draft-ietf-mile-jsoniodef-02.txt   draft-ietf-mile-jsoniodef-03.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: July 15, 2018 CERT Expires: September 19, 2018 CERT
M. Suzuki M. Suzuki
NICT NICT
January 11, 2018 March 18, 2018
JSON binding of IODEF JSON binding of IODEF
draft-ietf-mile-jsoniodef-02 draft-ietf-mile-jsoniodef-03
Abstract Abstract
RFC 7970 [RFC7970] provides XML-based data representation on incident RFC7970 specified an information model and a corresponding XML data
information, but the use of the IODEF data model is not limited to model for exchanging incident and indicator information. This draft
XML. JSON representation is sometimes preferred since it is easy to provides an alternative data model implementation in JSON.
handle from certain programming environments. This draft represents
the IODEF data model in JSON.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 15, 2018. This Internet-Draft will expire on September 19, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 4 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 4
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 4 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 4
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 5 2.2.2. Software . . . . . . . . . . . . . . . . . . . . . . 5
2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 5 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 5
2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 5 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 5
2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 5 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 5
2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 5 3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 16
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 5 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 6 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 17
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 6 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 17
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 6 5. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 19
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 38
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
2.13. Uniform Resource Locator Strings . . . . . . . . . . . . 6 8. Security Considerations . . . . . . . . . . . . . . . . . . . 38
2.14. Identifiers and Identifier References . . . . . . . . . . 7 9. Normative References . . . . . . . . . . . . . . . . . . . . 38
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38
2.16. StructuredInfo . . . . . . . . . . . . . . . . . . . . . 7
3. The IODEF Information Model in JSON . . . . . . . . . . . . . 8
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 8
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 8
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 9
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 9
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 9
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 9
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 10
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 10
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 11
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 11
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 11
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 12
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 12
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 12
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 13
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 13
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 14
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 14
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 15
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 15
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 15
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 16
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 16
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 17
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 17
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 17
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 18
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 18
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 19
3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 19
3.17. Node Class . . . . . . . . . . . . . . . . . . . . . . . 20
3.17.1. Address Class . . . . . . . . . . . . . . . . . . . 20
3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 20
3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21
3.18. DomainData Class . . . . . . . . . . . . . . . . . . . . 21
3.18.1. Nameserver Class . . . . . . . . . . . . . . . . . . 22
3.18.2. DomainContacts Class . . . . . . . . . . . . . . . . 22
3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 22
3.19.1. ServiceName Class . . . . . . . . . . . . . . . . . 23
3.19.2. EmailData Class . . . . . . . . . . . . . . . . . . 23
3.19.3. RecordData Class . . . . . . . . . . . . . . . . . . 24
3.19.4. RecordPattern Class . . . . . . . . . . . . . . . . 24
3.20. WindowsRegistryKeysModified Class . . . . . . . . . . . . 24
3.20.1. Key Class . . . . . . . . . . . . . . . . . . . . . 25
3.21. CertificateData Class . . . . . . . . . . . . . . . . . . 25
3.21.1. Certificate Class . . . . . . . . . . . . . . . . . 26
3.22. FileData Class . . . . . . . . . . . . . . . . . . . . . 26
3.22.1. File Class . . . . . . . . . . . . . . . . . . . . . 26
3.23. HashData Class . . . . . . . . . . . . . . . . . . . . . 27
3.23.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 27
3.23.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 27
3.24. Indicator Class . . . . . . . . . . . . . . . . . . . . . 28
3.24.1. IndicatorID Class . . . . . . . . . . . . . . . . . 29
3.24.2. AlternativeIndicatorID Class . . . . . . . . . . . . 29
3.24.3. Observable Class . . . . . . . . . . . . . . . . . . 29
3.24.4. BulkObservable Class . . . . . . . . . . . . . . . . 30
3.24.5. BulkObservableFormat Class . . . . . . . . . . . . . 30
3.24.6. IndicatorExpression Class . . . . . . . . . . . . . 31
3.24.7. IndicatorReference Class . . . . . . . . . . . . . . 31
3.24.8. AttackPhase Class . . . . . . . . . . . . . . . . . 31
4. Notable differences from RFC 7970 . . . . . . . . . . . . . . 32
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33
5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 33
6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 35
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 54
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54
9. Security Considerations . . . . . . . . . . . . . . . . . . . 54
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 54
10.1. Normative References . . . . . . . . . . . . . . . . . . 54
10.2. Informative References . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
RFC 7970 [RFC7970] defines an data model for sharing incident [RFC7970] defines a data representation for security incident reports
information. It facilitates automated exchange of information among and indicators commonly exchanged by operational security teams. It
parties over networks. The data model can be implemented in a form facilitates the automated exchange of this information to enable
of XML, but it is not always suitable for implementation. JSON-based mitigation and watch-and-warning. Section 3 of [RFC7970] defined an
representation is often useful. information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in
Section 8. This UML-based information model and XML-based data model
are referred to as IODEF UML and IODEF XML, respectively in this
document.
Therefore, in this document, we provide a means to represent IODEF This document defines an alternate implementation of the IODEF UML
data model in JSON. information model by specifying a JavaScript Object Notation (JSON)
data model using JSON Schema [jsonschema]. This JSON data model is
referred to as IODEF JSON in this document.
IODEF JSON provides all of the expressivity of IODEF XML. It gives
implementers and operators an alternative format to exchange the same
information.
The normative IODEF JSON data model is found in Section 5. Section 2
and Section 3 describe the data types and elements of this data
model. Section 4 provides examples.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. IODEF Data Types 2. IODEF Data Types
The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the The abstract IODEF JSON implements the abstract data types specified
JSON IODEF, with some syntax changes for some of the types. in Section 2 of [RFC7970].
2.1. Integers
An integer is represented in the information model by the INTEGER 2.1. Abstract Data Type to JSON Data Type Mapping
data type. Integer data MUST be encoded in Base 10, and is
implemented as an "integer" type per JSON schema [jsonschema].
2.2. Real Numbers IODEF JSON uses native and derived JSON data types. Figure 1
describes the mapping between the abstract data types in Section 2 of
[RFC7970] and their corresponding implementations in IODEF JSON.
