "Timezone": "+09:00" //TIMEZONE } 3.9.1. RegistryHandle ClassThisThe classis defined inelements and an example are shown below. See Section 3.9.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: handle, registry, ext-registry? Example: "RegistryHandle": {"RegistryHandleName":"handle": "MyAPNIC", //STRING "registry": "apnic", //ENUM }Figure 12: RegistryHandle Class in JSON 2.9.2.3.9.2. PostalAddress ClassThisThe classis defined inelements and an example are shown below. See Section 3.9.2 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, PAddress, Description* Example: "PostalAddress": { "type": "mailing", //ENUM "PAddress":"184-8795", "Description": "4-2-1 Nukui-Kitamachi"1-2-3 Kitamachi Koganei Tokyo,Japan"Japan", //POSTAL "Description": {"value":"Office address"} //ML_STRING },Figure 13: PostalAddress Class in JSON 2.9.3.3.9.3. Email ClassThisThe classis defined inelements and an example are shown below. See Section 3.9.3 ofRFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, EmailTo, Description* Example: "Email": { "type": "direct", //ENUM "emailTo":"contact@csirt.example.com""contact@csirt.example.com", //EMAIL "Description": {"value":"Administrator's address"} //ML_STRING },Figure 14: Email Class in JSON 2.9.4.3.9.4. Telephone ClassThisThe classis defined inelements and an example are shown below. See Section 3.9.4 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, TelephoneNumber, Description* Example: "Telephone": { "type": "wired", //ENUM "TelephoneNumber":"+81423275862""+818012345678", //PHONE "Description": {"value":"Admin's moble"} //ML_STRING },Figure 15: Telephone Class in JSON 2.10.3.10. Discovery ClassThisThe classis defined inelements and an example are shown below. See Section 3.10 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: source?, ext-source?, restriction?, ext-restriction?, Description*, Contact*, DetectionPattern* Example: "Discovery": { "source": "nidps", //ENUM "restriction": "need-to-know" //ENUM "Contact": {...}, //Contact class "DetectionPattern":{ "Application": { "Description": "Microsoft Win" }{...}, //DetectionPattern class "Description":{"value":"IDS provided an alert"} //ML_STRING } }Figure 16: Discovery Class in JSON 2.10.1.3.10.1. DetectionPattern ClassThisThe classis defined inelements and an example are shown below. See Section 3.10.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Application, Description*, DetectionConfiguration* Example: "DetectionPattern": { "Application":{{...}, //SOFTWARE "Description":"Microsoft Win"{"value":"The specified application needs to be reviewed"}, //ML_STRING } }Figure 17: DetectionPattern Class in JSON 2.11.3.11. Method ClassThisThe classis defined inelements and an example are shown below. See Section 3.11 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, Reference*, Description*, AttackPattern*, Vulnerability*, Weakness* Example: "Method": { "AttackPattern": {...} //StructuredInfo "Vulnerability":{}{...} //StructuredInfo }Figure 18: Method Class in JSON 2.11.1.3.11.1. Reference ClassThisThe classis defined inelements and an example are shown below. See Section 3.11.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: observable-id?, ReferenceName?, URL*, Description* Example: "Reference":{ "URL":"http://www.nict.go.jp" //URL }Figure 19: Reference Class in JSON 2.12.3.12. Assessment ClassThis class is defined in Section 3.12 of RFC 7970 [RFC7970].Theexample below represents how to describe thisclassin JSON.elements and an example are shown below. See Section 3.12 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: occurence?, restriction?, ext-restriction?, observable-id?, IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*, MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*, Cause*, Confidence?, AdditionalData* Example: "Assessment": { "SystemImpact": {...}, //SystemImpact class "BusinessImpact":{ "type": "breach-proprietary"{...}, //BusinessImpact class "TimeImpact": {...}, //TimeImpact class "MonetaryImpact": {...}, //MonetaryImpact class "IntendedImpact": {...}, //IntendedImpact class "Counter": "5", //Counter class "MitigationFactor": {"value":"Rebooting is required"}//ML_STRING "Cause": {"value":"Malware Infection"} //ML_STRING } }Figure 20: Assessment Class in JSON 2.12.1.3.12.1. SystemImpact ClassThisThe classis defined inelements and an example are shown below. See Section 3.12.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: severity?, completion?, type, ext-type?, Description* Example: "SystemImpact":{"severity":"low", "type":"unknown""severity":"high", //ENUM "completion": "successful" //ENUM "type":"integrity-data" //ENUM "Description":{"value":"The web page was falsified"} //ML_STRING },Figure 21: SystemImpact Class in JSON 2.12.2.3.12.2. BusinessImpact ClassThisThe classis defined inelements and an example are shown below. See Section 3.12.2 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: severity?, ext-severity?, type, ext-type?, Description* Example: "BusinessImpact": { "severity":"medium", //ENUM "completion": "successful" //ENUM "type":"breach-proprietary""degraded-reputation" //ENUM "Description":{"value":"The web page was falsified"} //ML_STRING }Figure 22: BusinessImpact Class in JSON 2.12.3.3.12.3. TimeImpact ClassThisThe classis defined inelements and an example are shown below. See Section 3.12.3 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: value, severity?, metric, ext-metric?, duration?, ext-duration? Example: "TimeImpact":{"value":"5 hours", "metric":"elapsed""time": "240" //REAL "metric": "elapsed" //ENUM "duration": "minutes" //ENUM }Figure 23: TimeImpact Class in JSON 2.12.4.3.12.4. MonetaryImpact ClassThisThe classis defined inelements and an example are shown below. See Section 3.12.4 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON. "MonetaryImpact":{} Figure 24: MonetaryImpact[RFC7970] for the intended meanings of these elements. Classin JSON 2.12.5.elements: value, severity?, currency? Example: "MonetaryImpact":{ "money": "10000", //REAL "severity": "medium", //ENUM "currency": "USD", //STRING } 3.12.5. Confidence ClassThisThe classis defined inelements and an example are shown below. See Section 3.12.5 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: value, rating, ext-rating? Example: "Confidence": { "value": "5" //REAL "rating": "medium" //ENUM }Figure 25: Confidence Class in JSON 2.13.3.13. History ClassThisThe classis defined inelements and an example are shown below. See Section 3.13 of RFC7970 [RFC7970]. The example below represents how to describe this class in JSON.7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, HistoryItem+ Example: "History": { "restriction": "need-to-know" //ENUM "HistoryItem": {"DateTime": "2015-10-15T11:18:00-05:00", "action": "investigate"... } //HistoryItem class },Figure 26: History Class in JSON 2.13.1.3.13.1. HistoryItem ClassThisThe classis defined inelements and an example are shown below. See Section 3.13.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: action, ext-action?, restriction?, ext-restriction?, observable-id?, DateTime, IncidentID?, Contact?, Description*, DefinedCOA*, AdditionalData* Example: "HistoryItem": {"DateTime": "2015-10-15T11:18:00-05:00","action": "investigate" //ENUM "restriction": "need-to-know" //ENUM "DateTime": "2015-10-15T11:18:00-05:00", //DateTime "IncidentID" { ...