A real (floating-point) number is represented in the information +-----------------+-------------------+-------------------------------+
model by the REAL data type. Real data MUST be encoded in Base 10, | IODEF Data Type | [RFC7970] | JSON Data Type |
and is implemented in the data model as an "number" type per JSON | | Reference | |
schema [jsonschema]. +-----------------+-------------------+-------------------------------+
| INTEGER | Section 2.1 | "integer" per [jsonschema] |
| REAL | Section 2.2 | "number" per [jsonschema] |
| CHARACTER | Section 2.3 | "string" per [jsonschema] |
| STRING | Section 2.3 | "string" per [jsonschema] |
| ML_STRING | Section 2.4 | see Section 2.2.1 |
| BYTE | Section 2.5.1 | "string" per [jsonschema] |
| BYTE[] | Section 2.5.1 | "string" per [jsonschema] |
| HEXBIN | Section 2.5.2 | "string" per [jsonschema] |
| HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] |
| ENUM | Section 2.6 | "enum" array per [jsonschema] |
| DATETIME | Section 2.7 | "string" per [jsonschema] |
| TIMEZONE | Section 2.8 | "string" per [jsonschema] |
| PORTLIST | Section 2.9 | "string" per [jsonschema] |
| POSTAL | Section 2.10 | "string" per [jsonschema] |
| POSTAL_ML | Section 2.10 | see ML_STRING, Section 2.2.1 |
| PHONE | Section 2.11 | "string" per [jsonschema] |
| EMAIL | Section 2.12 | "string" per [jsonschema] |
| URL | Section 2.13 | "string" per [jsonschema] |
| IDREF | Section 2.14 | "string" per [jsonschema] |
| SOFTWARE | Section 2.15 | see Section 2.2.2 |
| STRUCTURED | N/A | see Section 2.2.3 |
+-----------------+-------------------+-------------------------------+
2.3. Characters and Strings Figure 1
A single character is represented in the information model by the 2.2. Complex JSON Types
CHARACTER data type. A string is represented by the STRING data
type. Special characters MUST be encoded using entity references.The
CHARACTER and STRING data types are implemented in the data model as
an "string" type per JSON schema [jsonschema].
2.4. Multilingual Strings 2.2.1. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in different than the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id" implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 6. Examples are shown below. elements as defined in Section 5. Examples are shown below.
"MLStringType": { "MLStringType": {
"value": "free-form text", //STRING "value": "free-form text", //STRING
"lang": "en", //ENUM "lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING "translation-id": "jp2en0023" //STRING
} }
2.5. Binary Strings 2.2.2. Software
2.5.1. Base64 Bytes
A binary octet encoded with base64 is represented in the information
model by the BYTE data type. A sequence of these octets is of the
BYTE[] data type. The BYTE and BYTE[] data types are implemented in
the data model as an "string" type per JSON schema [jsonschema].
2.5.2. Hexadecimal Bytes
A binary octet encoded as a character tuple consistent of two
hexadecimal digits is represented in the information model by the
HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
type. The HEXBIN and HEXBIN[] data types are implemented in the data
model as an "string" type per JSON schema [jsonschema].
2.6. Enumerated Types
An enumerated type is represented in the information model by the
ENUM data type. It is an ordered list of acceptable string values.
Each value has a representative keyword. The ENUM data type is
implemented in the data model as values of an enum array per JSON
schema [jsonschema].
2.7. Date-Time String
A date-time string that describes a particular instant in time is
represented in the information model by the DATETIME data type.
Ranges are not supported. The DATETIME data type is implemented in
the data model as an "string" type per JSON schema [jsonschema].
2.8. Timezone String
A timezone offset from UTC is represented in the information model by
the TIMEZONE data type. It is formatted according to the following
regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The
TIMEZONE data type is implemented in the data model as an "string"
type per JSON schema [jsonschema].
2.9. Port Lists
A list of network ports is represented in the information model by
the PORTLIST data type. A PORTLIST consists of a comma-separated
list of numbers and ranges (N-M means ports N through M, inclusive).
It is formatted according to the following regular expression:
"\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
"2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in
the data model as an "string" type per JSON schema [jsonschema]
2.10. Postal Address
A postal address is represented in the information model by the
POSTAL data type. The format of the POSTAL data type is documented
in Section 2.23 of [RFC4519] as a free-form multi-line string
separated by the "$" character. The POSTAL data type is implemented
in the data model as the aforementioned ML_STRING type.
2.11. Telephone Number
A telephone number is represented in the information model by the
PHONE data type. The format of the PHONE data type is documented in
[E.164]. The PHONE data type is implemented in the data model as an
"string" type per JSON schema [jsonschema].
2.12. Email String
An email address is represented in the information model by the EMAIL
data type. The format of the EMAIL data type is documented in
Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL
data type is implemented in the data model as an "string" type per
JSON schema [jsonschema].
2.13. Uniform Resource Locator Strings
A uniform resource locator (URL) is represented in the information
model by the URL data type. The format of the URL data type is
documented in [RFC3986].
The URL data type is implemented as an "string" type per JSON schema
[jsonschema].
2.14. Identifiers and Identifier References
An identifier unique to the IODEF document is represented in the
information model by the ID data type. A reference to this
identifier is represented by the IDREF data type. These data types
are implemented in the model as an "string" type per JSON schema
[jsonschema].
2.15. Software
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", type is implemented as an object with "SoftwareReference", "URL",
"Description", and "Description_ML" elements as defined in Section 6. "Description", and "Description_ML" elements as defined in Section 5.
Examples are shown below. Examples are shown below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference "SoftwareReference": {...}, //SoftwareReference
"Description": ["MS Windows"], //STRING "Description": ["MS Windows"] //STRING
} }
2.16. StructuredInfo 2.2.3. StructuredInfo
Information provided in a form of structured string, such as ID, or Information provided in a form of structured string, such as ID, or
structured information, such as XML documents, is represented in the structured information, such as XML documents, is represented in the
information model by the StructuredInfo data type. Note that this information model by the StructuredInfo data type. Note that this
type was originally specified in RFC7203. The StructuredInfo data type was originally specified in RFC7203. The StructuredInfo data
type is implemented as an object with "SpecID", "ext-SpecID", type is implemented as an object with "SpecID", "ext-SpecID",
"ContentID", "RawData", "Reference" elements. An example for "ContentID", "RawData", "Reference" elements. An example for
embedding a structured ID is shown below. embedding a structured ID is shown below.
"StructuredInformation": { "StructuredInformation": {
"SpecID": "cve", //ENUM "SpecID": "cve", //ENUM
"ContentID": "CVE-2007-5000", //STRING "ContentID": "CVE-2007-5000" //STRING
} }
When embedding the raw data, base64 conversion should be used for When embedding the raw data, base64 conversion should be used for
encoding the data, as shown below. encoding the data, as shown below.
"StructuredInformation": { "StructuredInformation": {
"SpecID": "oval", //ENUM "SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>", //BYTE "RawData": "<<<strings encoded with base64>>>" //BYTE
}
3. The IODEF Information Model in JSON
The data model of IODEF is defined in RFC 7970 [RFC7970], and this
section illustrates their representations in JSON. Note that the
complete JSON schema is defined in Section 6.
3.1. IODEF-Document Class
This class is the top level class in the IODEF data model. Its class
elements and an example are shown below. See Section 3.1 of RFC 7970
[RFC7970] for the intended meanings of these elements.
Class elements:
version, lang?, format-id?, private-enum-name?, private-enum-id?,
Incident+, AdditionalData*
Example:
"IODEF-Document": {
"version": "2.1", //STRING
"lang": "en", //ENUM
"format-id": "RFC7970-json", //STRING
"Incident": [ ... ] //Incident
}
3.2. Incident Class
The Incident class describes commonly exchanged information when
reporting or sharing derived analysis from security incidents. Its
class elements and an example are shown below. See Section 3.2 of
RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
ext-restriction?, observable-id?, IncidentID, AlternativeID?,
RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
ReportTime?, GenrationTime?, Description*, Description_ML*,
Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*,
History?, AdditionalData*
Example:
"Incident": {
"purpose": "reporting", //ENUM
"lang": "en", //STRING
"restriction": "green", //ENUM
"IncidentID": { ... }, //IncidentID Class
"RelatedActivity": [ ... ], //RelatedActivity Class
"GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime
"Description": ["Incident in the HQ"], //STRING
"Assessment": [ ... ], //Assessment
"Method": [ ... ], //Method
"Contact": [ ... ] //Contact
"EventData": [ ... ], //EventData
"Indicator": { ... } //Indicator
"History": { ... }, //History
"AdditionalData": [ ... ], //AdditionalData
}
3.3. Common Attributes
There are a number of recurring attributes used in the information
model. They are documented in this section.
3.3.1. restriction Attribute
RFC 7970 [RFC7970] defines the restriction Attribute as one of common
attributes. It is defined as below:
"restriction":{"enum": ["public", "partner", "need-to-know", "private",
"default", "white", "green", "amber", "red", "ext-value"]}
Note that you must use "ext-restriction" field (STRING type) when the
value of "restriction" field is set to "ext-value".
3.3.2. observable-id Attribute
RFC 7970 [RFC7970] defines the observable-id attribute as one of
common attributes. The value of this attribute is a unique
identifier, in string type, in the scope of the document.It is
defined as below:
3.4. IncidentID Class
The class elements and an example are shown below. See Section 3.4
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
id, name, instance?, restriction?, ext-restriction?
Example:
"IncidentID": {
"id": "nict20150518-0001", // STRING
"name": "NICT_cert", // STRING
"instance": "cyberlab" // STRING
"restriction": "ext-value" // ENUM
"ext-restriction": "registration required" // STRING
}
3.5. AlternativeID Class
The class elements and an example are shown below. See Section 3.5
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, IncidentID+
Example:
"AltervativeID": {
"restriction": "private", //ENUM
"IncidentID": [<<<omitted>>>] //IncidentID
}
3.6. RelatedActivity Class
The class elements and an example are shown below. See Section 3.6
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*
Example:
"RelatedActivity": {
"restriction": "private", //ENUM
"ThreatActor": [{...}], //ThreatActor class
"Campaign": [{...}] //Campaign class
}
3.7. ThreatActor Class
The class elements and an example are shown below. See Section 3.7
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
Description_ML*, AdditionalData*
Example:
"ThreatActor": {
"ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING
"Description": ["Aggressive Butterfly"] //STRING
}
3.8. Campaign Class
The class elements and an example are shown below. See Section 3.8
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, CampaignID*, URL*, Description*,
Description_ML*, AdditionalData*
Example:
"Campaign": {
"CampaignID": "C-2015-59405", //STRING
"Description": ["Orange Giraffe"] //STRING
}
3.9. Contact Class
The class elements and an example are shown below. See Section 3.9
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
ContactName*,ContactName_ML*, ContactTitle*, ContactTitle_ML*,
Description*, Description_ML*, RegistryHandle*, PostalAddress*,
Email*, Telephone*, Timezone?, Contact*, AdditionalData*
Example:
"Contact": {
"role": "creator", //ENUM
"type": "organization", //ENUM
"ContactName": {"value":"CSIRT for example.com"}, //STRING
"ContactTitle": {"value":"Senior Research Engineer"} //STRING
"email": {...}, //Email Class
"Telephone": {...}, //Telephone Class
"Timezone": "+09:00" //TIMEZONE
}
3.9.1. RegistryHandle Class
The class elements and an example are shown below. See Section 3.9.1
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
handle, registry, ext-registry?
Example:
"RegistryHandle": {
"handle": "MyAPNIC", //STRING
"registry": "apnic", //ENUM
}
3.9.2. PostalAddress Class
The class elements and an example are shown below. See Section 3.9.2
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
type?, ext-type?, PAddress, Description*, Description_ML*
Example:
"PostalAddress": {
"type": "mailing", //ENUM
"PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL
"Description": ["Office address"] //STRING
},
3.9.3. Email Class
The class elements and an example are shown below. See Section 3.9.3
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
type?, ext-type?, EmailTo, Description*, Description_ML*
Example:
"Email": {
"type": "direct", //ENUM
"emailTo": "contact@csirt.example.com", //EMAIL
"Description": ["Administrator's address"] //STRING
},
3.9.4. Telephone Class
The class elements and an example are shown below. See Section 3.9.4
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
type?, ext-type?, TelephoneNumber, Description*, Description_ML*
Example:
"Telephone": {
"type": "wired", //ENUM
"TelephoneNumber": "+818012345678", //PHONE
"Description": ["Admin's moble"] //STRING
},
3.10. Discovery Class
The class elements and an example are shown below. See Section 3.10
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
source?, ext-source?, restriction?, ext-restriction?, Description*,
Description_ML*, Contact*, DetectionPattern*
Example:
"Discovery": {
"source": "nidps", //ENUM
"restriction": "need-to-know" //ENUM
"Contact": {...}, //Contact class
"DetectionPattern": {...}, //DetectionPattern class
"Description":["IDS provided an alert"] //STRING
}
}
3.10.1. DetectionPattern Class
The class elements and an example are shown below. See
Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
restriction?, ext-restriction?, observable-id?, Application,
Description*, Description_ML*, DetectionConfiguration*
Example:
"DetectionPattern": {
"Application": {...}, //SOFTWARE
"Description": ["The specified application
needs to be reviewed"], //STRING
}
}
3.11. Method Class
The class elements and an example are shown below. See Section 3.11
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, Reference*, Description*,
Description_ML*, AttackPattern*, Vulnerability*, Weakness*
Example:
"Method": {
"AttackPattern": {...} //StructuredInfo
"Vulnerability": {...} //StructuredInfo
}
3.11.1. Reference Class
The class elements and an example are shown below. See
Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
observable-id?, ReferenceName?, URL*, Description*, Description_ML*
Example:
"Reference":{
"URL":"http://www.nict.go.jp" //URL
}
3.12. Assessment Class
The class elements and an example are shown below. See Section 3.12
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
occurence?, restriction?, ext-restriction?, observable-id?,
IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
MitigationFactor_ML*, Cause*, Cause_ML*, Confidence?, AdditionalData*
Example:
"Assessment": {
"SystemImpact": {...}, //SystemImpact class
"BusinessImpact": {...}, //BusinessImpact class
"TimeImpact": {...}, //TimeImpact class
"MonetaryImpact": {...}, //MonetaryImpact class
"IntendedImpact": {...}, //IntendedImpact class
"Counter": "5", //Counter class
"MitigationFactor": ["Rebooting is required"] //STRING
"Cause": ["Malware Infection"] //STRING
}
}
3.12.1. SystemImpact Class
The class elements and an example are shown below. See
Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
severity?, completion?, type, ext-type?, Description*,
Description_ML*
Example:
"SystemImpact":{
"severity":"high", //ENUM
"completion": "successful" //ENUM
"type":"integrity-data" //ENUM
"Description": ["The web page was falsified"] //STRING
},
3.12.2. BusinessImpact Class
The class elements and an example are shown below. See
Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
severity?, ext-severity?, type, ext-type?, Description*,
Description_ML*
Example:
"BusinessImpact": {
"severity":"medium", //ENUM
"completion": "successful" //ENUM
"type": "degraded-reputation" //ENUM
"Description": ["The web page was falsified"] //STRING
}
3.12.3. TimeImpact Class
The class elements and an example are shown below. See
Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, severity?, metric, ext-metric?, duration?, ext-duration?
Example:
"TimeImpact":{
"time": "240" //REAL
"metric": "elapsed" //ENUM
"duration": "minutes" //ENUM
}
3.12.4. MonetaryImpact Class
The class elements and an example are shown below. See
Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, severity?, currency?
Example:
"MonetaryImpact":{
"money": "10000", //REAL
"severity": "medium", //ENUM
"currency": "USD", //STRING
}
3.12.5. Confidence Class
The class elements and an example are shown below. See
Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, rating, ext-rating?
Example:
"Confidence": {
"value": "5" //REAL
"rating": "medium" //ENUM
}
3.13. History Class
The class elements and an example are shown below. See Section 3.13
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, HistoryItem+
Example:
"History": {
"restriction": "need-to-know" //ENUM
"HistoryItem": { ... } //HistoryItem class
},
3.13.1. HistoryItem Class
The class elements and an example are shown below. See
Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
action, ext-action?, restriction?, ext-restriction?, observable-id?,
DateTime, IncidentID?, Contact?, Description*, Description_ML*,
DefinedCOA*, AdditionalData*
Example:
"HistoryItem": {
"action": "investigate" //ENUM
"restriction": "need-to-know" //ENUM
"DateTime": "2015-10-15T11:18:00-05:00", //DateTime
"IncidentID" { ...}, //IncidentID class
}
3.14. EventData Class
The class elements and an example are shown below. See Section 3.14
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, observable-id?, Description*,
Description_ML*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
ReportTime?, Contact*, Discovery*, Assessment?, Method*,
Expectation*, RecordData*, EventData*, AdditionalData*
Example:
"EventData": {
"ReportTime": "2016-06-01 18:05:33",
"Contact": { ...}, //Contact class
"Assessment": { ...}, //Assessment class
"Method": { ...}, //Method class
"System": { ... }, //System class
"Expectation": { ...}, //Expectation class
3.15. Expectation Class
The class elements and an example are shown below. See Section 3.15
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
action?, ext-action?, severity?, restriction?, ext-restriction?,
Description*, Description_ML*, DefinedCOA*, StartTime?, EndTime?,
Contact?
Example:
"Expectation": {
"action": "investigate" //ENUM
"severity": "medium" //ENUM
"restriction": "need-to-know" //ENUM
},
3.16. System Class
The class elements and an example are shown below. See Section 3.17
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
Service*, OperatingSystem*, Counter*, AssetID*, Description*,
Description_ML*, AdditionalData*
Example:
"System": {
"category": "source", //ENUM
"Node": { ... }, //Node class
"Service": { ... }, //Service class
},
3.17. Node Class
The class elements and an example are shown below. See Section 3.18
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
DomainData*, Address*, PostalAddress?, Location*, Location_ML*,
Counter*
Example:
"Node": {
"Address": { ... }, //Address class
"Location": ["OrgID=7"] //STRING
}
3.17.1. Address Class
The class elements and an example are shown below. See
Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, category, ext-category?, vlan-name?, vlan-num?, observable-id?
Example:
"Address": {
"value": """192.228.139.118", //STRING
"category": "ipv4-addr", //ENUM
},
3.17.2. NodeRole Class
The class elements and an example are shown below. See
Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
category, ext-category?, Description*, Description_ML*
Example:
"NodeRole": {
"category": "client" //ENUM
"Description": ["The computer at room A"] //STRING
},
3.17.3. Counter Class
The class elements and an example are shown below. See
Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, type, ext-type?, unit, ext-unit?, meaning?, meaning_ML?,
duration?, ext-duration?
Example:
"Counter": {
"value": "3", //REAL
"type": "count", //ENUM
"unit": "packet", //ENUM
"meaning": "The number of scan packets are counted" //STRING
}
3.18. DomainData Class
The class elements and an example are shown below. See Section 3.19
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
system-status, ext-system-status?, domain-status, ext-domain-status?,
observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?
Example:
"DomainData": {
"system-status": "innocent-hacked", //ENUM
"domain-status": "assignedAndInactive", //STRING
"Name": "temp1.nict.go.jp" //STRING
},
3.18.1. Nameserver Class
This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
Server, Address*
Example:
"NameServers": {
"Server": "vgw.nict.go.jp", //STRING
"Address": {
"AddressValue": "133.243.18.5", //STRING
"category": "ipv4-addr" //ENUM
}
}
3.18.2. DomainContacts Class
This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
SameDomainContact?, Contact+
Example:
"DomainContacts": {
"Contact": {
"role": "user", //ENUM
"type": "organization" //ENUM
}
}
3.19. Service Class
This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField+,
EmailData?, Application?
Example:
"Service": {
"ServiceName": {
"Description": ["It seems to be a scan from an infected machine."]
},
"ip-protocol": 6, //INTEGER
"Port": 49183 //INTEGER
}
3.19.1. ServiceName Class
This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
IANAService?, URL*, Description*, Description_ML*
Example:
"ServiceName": {
"IANAService": "telnet" //STRING
"URL": "https://en.wikipedia.org/wiki/Telnet" //STRING
"Description":["It is a scan from an infected machine."]//STRING
},
3.19.2. EmailData Class
This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
HashData*, Signature*
Example:
"EmailData":{
"EmailTo": "user1@example.org" //EMAIL
"EmailFrom": "user2@example.com" //EMAIL
"EmailSubject": "example email" //STRING
"EmailX-Mailer": "example mailer v1.1.0" //STRING
"EmailBody": "example email" //STRING
}
Note that Signature element in this class contains base64 encoded
form of signature as described in Section 4.2 of [W3C.XMLSIG].
3.19.3. RecordData Class
This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, observable-id?, DateTime?,
Description*, Description_ML*, Application?, RecordPattern*,
RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*,
CertificateData*, AdditionalData*
Example:
"RecordData": {
"RecordPattern": {
"type": "regex",
"value": "[0-9][A-Z]"
}
},
3.19.4. RecordPattern Class
This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
value
Example:
"RecordPattern": {
"type": "regex",
"value": "[0-9][A-Z]"
},
3.20. WindowsRegistryKeysModified Class
This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
observable-id?, Key+
Example:
"WindowsRegistryKeysModified": {
"Key": {
"KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
"KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING
}
}
3.20.1. Key Class
This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
registryaction?, ext-registryaction?, observable-id?, KeyName,
KeyValue?
Example:
"Key": {
"KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
"KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING
}
3.21. CertificateData Class
This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, observable-id?, Certificate+
Example:
"CertificateData": {
"Certificate": {
"X509Data": "xxxxxxxx" //STRING
}
}
3.21.1. Certificate Class
This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The
X509Data class contains base64 encoded form of X.509 certificate or
chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example
below represents how to describe this class in JSON.
Class elements:
observable-id?, X509Data, Description*, Description_ML*
Example:
"Certificate": {
"X509Data": "xxxxxxxx" //STRING
}
3.22. FileData Class
This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, observable-id?, File+
Example:
"FileData": {
"File": {
"FileName": "dummy.exe" //STRING
}
},
3.22.1. File Class
This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
Signature*, AssociatedSoftware?, FileProperties*
Example:
"File": {
"FileName": "dummy.exe" //STRING
}
Note that Signature element in this class contains base64 encoded
form of signature as described in Section 4.2 of [W3C.XMLSIG].
3.23. HashData Class
This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
scope, HashTargetID?, Hash*, FuzzyHash*
Example:
"HashData": {
"scope": "file-contents", //ENUM
"Hash": {
"DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1", //STRING
"DigestValue": "xxxxxxxxxxx" //STRING
}
}
3.23.1. Hash Class
This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
DigestMethod, DigestValue, CanonicalizationMethod?, Application?
Example:
"Hash": {
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
"DigestValue": "xxxxxxxxxxx" //STRING
}
3.23.2. FuzzyHash Class
This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
FuzzyHashValue+, Application?, AdditionalData?
Example:
"FuzzyHash": {
"FuzzyHashValue": {}
}
3.24. Indicator Class
This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
Description*, Description_ML*, StartTime?, EndTime?, Confidence?,
Contact*, Observable?, uid-ref?, IndicatorExpression?,
IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
AdditionalData*
Example:
"Indicator": {
"IndicatorID": {
"id": "G90823490", //STRING
"name": "csirt.example.com", //STRING
"version": "1" //STRING
},
"Description": ["C2 domains"], //STRING
"StartTime": "2014-12-02T11:18:00-05:00", //Datetime
"Observable": {
"BulkObservable": {
"type": "fqdn" //ENUM
},
"BulkObservableList": [
"kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING
]
}
}
3.24.1. IndicatorID Class
This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
id, name, version
Example:
"IndicatorID": {
"id": "G90823490", //STRING
"name": "csirt.example.com", //STRING
"version": "1" //STRING
}
3.24.2. AlternativeIndicatorID Class
This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, IndicatorReference+
Example:
"AlternativeIndicatorID": {
"IndicatorReference": {
"uid-ref": "xxxxx"
}
},
3.24.3. Observable Class
This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, System?, Address?, DomainData?,
Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
CertificateData?, RegistryHandle?, RecordData?, EventData?,
Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
HistoryItem?, BulkObservable?, AdditionalData*
Example:
"Observable": {
"BulkObservable": {
"type": "fqdn" //ENUM
},
"BulkObservableList": [
"kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING
]
}
3.24.4. BulkObservable Class
This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
type?, ext-type?, BulkObservableFormat?, BulkObservableList,
AdditionalData*
Example:
"BulkObservable": {
"type": "fqdn" //ENUM
},
"BulkObservableList": [
"kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING
]
3.24.5. BulkObservableFormat Class
This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
The example below represents how to describe this class in JSON.
Class elements:
Hash?, AdditionalData*
Example:
"BulkObservableFormat": {
"Hash": {
"DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1",//STRING
"DigestValue": "xxxxxxxxxxx" //STRING
}
}
3.24.6. IndicatorExpression Class
This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
operator?, ext-operator?, IndicatorExpression*, Observable*, uid-
ref*, IndicatorReference*, Confidence?, AdditionalData*
Example:
"IndicatorExpression": {
"uid-ref": "xxxxx"
}
3.24.7. IndicatorReference Class
This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
uid-ref?, euid-ref?, version?
Example:
"IndicatorReference": {
"uid-ref": "xxxxx"
} }
3.24.8. AttackPhase Class 3. IODEF JSON Data Model
This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
AttackPhaseID*, URL*, Description*, Description_ML*, AdditionalData* 3.1. Classes and Elements
Example: The following table shows the list of IODEF Classes, their elements,
and the corresponding section in [RFC7970]. Note that the complete
JSON schema is defined in Section 5.
"AttackPhase": { +-----------------------------+--------------------+---------------+
"Description": ["Currently, the infected host is scanning arbitrary hosts to find next targets."] //STRING | IODEF Class | Class | Corresponding |
} | | Elements and | Section |
| | Attribute | in [RFC7970] |
+-----------------------------+--------------------+---------------+
| IODEF-Document | version | 3.1 |
| | lang? | |
| | format-id? | |
| | private-enum-name? | |
| | private-enum-id? | |
| | Incident+ | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| Incident | purpose | 3.2 |
| | ext-purpose? | |
| | status? | |
| | ext-status? | |
| | lang? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | IncidentID | |
| | AlternativeID? | |
| | RelatedActivity* | |
| | DetectTime? | |
| | StartTime? | |
| | EndTime? | |
| | RecoveryTime? | |
| | ReportTime? | |
| | GenrationTime? | |
| | Description* | |
| | Description_ML* | |
| | Discovery* | |
| | Assessment* | |
| | Method* | |
| | Contact+ | |
| | EventData* | |
| | Indicator* | |
| | History? | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| IncidentID | id | 3.4 |
| | name | |
| | instance? | |
| | restriction? | |
| | ext-restriction? | |
+-----------------------------+--------------------+---------------+
| AlternativeID | restriction? | 3.5 |
| | ext-restriction? | |
| | IncidentID+ | |
+-----------------------------+--------------------+---------------+
| RelatedActivity | restriction? | 3.6 |
| | ext-restriction? | |
| | IncidentID* | |
| | URL* | |
| | ThreatActor* | |
| | Campaign* | |
| | IndicatorID* | |
| | Confidence? | |
| | Description* | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| ThreatActor | restriction? | 3.7 |
| | ext-restriction? | |
| | ThreatActorID* | |
| | URL* | |
| | Description* | |
| | Description_ML* | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| Campaign | restriction? | |
| | ext-restriction? | |
| | CampaignID* | |
| | URL* | |
| | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.8 |
+-----------------------------+--------------------+---------------+
| Contact | role | |
| | ext-role? | |
| | type | |
| | ext-type? | |
| | restriction? | |
| | ext-restriction? | |
| | ContactName*,ContactName_ML* | |
| | ContactTitle* | |
| | ContactTitle_ML* | |
| | Description* | |
| | Description_ML* | |
| | RegistryHandle* | |
| | PostalAddress* | |
| | Email* | |
| | Telephone* | |
| | Timezone? | |
| | Contact* | |
| | AdditionalData* | 3.9 |
+-----------------------------+--------------------+---------------+
| RegistryHandle | handle| | |
| | registry| | |
| | ext-registry? | 3.9.1 |
+-----------------------------+--------------------+---------------+
| PostalAddress | type?| | |
| | ext-type?| | |
| | PAddress| | |
| | Description*| | |
| | Description_ML* | 3.9.2 |
+-----------------------------+--------------------+---------------+
| Email | type? | |
| | ext-type? | |
| | EmailTo | |
| | Description* | |
| | Description_ML* | 3.9.3 |
+-----------------------------+--------------------+---------------+
| Telephone | type? | |
| | ext-type? | |
| | TelephoneNumber | |
| | Description* | |
| | Description_ML* | 3.9.4 |
+-----------------------------+--------------------+---------------+
| Discovery | source? | |
| | ext-source? | |
| | restriction? | |
| | ext-restriction? | |
| | Description* | |
| | Description_ML* | |
| | Contact* | |
| | DetectionPattern* | 3.10 |
+-----------------------------+--------------------+---------------+
| DetectionPattern | restriction? | 3.10.1 |
| | ext-restriction? | |
| | observable-id? | |
| | Application | |
| | Description* | |
| | Description_ML* | |
| | DetectionConfiguration* | |
+-----------------------------+--------------------+---------------+
| Method | restriction? | |
| | ext-restriction? | |
| | Reference* | |
| | Description* | |
| | Description_ML* | |
| | AttackPattern* | |
| | Vulnerability* | |
| | Weakness* | 3.11 |
+-----------------------------+--------------------+---------------+
| Reference | observable-id? | |
| | ReferenceName? | |
| | URL* | |
| | Description* | |
| | Description_ML* | 3.11.1 |
+-----------------------------+--------------------+---------------+
| Assessment | occurence? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | IncidentCategory* | |
| | SystemImpact* | |
| | BusinessImpact* | |
| | TimeImpact* | |
| | MonetaryImpact* | |
| | IntendedImpact* | |
| | Counter* | |
| | MitigationFactor* | |
| | MitigationFactor_ML*| |
| | Cause* | |
| | Cause_ML* | |
| | Confidence? | |
| | AdditionalData* | 3.12 |
+-----------------------------+--------------------+---------------+
| SystemImpact | severity? | |
| | completion? | |
| | type | |
| | ext-type? | |
| | Description* | |
| | Description_ML* | 3.12.1 |
+-----------------------------+--------------------+---------------+
| BusinessImpact | severity? | |
| | ext-severity? | |
| | type | |
| | ext-type? | |
| | Description* | |
| | Description_ML* | 3.12.2 |
+-----------------------------+--------------------+---------------+
| TimeImpact | value | |
| | severity? | |
| | metric | |
| | ext-metric? | |
| | duration? | |
| | ext-duration? | 3.12.3 |
+-----------------------------+--------------------+---------------+
| MonetaryImpact | value | |
| | severity? | |
| | currency? | 3.12.4 |
+-----------------------------+--------------------+---------------+
| Confidence | value | |
| | rating | |
| | ext-rating? | 3.12.5 |
+-----------------------------+--------------------+---------------+
| History | restriction? | |
| | ext-restriction? | |
| | HistoryItem+ | 3.13 |
+-----------------------------+--------------------+---------------+
| HistoryItem | action | |
| | ext-action? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | DateTime | |
| | IncidentID? | |
| | Contact? | |
| | Description* | |
| | Description_ML* | |
| | DefinedCOA* | |
| | AdditionalData* | 3.13.1 |
+-----------------------------+--------------------+---------------+
| EventData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | Description* | |
| | Description_ML* | |
| | DetectTime? | |
| | StartTime? | |
| | EndTime? | |
| | RecoveryTime? | |
| | ReportTime? | |
| | Contact* | |
| | Discovery* | |
| | Assessment? | |
| | Method* | |
| | Expectation* | |
| | RecordData* | |
| | EventData* | |
| | AdditionalData* | 3.14 |
+-----------------------------+--------------------+---------------+
| Expectation | action? | |
| | ext-action? | |
| | severity? | |
| | restriction? | |
| | ext-restriction? | |
| | Description* | |
| | Description_ML* | |
| | DefinedCOA* | |
| | StartTime? | |
| | EndTime? | |
| | Contact? | 3.15 |
+-----------------------------+--------------------+---------------+
| System | category? | |
| | ext-category? | |
| | interface? | |
| | spoofed? | |
| | virtual? | |
| | ownership? | |
| | ext-ownership? | |
| | restriction? | |
| | ext-restriction? | |
| | Node | |
| | NodeRole* | |
| | Service* | |
| | OperatingSystem* | |
| | Counter* | |
| | AssetID* | |
| | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.16 |
+-----------------------------+--------------------+---------------+
| Node | DomainData* | |
| | Address* | |
| | PostalAddress? | |
| | Location* | |
| | Location_ML* | |
| | Counter* | 3.17 |
+-----------------------------+--------------------+---------------+
| Address | value | |
| | category | |
| | ext-category? | |
| | vlan-name? | |
| | vlan-num? | |
| | observable-id? | 3.17.1 |
+-----------------------------+--------------------+---------------+
| NodeRole | category | |
| | ext-category? | |
| | Description* | |
| | Description_ML* | 3.17.2 |
+-----------------------------+--------------------+---------------+
| Counter | value | |
| | type | |
| | ext-type? | |
| | unit | |
| | ext-unit? | |
| | meaning? | |
| | meaning_ML? | |
| | duration? | |
| | ext-duration? | 3.17.3 |
+-----------------------------+--------------------+---------------+
| DomainData | system-status | |
| | ext-system-status? | |
| | domain-status | |
| | ext-domain-status? | |
| | observable-id? | |
| | Name | |
| | DateDomainWasChecked?| |
| | RegistrationDate? | |
| | ExpirationDate ?| |
| | RelatedDNS* | |
| | Nameservers* | |
| | DomainContacts? | 3.18 |
+-----------------------------+--------------------+---------------+
| Nameserver | Server | |
| | Address* | 3.18.1 |
+-----------------------------+--------------------+---------------+
| DomainContacts | SameDomainContact? | |
| | Contact+ | 3.18.2 |
+-----------------------------+--------------------+---------------+
| Service | ip-protocol? | |
| | observable-id? | |
| | ServiceName? | |
| | Port? | |
| | Portlist? | |
| | ProtoCode? | |
| | ProtoType? | |
| | ProtoField? | |
| | ApplicationHeaderField+| |
| | EmailData? | |
| | Application? | 3.19 |
+-----------------------------+--------------------+---------------+
| ServiceName | IANAService? | |
| | URL* | |
| | Description* | |
| | Description_ML* | 3.19.1 |
+-----------------------------+--------------------+---------------+
| EmailData | observable-id? | |
| | EmailTo* | |
| | EmailFrom? | |
| | EmailSubject? | |
| | EmailX-Mailer? | |
| | EmailHeaderField* | |
| | EmailHeaders? | |
| | EmailBody? | |
| | EmailMessage? | |
| | HashData* | |
| | Signature* | 3.19.2 |
+-----------------------------+--------------------+---------------+
| RecordData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | DateTime? | |
| | Description* | |
| | Description_ML* | |
| | Application? | |
| | RecordPattern* | |
| | RecordItem* | |
| | URL* | |
| | FileData* | |
| | WindowsRegistryKeysModified*| |
| | CertificateData* | |
| | AdditionalData* | 3.19.3 |
+-----------------------------+--------------------+---------------+
| RecordPattern | type | |
| | ext-type? | |
| | offset? | |
| | offsetunit? | |
| | ext-offsetunit? | |
| | instance? | |
| | value | 3.19.4 |
+-----------------------------+--------------------+---------------+
| WindowsRegistryKeysModified | observable-id? | 3.20 |
| | Key+ | |
+-----------------------------+--------------------+---------------+
| Key | registryaction? | |
| | ext-registryaction?| |
| | observable-id? | |
| | KeyName | |
| | KeyValue? | 3.20.1 |
+-----------------------------+--------------------+---------------+
| CertificateData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | Certificate+ | 3.21 |
+-----------------------------+--------------------+---------------+
| Certificate | observable-id? | |
| | X509Data | |
| | Description* | |
| | Description_ML* | 3.21.1 |
+-----------------------------+--------------------+---------------+
| FileData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | File+ | 3.22 |
+-----------------------------+--------------------+---------------+
| File | observable-id? | |
| | FileName? | |
| | FileSize? | |
| | FileType? | |
| | URL* | |
| | HashData? | |
| | Signature* | |
| | AssociatedSoftware?| |
| | FileProperties* | 3.22.1 |
+-----------------------------+--------------------+---------------+
| HashData | scope | |
| | HashTargetID? | |
| | Hash* | |
| | FuzzyHash* | 3.23 |
+-----------------------------+--------------------+---------------+
| Hash | DigestMethod | |
| | DigestValue | |
| | CanonicalizationMethod?| |
| | Application? | 3.23.1 |
+-----------------------------+--------------------+---------------+
| FuzzyHash | FuzzyHashValue+ | |
| | Application? | |
| | AdditionalData? | 3.23.2 |
+-----------------------------+--------------------+---------------+
| Indicator | restriction? | |
| | ext-restriction? | |
| | IndicatorID | |
| | AlternativeIndicatorID*| |
| | Description* | |
| | Description_ML* | |
| | StartTime? | |
| | EndTime? | |
| | Confidence? | |
| | Contact* | |
| | Observable? | |
| | uid-ref? | |
| | IndicatorExpression?| |
| | IndicatorReference?| |
| | NodeRole* | |
| | AttackPhase* | |
| | Reference* | |
| | AdditionalData* | 3.24 |
+-----------------------------+--------------------+---------------+
| IndicatorID | id | |
| | name | |
| | version | 3.24.1 |
+-----------------------------+--------------------+---------------+
| AlternativeIndicatorID | restriction? | |
| | ext-restriction? | |
| | IndicatorReference+| 3.24.2 |
+-----------------------------+--------------------+---------------+
| Observable | restriction? | |
| | ext-restriction? | |
| | System? | |
| | Address? | |
| | DomainData? | |
| | Service? | |
| | EmailData? | |
| | WindowsRegistryKeysModified?| |
| | FileData? | |
| | CertificateData? | |
| | RegistryHandle? | |
| | RecordData? | |
| | EventData? | |
| | Incident? | |
| | Expectation? | |
| | Reference? | |
| | Assessment? | |
| | DetectionPattern? | |
| | HistoryItem? | |
| | BulkObservable? | |
| | AdditionalData* | 3.24.3 |
+-----------------------------+--------------------+---------------+
| BulkObservable | type? | |
| | ext-type? | |
| | BulkObservableFormat?| |
| | BulkObservableList | |
| | AdditionalData* | 3.24.4 |
+-----------------------------+--------------------+---------------+
| BulkObservableFormat | Hash? | |
| | AdditionalData* | 3.24.5 |
+-----------------------------+--------------------+---------------+
| IndicatorExpression | operator? | |
| | ext-operator? | |
| | IndicatorExpression*| |
| | Observable* | |
| | uid-ref* | |
| | IndicatorReference*| |
| | Confidence? | |
| | AdditionalData* | 3.24.6 |
+-----------------------------+--------------------+---------------+
| IndicatorReference | uid-ref? | |
| | euid-ref? | |
| | version? | 3.24.7 |
+-----------------------------+--------------------+---------------+
| AttackPhase | AttackPhaseID* | |
| | URL* | |
| | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.24.8 |
+-----------------------------+--------------------+---------------+
4. Notable differences from RFC 7970 3.2. Mapping between JSON and XML IODEF
o This document treats attributes and elements of each class defined o This document treats attributes and elements of each class defined
in RFC 7970 [RFC7970] equally and is agnostic on the order of in [RFC7970] equally and is agnostic on the order of their
their appearances. appearances.
o Flow class is deleted, and classes with its instances now directly o Flow class is deleted, and classes with its instances now directly
have instances of EventData class that used to belong to the Flow have instances of EventData class that used to belong to the Flow
classs. classs.
o ApplicationHeader class is deleted, and classes with its instances o ApplicationHeader class is deleted, and classes with its instances
now directly have instances of ApplicationHeaderField class that now directly have instances of ApplicationHeaderField class that
used to belong to the ApplicationHeader class. used to belong to the ApplicationHeader class.
o SignatureData class is deleted, and classes with its instances now o SignatureData class is deleted, and classes with its instances now
skipping to change at page 32, line 38 skipping to change at page 16, line 41
directly have the instances of Indicator class that used to belong directly have the instances of Indicator class that used to belong
to the IndicatorData class. to the IndicatorData class.
o ObservableReference class is deleted, and classes with its o ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element. instances now directly have uid-ref as an element.
o Record class is deleted, and classes with its instances now o Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to directly have the instances of RecordData class that used to
belong to the Record class. belong to the Record class.
o The elements of ML_STRING type are prepared as two separatem o The elements of ML_STRING type are prepared as two separate
elements: one of STRING type and another of ML_STRING type, in elements: one of STRING type and another of ML_STRING type, in
order to maintain the simplicity of IODEF docuemnts when writing order to maintain the simplicity of IODEF documents when writing
with only STRING type characters. with only STRING type characters.
5. Examples 4. Examples
This section provides example of IODEF documents. These examples do This section provides example of IODEF documents. These examples do
not represent the full capabilities of the data model or the the only not represent the full capabilities of the data model or the the only
way to encode particular information. way to encode particular information.
5.1. Minimal Example 4.1. Minimal Example
A document containing only the mandatory elements and attributes. A document containing only the mandatory elements and attributes.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [ "Incident": [
{ {
"purpose": "reporting", "purpose": "reporting",
"restriction": "private", "restriction": "private",
skipping to change at page 33, line 34 skipping to change at page 17, line 34
"role": "creator", "role": "creator",
"email": { "email": {
"emailTo": "contact@csirt.example.com" "emailTo": "contact@csirt.example.com"
} }
} }
] ]
} }
] ]
} }
5.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign. An example of C2 domains from a given campaign.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incidents": [ "Incidents": [
{ {
"purpose": "watch", "purpose": "watch",
"restriction": "green", "restriction": "green",
skipping to change at page 35, line 15 skipping to change at page 19, line 15
"klknjwfjiowjefr923.example.org", "klknjwfjiowjefr923.example.org",
"oimireik79msd.example.org" "oimireik79msd.example.org"
] ]
} }
} }
] ]
} }
] ]
} }
6. The IODEF Data Model (JSON Schema) 5. The IODEF Data Model (JSON Schema)
{ "$schema": "http://json-schema.org/draft-04/schema#", { "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": { "definitions": {
"action": {"enum": ["nothing","contact-source-site","contact-target-site", "action": {"enum": ["nothing","contact-source-site","contact-target-site",
"contact-sender", "investigate","block-host","block-network", "contact-sender", "investigate","block-host","block-network",
"block-port","rate-limit-host","rate-limit-network", "block-port","rate-limit-host","rate-limit-network",
"rate-limit-port","redirect-traffic","honeypot", "rate-limit-port","redirect-traffic","honeypot",
"upgrade-software","rebuild-asset","harden-asset", "upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info", "remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","ext-value"]}, "watch-and-report","training","defined-coa","ext-value"]},
skipping to change at page 54, line 4 skipping to change at page 38, line 4
"version": {"type": "string"}, "version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"}, "format-id": {"type": "string"},
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}}, "type": "array","items": {"$ref": "#/definitions/Incident"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"], "required": ["version","Incident"],
"additionalProperties": false} "additionalProperties": false}
Figure 1: JSON schema Figure 2: JSON schema
7. Acknowledgements 6. Acknowledgements
TBD. TBD.
8. IANA Considerations 7. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
9. Security Considerations 8. Security Considerations
This memo does not provide any further security considerations than This memo does not provide any further security considerations than
the one described in RFC 7970 [RFC7970]. the one described in [RFC7970].
10. References
10.1. Normative References 9. Normative References
[jsonschema] [jsonschema]
"JSON Schema", 2006. "JSON Schema", 2006.
http://json-schema.org/ http://json-schema.org/
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange [RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970, Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>. November 2016, <https://www.rfc-editor.org/info/rfc7970>.
10.2. Informative References
[DOMINATION]
Mad Dominators, Inc., "Ultimate Plan for Taking Over the
World", 1984, <http://www.example.com/dominator.html>.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
DOI 10.17487/RFC2629, June 1999,
<https://www.rfc-editor.org/info/rfc2629>.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003,
<https://www.rfc-editor.org/info/rfc3552>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<https://www.rfc-editor.org/info/rfc5226>.
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
Email: takeshi_takahashi@nict.go.jp Email: takeshi_takahashi@nict.go.jp
 End of changes. 41 change blocks. 
1374 lines changed or deleted 600 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/