}, //IncidentID class }Figure 27: HistoryItem Class in JSON 2.14.3.14. EventData ClassThisThe classis defined inelements and an example are shown below. See Section 3.14 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Description*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*, Record?, EventData*, AdditionalData* Example: "EventData": { "ReportTime": "2016-06-01 18:05:33","System":"Contact": {"category": "source", "Node":...}, //Contact class "Assessment": {"Address":...}, //Assessment class "Method": {"category": "ipv4-addr", "AddressValue": "192.228.139.118" }, "Location": "OrgID=7" }, "Service":...}, //Method class "System": {"ip-protocol": 6, "Port": 49183 }... },Figure 28: EventData Class in JSON 2.15.//System class "Expectation": { ...}, //Expectation class 3.15. Expectation ClassThisThe classis defined inelements and an example are shown below. See Section 3.15 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: action?, ext-action?, severity?, restriction?, ext-restriction?, Description*, DefinedCOA*, StartTime?, EndTime?, Contact? Example: "Expectation": { "action": "investigate" //ENUM "severity": "medium" //ENUM "restriction": "need-to-know" //ENUM },Figure 29: Expectation Class in JSON 2.16.3.16. System ClassThisThe classis defined inelements and an example are shown below. See Section 3.17 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: category?, ext-category?, interface?, spoofed?, virtual?, ownership?, ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*, Service*, OperatingSystem*, Counter*, AssetID*, Description*, AdditionalData* Example: "System": { "category": "source", //ENUM "Node": {"Address": { "category": "ipv4-addr", "AddressValue": "192.228.139.118" }, "Location": "OrgID=7"... }, //Node class "Service": {"ip-protocol": 6, "Port": 49183 } Figure 30: System Class in JSON 2.17.... }, //Service class }, 3.17. Node ClassThis class is defined in Section 3.18 of RFC 7970 [RFC7970].Theexample below represents how to describe thisclassin JSON.elements and an example are shown below. See Section 3.18 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: DomainData*, Address*, PostalAddress?, Location*, Counter* Example: "Node": { "Address": {"category": "ipv4-addr", "AddressValue": "192.228.139.118"... },Figure 31: Node Class in JSON 2.17.1.//Address class "Location": {"value":"OrgID=7"} //ML_STRING } 3.17.1. Address ClassThisThe classis defined inelements and an example are shown below. See Section 3.18.1 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: value, category, ext-category?, vlan-name?, vlan-num?, observable-id? Example: "Address": { "value": """192.228.139.118", //STRING "category": "ipv4-addr","AddressValue": "192.228.139.118"//ENUM },Figure 32: Address Class in JSON 2.17.2.3.17.2. NodeRole ClassThisThe classis defined inelements and an example are shown below. See Section 3.18.2 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: category, ext-category?, Description* Example: "NodeRole": { "category": "client" //ENUM "Description": {"value":"The computer at room A"} //ML_STRING },Figure 33: NodeRole Class in JSON 2.17.3.3.17.3. Counter ClassThisThe classis defined inelements and an example are shown below. See Section 3.18.3 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext- duration? Example: "Counter": { "value": "3", //REAL "type": "count", //ENUM "unit": "packet" //ENUM "meaning": {"value":"The number of scan packets are counted"}, //ML_STRING }Figure 34: Counter Class in JSON 2.18.3.18. DomainData ClassThisThe classis defined inelements and an example are shown below. See Section 3.19 of RFC 7970[RFC7970]. The example below represents how to describe this class in JSON.[RFC7970] for the intended meanings of these elements. Class elements: system-status, ext-system-status?, domain-status, ext-domain-status?, observable-id?, Name, DateDomainWasChecked?, RegistrationDate?, ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts? Example: "DomainData": { "system-status": "innocent-hacked", //ENUM "domain-status": "assignedAndInactive", //STRING "Name": "temp1.nict.go.jp" //STRING },Figure 35: DomainData Class in JSON 2.18.1.3.18.1. Nameserver Class This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Server, Address* Example: "NameServers": { "Server": "vgw.nict.go.jp", //STRING "Address": { "AddressValue": "133.243.18.5", //STRING "category": "ipv4-addr" //ENUM } }Figure 36: Nameserver Class in JSON 2.18.2.3.18.2. DomainContacts Class This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: SameDomainContact?, Contact+ Example: "DomainContacts": { "Contact": { "role": "user", //ENUM "type": "organization" //ENUM } }Figure 37: DomainContacts Class in JSON 2.19.3.19. Service Class This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?, Application? Example: "Service": { "ServiceName": { "Description": "It seems to be a scan from an infected machine." }, "ip-protocol": 6, //INTEGER "Port": 49183 //INTEGER }Figure 38: Service Class in JSON 2.19.1.3.19.1. ServiceName Class This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: IANAService?, URL*, Description* Example: "ServiceName": { "IANAService": "telnet" //STRING "URL": "https://en.wikipedia.org/wiki/Telnet" //STRING "Description": "It seems to be a scan from an infected machine." //STRING },Figure 39: ServiceName Class in JSON 2.19.2.3.19.2. ApplicationHeader Class This class is defined in Section 3.20.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: ApplicationHeaderField+ Example: "ApplicationHeader": { "ApplicationHeaderField": {}Figure 40: ApplicationHeader} 3.20. EmailData Class This class is defined inJSON 2.20. EmailDataSection 3.21 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, HashData*, SignatureData* Example: "EmailData":{ "EmailTo": "user1@example.org" //EMAIL "EmailFrom": "user2@example.com" //EMAIL "EmailSubject": "example email" //STRING "EmailX-Mailer": "example mailer v1.1.0" //STRING "EmailBody": "example email" //STRING } 3.21. Record Class This class is defined in Section3.213.22 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON."EmailData":{} Figure 41: EmailDataClassin JSON 2.21. Recordelements: restriction?, ext-restriction?, RecordData+ Example: "Record": { "RecordData": { "RecordPattern": { "type": "regex", //ENUM "value": "[0-9][A-Z]" } }, "RecordItem": {} }, 3.21.1. RecordData Class This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON."Record":Class elements: restriction?, ext-restriction?, observable-id?, DateTime?, Description*, Application?, RecordPattern*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*, CertificateData*, AdditionalData* Example: "RecordData": { "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" } },"RecordItem": {} }, Figure 42: Record Class in JSON 2.21.1.3.21.2. RecordPattern Class This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, value Example: "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" },Figure 43: RecordPattern Class in JSON 2.22.3.22. WindowsRegistryKeysModified Class This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, Key+ Example: "WindowsRegistryKeysModified": { "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING } }Figure 44: WindowsRegistryKeysModified Class in JSON 2.22.1.3.22.1. Key Class This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: registryaction?, ext-registryaction?, observable-id?, KeyName, KeyValue? Example: "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING }Figure 45: Key Class in JSON 2.23.3.23. CertificateData Class This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, Certificate+ Example: "CertificateData": { "Certificate": { "X509Data":{ "X509IssuerSerial": { "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP", "X509SerialNumber": "12345678" }, "X509SKI": "31d97bd7" }"xxxxxxxx" //STRING } }Figure 46: CertificateData Class in JSON 2.23.1.3.23.1. Certificate Class This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The X509Data class contains base64 encoded form of X.509 certificate or chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON. Class elements: observable-id?, X509Data, Description* Example: "Certificate": { "X509Data":{ "X509IssuerSerial": { "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP", "X509SerialNumber": "12345678" }, "X509SKI": "31d97bd7" }"xxxxxxxx" //STRING }Figure 47: Certificate Class in JSON 2.24.3.24. FileData Class This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, File+ Example: "FileData": { "File": { "FileName": "dummy.exe" //STRING } },Figure 48: FileData Class in JSON 2.24.1.3.24.1. File Class This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, SignatureData?, AssociatedSoftware?, FileProperties* Example: "File": { "FileName": "dummy.exe" //STRING }Figure 49: File Class in JSON 2.25.3.25. HashData Class This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: scope, HashTargetID?, Hash*, FuzzyHash* Example: "HashData": { "scope": "file-contents", //ENUM "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING } }Figure 50: HashData Class in JSON 2.25.1.3.25.1. Hash Class This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: DigestMethod, DigestValue, CanonicalizationMethod?, Application? Example: "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING }Figure 51: Hash Class in JSON 2.25.2.3.25.2. FuzzyHash Class This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: FuzzyHashValue+, Application?, AdditionalData? Example: "FuzzyHash": { "FuzzyHashValue": {} }Figure 52: FuzzyHash Class in JSON 2.26.3.26. SignatureData Class This class is defined in Section 3.27 of RFC 7970 [RFC7970]. The Signature class contains base64 encoded form of signature as described in Section 4.2 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON. Class elements: Signature+ Example: "SignatureData": { "Signature": "xxxxxxxx" //STRING }Figure 53: SignatureData Class in JSON 2.27.3.27. Indicator Class This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*, Description*, StartTime?, EndTime?, Confidence?, Contact*, Observable?, ObservableReference?, IndicatorExpression?, IndicatorReference?, NodeRole*, AttackPhase*, Reference*, AdditionalData* Example: "Indicator": { "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1" //STRING }, "Description": "C2 domains", //ML_STRING "StartTime": "2014-12-02T11:18:00-05:00", //Datetime "Observable": { "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRIN ] } }Figure 54: Indicator Class in JSON 2.27.1.3.27.1. IndicatorID Class This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: id, name, version Example: "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1"}, Figure 55: IndicatorID Class in JSON 2.27.2.//STRING } 3.27.2. AlternativeIndicatorID Class This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, IndicatorReference+ Example: "AlternativeIndicatorID": { "IndicatorReference": { "uid-ref": "xxxxx" } },Figure 56: AlternativeIndicatorID Class in JSON 2.27.3.3.27.3. Observable Class This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, System?, Address?, DomainData?, Service?, EmailData?, WindowsRegistryKeysModified?, FileData?, CertificateData?, RegistryHandle?, RecordData?, EventData?, Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?, HistoryItem?, BulkObservable?, AdditionalData* Example: "Observable": { "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] } 3.27.4. BulkObservable Class This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: type?, ext-type?, BulkObservableFormat?, BulkObservableList, AdditionalData* Example: "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] 3.27.5. BulkObservableFormat Class This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Hash?, AdditionalData* Example: "BulkObservableFormat": { "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING }Figure 57: Observable Class in JSON 2.27.4.} 3.27.6. IndicatorExpression Class This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON."IndicatorExpression": {} Figure 58: IndicatorExpressionClassin JSON 2.27.5.elements: operator?, ext-operator?, IndicatorExpression*, Observable*, ObservableReference*, IndicatorReference*, Confidence?, AdditionalData* Example: "IndicatorExpression": { "ObservableReference": { "uid-ref": "xxxxx" } } 3.27.7. ObservableReference Class This class is defined in Section 3.29.6 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: uid-ref Example: "ObservableReference": { "uid-ref": "xxxxx" },Figure 59: ObservableReference Class in JSON 2.27.6.3.27.8. IndicatorReference Class This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: uid-ref?, euid-ref?, version? Example: "IndicatorReference": { "uid-ref": "xxxxx" }Figure 60: IndicatorReference Class in JSON 2.27.7.3.27.9. AttackPhase Class This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: AttackPhaseID*, URL*, Description*, AdditionalData* Example: "AttackPhase": { "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets." //ML_STRING }Figure 61: AttackPhase Class in JSON 3.4. Notable differences from RFC 7970 (to be deleted) o This document treats attributes and elements of each class defined in RFC 7970 [RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and EventData class now has the instance of System class. o Record class is deleted, and the link to the Record class are directly connected to RecordData class, which is then renamed to Record class.4.5. Examples This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information.4.1.5.1. Minimal Example A document containing only the mandatory elements and attributes. { "version": "2.0", "lang": "en", "Incident": [ { "purpose": "reporting", "restriction": "private", "IncidentID": { "id": 492382, "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [ { "type": "organization", "role": "creator", "email": { "emailTo": "contact@csirt.example.com" } } ] } ] }Figure 62: JSON representation example 1 4.2.5.2. Indicators from a Campaign An example of C2 domains from a given campaign. { "version": "2.0", "lang": "en", "Incidents": [ { "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [ { "ThreatActor": [ { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", "Description": "Aggressive Butterfly" } ], "Campaign": [ { "CampaignID": "C-2015-59405", "Description": "Orange Giraffe" } ] } ], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": [ "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." ], "Assessment": [ { "BusinessImpact": { "type": "breach-proprietary" } } ], "Contacts": [ { "type": "organization", "role": "creator", "ContactName": "CSIRT for example.com", "Email": { "emailTo": "contact@csirt.example.com" } } ], "IndicatorList": [ { "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": "C2 domains", "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { "type": "fqdn" }, "BulkObservableList": [ "kj290023j09r34.example.com", "09ijk23jfj0k8.example.net", "klknjwfjiowjefr923.example.org", "oimireik79msd.example.org" ] } } ] } ] }Figure 63: JSON representation example 2 5.6. The IODEF Data Model (JSON Schema) {{"$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site","contact-target-site", "contact-sender", "investigate","block-host","block-network", "block-port","rate-limit-host","rate-limit-network", "rate-limit-port","redirect-traffic","honeypot", "upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","ext-value"]}, "duration": {"enum": ["second","minute","hour","day","month","quarter", "year","ext-value"]}, "lang":{ "enum": [ "en", "jp" ] },{"enum": ["en","jp"]}, "purpose": {"enum": ["traceback","mitigation","reporting","watch","other", "ext-value"]}, "restriction":{ "enum": [ "public", "partner", "need-to-know", "private", "default", "white", "green", "amber", "red", "ext-value" ] },{"enum": ["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved","future", "ext-value"]}, "DATETIME": {"type": "string"}, "PORTLIST": {"type": "string"}, "URLtype":{ "type": "string" },{"type": "string"}, "IDtype":{ "type": "string" },{"type": "string"}, "ExtensionType": { "type": "object", "properties": { "name":{ "type": "string" },{"type": "string"}, "dtype":{ "enum": [ "boolean", "byte", "bytes", "character", "date-time", "ntpstamp", "integer", "portlist", "real", "string", "file", "path", "frame", "packet", "ipv4-packet", "ipv6-packet", "url", "csv", "winreg", "xml", "ext-value" ] },{"enum": ["boolean","byte","bytes","character","date-time", "ntpstamp","integer","portlist","real","string","file", "path","frame","packet","ipv4-packet","ipv6-packet","url", "csv","winreg","xml","ext-value"]}, "ext-dtype":{ "type": "string" },{"type": "string"}, "meaning":{ "type": "string" },{"type": "string"}, "formatid":{ "type": "string" },{"type": "string"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}}, "ExtensionTypeList": {"$ref": "#/definitions/IDtype" } } },"type": "array", "items": {"$ref": "#/definitions/ExtensionType"}}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference":{ "$ref": "#/definitions/SoftwareReference" },{"$ref": "#/definitions/SoftwareReference"}, "URL":{ "$ref": "#/definitions/URLtype" },{"$ref": "#/definitions/URLtype"}, "Description":{ "type": "string" } },{"type": "string"}}, "required": [], "additionalProperties":false },false}, "SoftwareReference": { "type": "object", "properties": { "value":{ "type": "string" },{"type": "string"}, "spec-name":{ "type": "string" },{"type": "string"}, "ext-spec-name":{ "type": "string" },{"type": "string"}, "dtype":{ "type": "string" },{"type": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, "StructuredInfo": { "type":"string" } },"object", "properties": { "specID": {"type": "string"}, "ext-specID": {"type": "string"}, "contentID": {"type": "string"}, "RawData": {"type": "string"}, "URL": {"$ref": "#/definitions/URLtype"}}, "required":[ "spec-name" ],["specID"], "additionalProperties":false },false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose":{ "enum": [ "traceback", "mitigation", "reporting", "watch", "other", "ext-value" ] },{"$ref": "#/definitions/purpose"}, "ext-purpose":{ "type": "string" },{"type": "string"}, "status":{ "enum": [ "blabla" ] },{"$ref": "#/definitions/status"}, "ext-status":{ "type": "string" }, "lang": { "$ref": "#/definitions/lang" },{"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "IncidentID":{ "$ref": "#/definitions/IncidentID" },{"$ref": "#/definitions/IncidentID"}, "AlternativeID":{ "type": "object" },{"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type":"array", "items": { "$ref": "#/definitions/RelatedActivity" } },"array","items": {"$ref": "#/definitions/RelatedActivity"}}, "DetectTime":{ "type": "string" },{"type": "string"}, "StartTime":{ "type": "string" },{"type": "string"}, "EndTime":{ "type": "string" },{"type": "string"}, "RecoveryTime":{ "type": "string" },{"type": "string"}, "ReportTime":{ "type": "string" },{"type": "string"}, "GenerationTime":{ "type": "string" },{"type": "string"}, "Description":{ "type": "array", "items": { "type": "string" } },{"type": "array","items": {"type": "string"}}, "Discovery": { "type":"array", "items": { "$ref": "#/definitions/Discovery" } },"array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment": { "type":"array", "items": { "$ref": "#/definitions/Assessment" } },"array","items": {"$ref": "#/definitions/Assessment"}}, "Methods": { "type":"array", "items": { "$ref": "#/definitions/Method" } },"array","items": {"$ref": "#/definitions/Method"}}, "Contacts": { "type":"array", "items": { "$ref": "#/definitions/Contact" } },"array","items": {"$ref": "#/definitions/Contact"}}, "EventData": { "type":"array", "items": { "$ref": "#/definitions/EventData" } },"array","items": {"$ref": "#/definitions/EventData"}}, "IndicatorList": { "type":"array", "items": { "$ref": "#/definitions/Indicator" }, },"array","items": {"$ref": "#/definitions/Indicator"}}, "History":{ "$ref": "#/definitions/History" },{"$ref": "#/definitions/History"}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "IncidentID", "GenerationTime", "Contacts", "purpose" ],["IncidentID","GenerationTime","Contacts","purpose"], "additionalProperties":false },false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id":{ "type": "string" },{"type": "string"}, "name":{ "type": "string" },{"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required": ["name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type":"string" }, "restriction":"object", "properties": {"$ref": "#/definitions/restriction" }, "ext-restriction":"IncidentID": { "type":"string" } },"array","items":{"$ref": "#/definitions/IncidentID"}}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required":[ "name" ],["IncidentID"], "additionalProperties":false },false}, "RelatedActivity": { "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "IncidentID": { "type":"array", "items": { "$ref": "#/definitions/IncidentID" } },"array","items": {"$ref": "#/definitions/IncidentID"}}, "URL": { "type":"array", "items": { "$ref": "#/definitions/URLtype" } },"array","items": {"$ref": "#/definitions/URLtype"}}, "ThreatActor": { "type":"array", "items": { "$ref": "#/definitions/ThreatActor" } },"array","items": {"$ref": "#/definitions/ThreatActor"}}, "Campaign": { "type":"array", "items": { "$ref": "#/definitions/Campaign" } },"array","items": {"$ref": "#/definitions/Campaign"}}, "IndicatorID": { "type":"array", "items": { "$ref": "#/definitions/IndicatorID" } },"array","items": {"$ref": "#/definitions/IndicatorID"}}, "Confidence":{ "$ref": "#/definitions/Confidence" },{"$ref": "#/definitions/Confidence"}, "Description": { "type":"array", "items": { "type": "string" } },"array","items": {"type": "string"}}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties":false },false}, "ThreatActor": { "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "ThreatActorID":{ "type": "string" },{"type": "array", "items": {"type": "string"}}, "Description":{ "type": "string" },{"type": "array", "items": {"type": "string"}}, "URL":{ "$ref": "#/definitions/URLtype" }, "AdditionalData": { "type":{"type": "array", "items":{ "$ref": "#/definitions/ExtensionType" } } },{"$ref": "#/definitions/URLtype"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties":false },false}, "Campaign": { "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "CampaignID":{},{"type": "array", "items": {"type": "string"}}, "URL":{ "$ref": "#/definitions/URLtype" },{"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description":{ "type": "string" }, "AdditionalData": { "type":{"type": "array", "items":{ "$ref": "#/definitions/ExtensionType" } } } },{"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role":{},{ "enum": ["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role":{},{"type": "string"}, "type":{},{"enum": ["person","organization","ext-value"]}, "ext-type":{},{"type": "string"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "ContactName":{},{"type": "array", "items": {"type": "string"}}, "ContactTitle":{},{"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}}, "RegistryHandle": { "type":"string" }, "RegistryHandle": {},"array", "items": {"$ref": "#/definitions/RegistryHandle"}}, "PostalAddress":{},{ "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}}, "Email":{},{"type": "array", "items": {"$ref": "#/definitions/Email"}}, "Telephone": {"$ref": "#/definitions/Telephone" },"type": "array", "items": {"$ref": "#/definitions/Telephone"}}, "Timezone":{},{"type": "string"}, "Contact": {"$ref": "#/definitions/Contact" }, "AdditionalData": {"type": "array", "items":{ "$ref": "#/definitions/ExtensionType" } } },{"$ref": "#/definitions/Contact"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "role", "type" ],["role","type"], "additionalProperties":false },false}, "RegistryHandle": { "type": "object", "properties": {"RegistryHandleName": {},"handle": {"type": "string"}, "registry":{},{ "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local", "ext-value"]}, "ext-registry":{} },{"type": "string"}}, "required":[ "registry" ],["registry"], "additionalProperties":false },false}, "PostalAddress": { "type": "object", "properties": { "type":{ "type": "string" },{"type": "string"}, "ext-type":{ "type": "string" },{"type": "string"}, "PAddress":{ "type": "string" },{"type": "string"}, "Description":{ "type": "string" } },{"type": "array", "items": {"type": "string"}}}, "required":[ "PAddress" ],["PAddress"], "additionalProperties":false },false}, "Email": { "type": "object", "properties": { "type":{},{ "enum":["direct","hotline","ext-value"]}, "ext-type":{},{"type": "string"}, "EmailTo":{},{"type": "string"}, "Description":{ "type": "string" } },{"type": "array", "items": {"type": "string"}}}, "required":[ "EmailTo" ],["EmailTo"], "additionalProperties":false },false}, "Telephone": { "type": "object", "properties": { "type":{},{ "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type":{},{"type": "string"}, "TelephoneNumber":{},{"type": "string"}, "Description":{ "type": "string" } },{"type": "array", "items": {"type": "string"}}}, "required":[ "TelephoneNumber" ],["TelephoneNumber"], "additionalProperties":false },false}, "Discovery": { "type": "object", "properties": { "source":{},{ "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source":{},{"type": "string"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "Description":{ "type": "string" },{"type": "array", "items": {"type": "string"}}, "Contact": {"$ref": "#/definitions/Contact" },"type": "array", "items": {"$ref": "#/definitions/Contact"}}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern" } },"type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}}, "required": [], "additionalProperties":false },false}, "DetectionPattern": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Application":{ "$ref": "#/definitions/SoftwareType" },{"$ref": "#/definitions/SoftwareType"}, "Description": {"type": "array", "items": {"type": "string"}}, "DetectionConfiguration": { "type":"string" }, "DetectionConfiguration": {} },"array", "items": {"type": "string"}}}, "required":[ "Application" ],["Application"], "additionalProperties":false },false}, "Method": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "References": { "type": "array","items": {"$ref": "#/definitions/Reference"}}, "Description": {"type": "array", "items":{ "$ref": "#/definitions/Reference" } }, "Description":{"type": "string"}}, "AttackPattern": { "type":"string" }, "AttackPattern": {},"array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Vulnerability":{}, "Weakness": {}, "AdditionalData":{ "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Weakness": {"$ref": "#/definitions/ExtensionType" } } },"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "Reference": { "type": "object", "properties": { "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "ReferenceName":{},{"type": "string"}, "URL":{ "$ref": "#/definitions/URLtype" },{"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description":{ "type": "string" } },{"type": "array", "items": {"type": "string"}}}, "required": [], "additionalProperties":false },false}, "Assessment": { "type": "object", "properties": { "occurrence":{},{"enum":["actual","potential"]}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "IncidentCategory":{},{"type": "array", "items": {"type": "string"}}, "SystemImpact": {"$ref": "#/definitions/SystemImpact" },"type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, "BusinessImpact":{},{ "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "TimeImpact": {"$ref": "#/definitions/TimeImpact" },"type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, "MonetaryImpact": {"$ref": "#/definitions/MonetaryImpact" },"type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}}, "IntendedImpact":{},{ "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "Counter": {"$ref": "#/definitions/Counter" },"type": "array", "items": {"$ref": "#/definitions/Counter"}}, "MitigatingFactor":{}, "Cause": {}, "Confidence": { "$ref": "#/definitions/Confidence" }, "AdditionalData":{ "type": "array", "items":{ "$ref": "#/definitions/ExtensionType" } } },{"$type": "string"}}, "Cause": {"type": "array", "items": {"$type": "string"}}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "SystemImpact": { "type": "object", "properties": { "severity":{},{ "enum":["low","medium","high"]}, "completion":{},{"enum":["failed","succeeded"]}, "type":{},{ "enum":["takeover-account","takeover-service","takeover-system", "cps-manipulation","cps-damage","availability-data", "availability-account","availability-service", "availability-system","damaged-system","damaged-data", "breach-proprietary","breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic","monitoring-host", "policy","unknown","ext-value"]}, "ext-type":{},{"type": "string"}, "Description":{ "type": "string" } },{"type": "array","items": {"type": "string"}}}, "required":[ "type" ],["type"], "additionalProperties":false },false}, "BusinessImpact": { "type": "object", "properties": { "severity":{},{ "enum":["none","low","medium","high","unknown","ext-value"]}, "ext-severity":{},{"type":"string"}, "type":{},{ "enum":["breach-proprietary","breach-privacy","breach-credential", "loss-of-integrity","loss-of-service","theft-financial", "theft-service","degraded-reputation","asset-damage", "asset-manipulation","legal","extortion","unknown", "ext-value"]}, "ext-type":{},{"type": "string"}, "Description":{ "type": "string" } },{"type": "array","items": {"type": "string"}}}, "required":[ "type" ],["type"], "additionalProperties":false },false}, "TimeImpact": { "type": "object", "properties": { "value":{},{"type": "number"}, "severity":{},{"enum": ["low","medium","high"]}, "metric":{},{"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric":{},{"type": "string"}, "duration":{},{"$ref":"#/definitions/duration"}, "ext-duration":{} },{"type": "string"}}, "required":[ "metric" ],["metric"], "additionalProperties":false },false}, "MonetaryImpact": { "type": "object", "properties": {"MonetaryImpactValue": {},"value": {"type": "number"}, "severity":{},{"enum":["low","medium","high"]}, "currency":{} },{"type": "string"}}, "required": [], "additionalProperties":false },false}, "Confidence": { "type": "object", "properties": {"ConfidenceValue": {},"value": {"type": "number"}, "rating":{},{ "enum": ["low","medium","high","numeric","unknown","ext-value"]}, "ext-rating":{} },{"type":"string"}}, "required":[ "rating" ],["rating"], "additionalProperties":false },false}, "History": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type":"string" }, "HistoryItem": {} },"array","items": {"$ref": "#/definitions/HistoryItem"}}}, "required":[ "HistoryItem" ],["HistoryItem"], "additionalProperties":false },false}, "HistoryItem": { "type": "object", "properties": { "action":{},{"$ref": "#/definitions/action"}, "ext-action":{},{"type": "string"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" }, "observable-id": { "$ref": "#/definitions/IDtype" },{"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime":{},{"$ref": "#/definitions/DATETIME"}, "IncidentID":{},{"$ref": "#/definitions/IncidentID"}, "Contact":{ "$ref": "#/definitions/Contact" },{"$ref": "#/definitions/Contact"}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "DefinedCOA":{},{"type": "array","items": {"type": "string"}}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "DateTime", "action" ],["DateTime","action"], "additionalProperties":false },false}, "EventData": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "DetectTime":{},{"type": "string"}, "StartTime":{},{"type": "string"}, "EndTime":{},{"type": "string"}, "RecoveryTime":{},{"type": "string"}, "ReportTime":{ "type": "string" },{"type": "string"}, "Contact": {"$ref": "#/definitions/Contact" },"type": "array","items": {"$ref": "#/definitions/Contact"}}, "Discovery": {"$ref": "#/definitions/Discovery" },"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment":{},{"$ref": "#/definitions/Assessment"}, "Method": {"$ref": "#/definitions/Method" },"type": "array","items": {"$ref": "#/definitions/Method"}}, "System": {"$ref": "#/definitions/System" },"type": "array","items": {"$ref": "#/definitions/System"}}, "Expectation": {"$ref": "#/definitions/Expectation" },"type": "array","items": {"$ref": "#/definitions/Expectation"}}, "Record":{ "$ref": "#/definitions/Record" },{"$ref": "#/definitions/Record"}, "EventData": {"$ref": "#/definitions/EventData" }, "AdditionalData": {"type":"array", "items": { "$ref": "#/definitions/ExtensionType" } } },"array","items": {"$ref": "#/definitions/EventData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "ReportTime" ],["ReportTime"], "additionalProperties":false },false}, "Expectation": { "type": "object", "properties": { "action":{},{"$ref":"#/definitions/action"}, "ext-action":{},{"type": "string"}, "severity":{},{"enum": ["low","medium","high"]}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "DefinedCOA":{},{"type": "array","items": {"type": "string"}}, "StartTime":{},{"type": "string"}, "EndTime":{},{"type": "string"}, "Contact":{ "$ref": "#/definitions/Contact" } },{"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties":false },false}, "System": { "type": "object", "properties": { "category": { "enum":[ "source", "target", "intermediate", "sensor", "infrastructure", "ext-value" ] },["source","target","intermediate","sensor","infrastructure", "ext-value"]}, "ext-category":{},{"type": "string"}, "interface":{},{"type": "string"}, "spoofed":{},{"enum": ["unknown","yes","no"]}, "virtual":{},{"enum": ["yes","no","unknown"]}, "ownership":{},{ "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership":{},{"type": "string"}, "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Node":{ "$ref": "#/definitions/Node" },{"$ref": "#/definitions/Node"}, "NodeRole": {"$ref": "#/definitions/NodeRole" },"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "Service": {"$ref": "#/definitions/Service" },"type": "array","items": {"$ref": "#/definitions/Service"}}, "OperatingSystem":{},{ "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, "Counter": {"$ref": "#/definitions/Counter" },"type": "array","items": {"$ref": "#/definitions/Counter"}}, "AssetID":{},{"type": "array","items": {"type": "string"}}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "Node" ],["Node"], "additionalProperties":false },false}, "Node": { "type": "object", "properties": { "DomainData": {"$ref": "#/definitions/DomainData" },"type": "array","items": {"$ref": "#/definitions/DomainData"}}, "Address": {"$ref": "#/definitions/Address" },"type": "array","items": {"$ref": "#/definitions/Address"}}, "PostalAddress":{},{"type": "string"}, "Location":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "Counter":{ "$ref": "#/definitions/Counter" } },{"type": "array","items":{"$ref":"#/definitions/Counter"}}}, "required": [], "additionalProperties":false },false}, "Address": { "type": "object", "properties": {"AddressValue": {},"value": {"type": "string"}, "category":{},{ "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-url","ext-value"]}, "ext-category":{},{"type": "string"}, "vlan-name":{},{"type": "string"}, "vlan-num":{ "type": "integer" },{"type": "integer"}, "observable-id":{ "$ref": "#/definitions/IDtype" } },{"$ref": "#/definitions/IDtype"}}, "required":[ "category" ],["category"], "additionalProperties":false },false}, "NodeRole": { "type": "object", "properties": { "category":{},{ "enum":["client","client-enterprise","clent-partner","client-remote", "client-kiosk","client-mobile","server-internal", "server-public","www","mail","webmail","messaging", "streaming","voice","file","ftp","p2p","name","directory", "credential","print","application","database","backup", "dhcp","assessment","source-control","config-management", "monitoring","infra","infra-firewall","infra-router", "infra-switch","camera","proxy","remote-access","log", "virtualization","pos", "scada", "scada-supervisory", "sinkhole","honeypot","anomyzation","c2-server", "malware-distribution","drop-server","hot-point","reflector", "phishing-site","spear-phishing-site","recruiting-site", "fraudulent-site","ext-value"]}, "ext-category":{},{"type": "string"}, "Description":{ "type": "string" } },{"type": "array","items": {"type": "string"}}}, "required":[ "category" ],["category"], "additionalProperties":false },false}, "Counter": { "type": "object", "properties": { "value":{ "type": "string" },{"type": "string"}, "type":{},{"enum": ["count","peak","average","ext-value"]}, "ext-type":{},{"type": "string"}, "unit":{},{"enum": ["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit":{},{"type": "string"}, "meaning":{},{"type": "string"}, "duration":{},{"$ref":"#/definitions/duration"}, "ext-duration":{} },{"type": "string"}}, "required":[ "type", "unit" ],["type","unit"], "additionalProperties":false },false}, "DomainData": { "type": "object", "properties": { "system-status":{},{ "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status":{},{"type": "string"}, "domain-status":{},{ "enum": [ "reservedDelegation","assignedAndActive","assignedAndInactive", "assignedAndOnHold","revoked","transferPending","registryLock", "registrarLock","other","unknown","ext-value"]}, "ext-domain-status":{},{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Name":{},{"type": "string"}, "DateDomainWasChecked":{},{"$ref": "#/definitions/DATETIME"}, "RegistrationDate":{},{"$ref": "#/definitions/DATETIME"}, "ExpirationDate":{},{"$ref": "#/definitions/DATETIME"}, "RelatedDNS":{},{ "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "NameServers": {"$ref": "#/definitions/NameServers" },"type": "array","items": {"$ref": "#/definitions/NameServers"}}, "DomainContacts": {"$ref": "#/definitions/DomainContacts" } },"type": "array","items": {"$ref": "#/definitions/DomainContacts"}}}, "required":[ "Name", "system-status", "domain-status" ],["Name","system-status","domain-status"], "additionalProperties":false },false}, "NameServers": { "type": "object", "properties": { "Server":{},{"type": "string"}, "Address":{ "$ref": "#/definitions/Address" } },{"type": "array","items":{"$ref":"#/definitions/Address"}}}, "required":[ "Server", "Address" ],["Server","Address"], "additionalProperties":false },false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact":{},{"type": "string"}, "Contact":{ "$ref": "#/definitions/Contact" } },{"type": "array","items":{"$ref":"#/definitions/Contact"}}}, "required":[ "Contact" ],["Contact"], "additionalProperties":false },false}, "Service": { "type": "object", "properties": { "ip-protocol":{},{"type": "integer"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "ServiceName":{},{"$ref": "#/definitions/ServiceName"}, "Port":{},{"type": "integer"}, "Portlist":{},{"$ref": "#/definitions/PORTLIST"}, "ProtoCode":{},{"type": "integer"}, "ProtoType":{},{"type": "integer"}, "ProtoField":{},{"type": "integer"}, "ApplicationHeader":{},{"$ref": "#/definitions/ApplicationHeader"}, "EmailData":{},{"$ref": "#/definitions/EmailData"}, "Application":{} },{"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties":false },false}, "ServiceName": { "type": "object", "properties": { "IANAService":{},{"type": "string"}, "URL":{ "$ref": "#/definitions/URLtype" },{"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description":{ "type": "string" } },{"type": "array","items": {"type": "string"}}}, "required": [], "additionalProperties":false },false}, "ApplicationHeader": { "type": "object", "properties": { "ApplicationHeaderField":{} },{ "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "required":[ "ApplictionHeaderField" ],["ApplicationHeaderField"], "additionalProperties":false },false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo":{},{"type": "array","items": {"type": "string"}}, "EmailFrom":{},{"type": "string"}, "EmailSubject":{},{"type": "string"}, "EmailX-Mailer":{},{"type": "string"}, "EmailHeaderField":{},{ "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "EmailHeaders":{},{"type": "string"}, "EmailBody":{},{"type": "string"}, "EmailMessage":{},{"type": "string"}, "HashData": {"$ref": "#/definitions/HashData" },"type": "array","items": {"$ref": "#/definitions/HashData"}}, "SignatureData": {"$ref": "#/definitions/SignatureData" } },"type": "array","items": {"$ref": "#/definitions/SignatureData"}}}, "required": [], "additionalProperties":false }, "Record":false}, "Record":{ "type": "object", "properties":{ "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "RecordData": { "type": "array","items": {"$ref": "#/definitions/RecordData"}}}, "required":["RecordData"], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "DateTime":{},{"$ref": "#/definitions/DATETIME"}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "Applicadtion":{},{"$ref": "#/definitions/SoftwareType"}, "RecordPattern":{},{ "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, "RecordItem":{},{ "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "URL": {"$ref": "#/definitions/URLtype" },"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "FileData": {"$ref": "#/definitions/FileData" },"type": "array","items": {"$ref": "#/definitions/FileData"}}, "WindowsRegistryKeysModified":{}, "CertificateData": { "$ref": "#/definitions/CertificateData" }, "AdditionalData":{ "type": "array", "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, "CertificateData": {"$ref": "#/definitions/ExtensionType" } } },"type": "array","items": {"$ref": "#/definitions/CertificateData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false }, "RecordPattern": { "type": "object", "properties": {"RecordPatternValue": {},"value": {"type": "string"}, "type":{},{"enum": ["regex","binary","xpath","ext-value"]}, "ext-type":{},{"type": "string"}, "offset":{},{"type": "integer"}, "offsetunit":{},{"enum":["line","byte","ext-value"]}, "ext-offsetunit":{},{"type": "string"}, "instance":{ "type": "integer" } }, "required": [ "type" ],{"type": "integer"}}, "required": ["type"], "additionalProperties":false },false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observabile-id":{},{"$ref": "#/definitions/IDtype"}, "Key":{} },{"type": "array","items": {"$ref": "#/definitions/Key"}}}, "required":[ "Key" ],["Key"], "additionalProperties":false },false}, "Key": { "type": "object", "properties": { "registryaction":{},{"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction":{},{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "KeyName":{},{"type":"string"}, "KeyValue":{} },{"type": "string"}}, "required":[ "KeyName" ],["KeyName"], "additionalProperties":false },false}, "CertificateData": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "Certificate": {"$ref": "#/definitions/Certificate" } },"type": "array","items": {"$ref": "#/definitions/Certificate"}}}, "required":[ "Certificate" ],["Certificate"], "additionalProperties":false },false}, "Certificate": { "type": "object", "properties": { "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "X509Data":{},{type: "string"}, "Description":{ "type": "string" } },{"type": "array","items": {"type": "string"}}}, "required":[ "X509Data" ],["X509Data"], "additionalProperties":false },false}, "FileData": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "observable-id":{ "$ref": "#/definitions/IDtype" },{"$ref": "#/definitions/IDtype"}, "File":{ "$ref": "#/definitions/File" } },{"type": "array","items": {"$ref": "#/definitions/File"}}}, "required":[ "File" ],["File"], "additionalProperties":false },false}, "File": { "type": "object", "properties": { "FileName":{ "type": "string" },{"type": "string"}, "FileSize":{},{"type": "integer"}, "FileType":{},{"type": "string"}, "URL":{ "$ref": "#/definitions/URLtype" },{"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "HashData":{ "$ref": "#/definitions/HashData" },{"$ref": "#/definitions/HashData"}, "SignatureData":{ "$ref": "#/definitions/SignatureData" },{"$ref": "#/definitions/SignatureData"}, "AssociatedSoftware":{},{"$ref": "#/definitions/SoftwareType"}, "FileProperties":{} },{ "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "required": [], "additionalProperties":false },false}, "HashData": { "type": "object", "properties": { "scope":{},{"enum": ["file-contents","file-pe-section","file-pe-iat", "file-pe-resource","file-pdf-object","email-hash", "email-hash-header","email-hash-body"]}, "HashTargetID":{},{"type": "string"}, "Hash":{ "$ref": "#/definitions/Hash" },{"type": "array","items": {"$ref": "#/definitions/Hash"}}, "FuzzyHash": {"$ref": "#/definitions/FuzzyHash" } },"type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, "required":[ "scope" ],["scope"], "additionalProperties":false },false}, "Hash": { "type": "object", "properties": { "DigestMethod":{ "type": "string" },{"type": "string"}, "DigestValue":{ "type": "string" },{"type": "string"}, "CanonicalizationMethod": {}, "Application":{} },{"$ref": "#/definitions/SoftwareType"}}, "required":[ "DigestMethod", "DigestValue" ],["DigestMethod","DigestValue"], "additionalProperties":false },false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": {"$ref": "#/definitions/ExtensionType" },"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "Application":{},{"$ref": "#/definitions/SoftwareType"}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "FuzzyHashValue" ],["FuzzyHashValue"], "additionalProperties":false },false}, "SignatureData": { "type": "object", "properties": { "Signature":{ "SignatureValue": "xxxxxxxx", "id": "xxxxxxxx" } },{"type": "array","items": {"type": "string"}}}, "required":[ "Signature" ],["Signature"], "additionalProperties":false },false}, "Indicator": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "IndicatorID":{ "$ref": "#/definitions/IndicatorID" },{"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": {"$ref": "#/definitions/AlternativeIndicatorID" }, "Description": {"type":"string" },"array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "Description": {"type": "array","items": {"type": "string"}}, "StartTime":{},{"$ref": "#/definitions/DATETIME"}, "EndTime":{},{"$ref": "#/definitions/DATETIME"}, "Confidence":{ "$ref": "#/definitions/Confidence" },{"$ref": "#/definitions/Confidence"}, "Contact": {"$ref": "#/definitions/Contact" },"type": "array","items": {"$ref": "#/definitions/Contact"}}, "Observable":{},{"$ref": "#/definitions/Observable"}, "ObservableReference":{ "$ref": "#/definitions/ObservableReference" },{"$ref": "#/definitions/ObservableReference"}, "IndicatorExpression":{ "$ref": "#/definitions/IndicatorExpression" },{"$ref": "#/definitions/IndicatorExpression"}, "IndicatorReference":{ "$ref": "#/definitions/IndicatorReference" },{"$ref": "#/definitions/IndicatorReference"}, "NodeRole": {"$ref": "#/definitions/NodeRole" },"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "AttackPhase": {"$ref": "#/definitions/AttackPhase" },"type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "Reference": {"$ref": "#/definitions/Reference" }, "AdditionalData": {"type":"array", "items": { "$ref": "#/definitions/ExtensionType" } } },"array","items": {"$ref": "#/definitions/Reference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "IndicatorID" ],["IndicatorID"], "additionalProperties":false },false}, "IndicatorID": { "type": "object", "properties": { "id":{},{"type": "string"}, "name":{ "type": "string" },{"type": "string"}, "version":{ "type": "string" } },{"type": "string"}}, "required":[ "name", "version" ], "additionalProperties": false },["name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference" } },"type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}}}, "required":[ "IndicatorReference" ],["IndicatorReference"], "additionalProperties":false },false}, "Observable": { "type": "object", "properties": { "restriction":{ "$ref": "#/definitions/restriction" },{"$ref": "#/definitions/restriction"}, "ext-restriction":{ "type": "string" },{"type": "string"}, "System":{},{"$ref": "#/definitions/System"}, "Address":{},{"$ref": "#/definitions/Address"}, "DomainData":{ "$ref": "#/definitions/DomainData" },{"$ref": "#/definitions/DomainData"}, "EmailData":{},{"$ref": "#/definitions/EmailData"}, "Service":{ "$ref": "#/definitions/Service" },{"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified":{}, "FileData":{ "$ref":"#/definitions/FileData" },"#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData":{ "$ref": "#/definitions/CertificateData" },{"$ref": "#/definitions/CertificateData"}, "RegistryHandle":{},{"$ref": "#/definitions/RegistryHandle"}, "Record":{ "$ref": "#/definitions/Record" },{"$ref": "#/definitions/Record"}, "EventData":{},{"$ref": "#/definitions/EventData"}, "Incident":{},{"$ref": "#/definitions/Incident"}, "Expectation":{ "$ref": "#/definitions/Expectation" },{"$ref": "#/definitions/Expectation"}, "Reference":{ "$ref": "#/definitions/Reference" },{"$ref": "#/definitions/Reference"}, "Assessment":{},{"$ref": "#/definitions/Assessment"}, "DetectionPattern":{},{"$ref": "#/definitions/DetectionPattern"}, "HistoryItem":{},{"$ref": "#/definitions/HistoryItem"}, "BulkObservable":{ "type": "string" },{"type": "string"}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "BulkObservable": { "type": "object", "properties": { "type":{},{"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", "site-url","domain-name","domain-to-ipv4","domain-to-ipv6", "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", "ipv4-port","ipv6-port","windows-reg-key","file-hash", "email-x-mailer","email-subject","http-user-agent", "http-request-url","mutex","file-path","user-name", "ext-value"]}, "ext-type":{}, "BulkObservableFormant": {},{"type": "string"}, "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList":{ "type": "string" },{"type": "string"}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash":{ "$ref": "#/definitions/Hash" },{"$ref": "#/definitions/Hash"}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "IndicatorExpression": { "type": "object", "properties": { "operator":{},{"enum": ["not","and","or","xor"]}, "ext-operator":{ "type": "string" },{"type": "string"}, "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression" },"type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}}, "Observable":{},{ "type": "array","items": {"$ref": "#/definitions/Observable"}}, "ObservableReference": {"$ref": "#/definitions/ObservableReference" },"type": "array", "items": {"$ref": "#/definitions/ObservableReference"}}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference" }, "AdditionalData": {"type": "array", "items":{ "$ref": "#/definitions/ExtensionType" } } },{"$ref": "#/definitions/IndicatorReference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false },false}, "ObservableReference": { "type": "object", "properties":{ "uid-ref": {} },{"uid-ref": {"type": "string"}}, "required":[ "uid-ref" ],["uid-ref"], "additionalProperties":false },false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref":{},{"type": "string"}, "euid-ref":{ "type": "string" },{"type": "string"}, "version":{ "type": "string" } },{"type": "string"}}, "required": [], "additionalProperties":false },false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "URL":{ "$ref": "#/definitions/URLtype" },{"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description":{ "type": "string" },{"type": "array","items": {"type": "string"}}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties":false } },false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version":{ "type": "string" },{"type": "string"}, "lang":{ "$ref": "#/definitions/lang" },{"$ref": "#/definitions/lang"}, "format-id":{ "type": "string" },{"type": "string"}, "private-enum-name":{ "type": "string" },{"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type":"string" }, "Incidents": { "type": "array", "items": { "$ref": "#/definitions/Incident" } },"array","items": {"$ref": "#/definitions/Incident"}}, "AdditionalData":{ "type": "array", "items": { "$ref": "#/definitions/ExtensionType" } } },{"$ref":"#/definitions/ExtensionTypeList"}}, "required":[ "version", "Incidents" ],["version","Incident"], "additionalProperties":false }false} Figure64:1: JSON schema6.7. Acknowledgements TBD.7.8. IANA Considerations This memo includes no request to IANA.8.9. Security Considerations This memo does not provide any further security considerations than the one described in RFC 7970 [RFC7970].9.10. References9.1.10.1. Normative References[min_ref] authSurName, authInitials., "Minimal Reference",[jsonschema] "JSON Schema", 2006. http://json-schema.org/ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>.9.2.10.2. Informative References [DOMINATION] Mad Dominators, Inc., "Ultimate Plan for Taking Over the World", 1984, <http://www.example.com/dominator.html>. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999, <https://www.rfc-editor.org/info/rfc2629>. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, DOI 10.17487/RFC5226, May 2008, <https://www.rfc-editor.org/info/rfc5226>. Authors' Addresses Takeshi Takahashi NICT 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Mio Suzuki NICT 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp