draft-ietf-mile-jsoniodef-04.txt   draft-ietf-mile-jsoniodef-05.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: January 18, 2019 CERT Expires: April 25, 2019 CERT
M. Suzuki M. Suzuki
NICT NICT
July 17, 2018 October 22, 2018
JSON binding of IODEF CBOR/JSON binding of IODEF
draft-ietf-mile-jsoniodef-04 draft-ietf-mile-jsoniodef-05
Abstract Abstract
RFC7970 specified an information model and a corresponding XML data RFC7970 specified an information model and a corresponding XML data
model for exchanging incident and indicator information. This draft model for exchanging incident and indicator information. This draft
provides an alternative data model implementation in JSON. provides an alternative data model implementation in JSON.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
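Review bot: The abstract was not updated along with the title. The -05 title reads "CBOR/JSON binding of IODEF", but the abstract still ends with "provides an alternative data model implementation in JSON." Suggest either mentioning CBOR in the abstract or keeping the old title, so implementers can tell from the front matter which encodings this draft specifies.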
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2019. This Internet-Draft will expire on April 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 13
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3
2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 4 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5
2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 4 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5
2.2.2. Software and SoftwareReference . . . . . . . . . . . 5 2.2.2. Software and SoftwareReference . . . . . . . . . . . 6
2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 5 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6
2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 6 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7
3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 6 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 6 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7
3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 16 3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 17
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 17 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18
4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 18 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 18
5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 20 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 20
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
8. Security Considerations . . . . . . . . . . . . . . . . . . . 35 8. Security Considerations . . . . . . . . . . . . . . . . . . . 35
9. Normative References . . . . . . . . . . . . . . . . . . . . 35 9. Normative References . . . . . . . . . . . . . . . . . . . . 35
Appendix A. The IODEF Data Model (JSON Schema) . . . . . . . . . 35 Appendix A. The IODEF Data Model (JSON Schema) . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
1. Introduction 1. Introduction
[RFC7970] defines a data representation for security incident reports [RFC7970] defines a data representation for security incident reports
and indicators commonly exchanged by operational security teams. It and indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable facilitates the automated exchange of this information to enable
mitigation and watch-and-warning. Section 3 of [RFC7970] defined an mitigation and watch-and-warning. Section 3 of [RFC7970] defined an
information model using Unified Modeling Language (UML) and a information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in corresponding Extensible Markup Language (XML) schema data model in
Section 8. This UML-based information model and XML-based data model Section 8. This UML-based information model and XML-based data model
are referred to as IODEF UML and IODEF XML, respectively in this are referred to as IODEF UML and IODEF XML, respectively in this
document. document.
This document defines an alternate implementation of the IODEF UML This document defines an alternate implementation of the IODEF UML
information model by specifying a JavaScript Object Notation (JSON) information model by specifying a JavaScript Object Notation (JSON)
data model using JSON Schema [jsonschema]. This JSON data model is data model using CDDL and JSON Schema [jsonschema]. This JSON data
referred to as IODEF JSON in this document. model is referred to as IODEF JSON in this document.
IODEF JSON provides all of the expressivity of IODEF XML. It gives IODEF JSON provides all of the expressivity of IODEF XML. It gives
implementers and operators an alternative format to exchange the same implementers and operators an alternative format to exchange the same
information. information.
The normative IODEF JSON data model is found in Section 5. Section 2 The normative IODEF JSON data model is found in Section 5. Section 2
and Section 3 describe the data types and elements of this data and Section 3 describe the data types and elements of this data
model. Section 4 provides examples. model. Section 4 provides examples.
1.1. Requirements Language 1.1. Requirements Language
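Review bot: In the Introduction, the new wording "data model using CDDL and JSON Schema [jsonschema]" gives a citation for JSON Schema but none for CDDL, and the model is still named "IODEF JSON" with no mention of the CBOR binding that the new title announces. Suggest adding a CDDL reference at this point. Since the next paragraph names Section 5 (now CDDL) as normative, it would also help to state the status of the JSON Schema in Appendix A, because validators generated from the two schemas could accept different documents.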
skipping to change at page 4, line 23 skipping to change at page 4, line 23
| ML_STRING | Section 2.4 | see Section 2.2.1 | | ML_STRING | Section 2.4 | see Section 2.2.1 |
| BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE | Section 2.5.1 | "string" per [jsonschema] |
| BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] |
| HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] |
| HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] |
| ENUM | Section 2.6 | "enum" array per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] |
| DATETIME | Section 2.7 | "string" per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] |
| TIMEZONE | Section 2.8 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] |
| PORTLIST | Section 2.9 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] |
| POSTAL | Section 2.10 | "string" per [jsonschema] | | POSTAL | Section 2.10 | "string" per [jsonschema] |
| POSTAL_ML | Section 2.10 | see ML_STRING, Section 2.2.1 | | | | / ML_STRING, Section 2.2.1 |
| PHONE | Section 2.11 | "string" per [jsonschema] | | PHONE | Section 2.11 | "string" per [jsonschema] |
| EMAIL | Section 2.12 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] |
| URL | Section 2.13 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] |
| ID | Section 2.14 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] |
| IDREF | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] |
| SOFTWARE | Section 2.15 | see Section 2.2.2 | | SOFTWARE | Section 2.15 | see Section 2.2.2 |
| STRUCTURED | RFC 7213 | see Section 2.2.3 | | STRUCTURED | RFC 7213 | see Section 2.2.3 |
| EXTENSION | Section 2.16 | see Section 2.2.4 | | EXTENSION | Section 2.16 | see Section 2.2.4 |
+-----------------+-------------------+-------------------------------+ +-----------------+-------------------+-------------------------------+
Figure 1 Figure 1
+-----------------+------------------+-------------------------------------+
| IODEF Data Type | CBOR Data Type | CDDL prelude |
| | | [draft-ietf-cbor-cddl-05] Reference |
+-----------------+------------------+-------------------------------------+
| INTEGER | 6 tag 2, 6 tag 3 | integer |
| REAL | 7 bits 26 | float32 |
| CHARACTER | 3 text string | text |
| STRING | 3 text string | text |
| ML_STRING | 5 map | see Maps/Structs, Section 3.5.1 |
| BYTE | 6 tag 22 | eb64legacy |
| BYTE[] | 6 tag 22 | eb64legacy |
| HEXBIN | 2 byte string | bytes |
| HEXBIN[] | 2 byte string | bytes |
| ENUM | - | see Choices, Section 2.2.2 |
| DATETIME | 6 tag 0 | tdate |
| TIMEZONE | 3 text string | text |
| PORTLIST | 3 text string | text |
| POSTAL | 3 text string | text |
| | | / see Maps/Structs, Section 3.5.1 |
| PHONE | 3 text string | text |
| EMAIL | 3 text string | text |
| URL | 6 tag 32 | uri |
| ID | 3 text string | text |
| IDREF | 3 text string | text |
| SOFTWARE | 5 map | see Maps/Structs, Section 3.5.1 |
| STRUCTURED | 5 map | see Maps/Structs, Section 3.5.1 |
| EXTENSION | 5 map | see Maps/Structs, Section 3.5.1 |
+-----------------+------------------+-------------------------------------+
Figure 2
2.2. Complex JSON Types 2.2. Complex JSON Types
2.2.1. Multilingual Strings 2.2.1. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in different than the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id" implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 5. Examples are shown below. elements as defined in Section 5. Examples are shown below.
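Review bot: In the new Figure 2, the third column mixes section numbers without saying which document they belong to: "see Choices, Section 2.2.2" and "see Maps/Structs, Section 3.5.1" appear to point into [draft-ietf-cbor-cddl-05], yet Section 2.2.2 of this draft is "Software and SoftwareReference". Suggest qualifying each entry (for example "Section 2.2.2 of [draft-ietf-cbor-cddl-05]"). The INTEGER row also lists only "6 tag 2, 6 tag 3" as the CBOR type while the CDDL column says "integer"; if ordinary CBOR integers are intended as well, the row should say so. The heading "2.2. Complex JSON Types" that follows is unchanged even though this section now covers CBOR too.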
skipping to change at page 5, line 10 skipping to change at page 6, line 10
"value": "free-form text", //STRING "value": "free-form text", //STRING
"lang": "en", //ENUM "lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING "translation-id": "jp2en0023" //STRING
} }
2.2.2. Software and SoftwareReference 2.2.2. Software and SoftwareReference
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", type is implemented as an object with "SoftwareReference", "URL", and
"Description", and "Description_ML" elements as defined in Section 5. "Description" elements as defined in Section 5. Examples are shown
Examples are shown below. below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference "SoftwareReference": {...}, //SoftwareReference
"Description": ["MS Windows"] //STRING "Description": ["MS Windows"] //STRING
} }
SoftwareReference class is a reference to a particular version of SoftwareReference class is a reference to a particular version of
software. Examples are shown below. software. Examples are shown below.
"SoftwareReference": { "SoftwareReference": {
skipping to change at page 6, line 28 skipping to change at page 7, line 28
"dtype": "string", //String "dtype": "string", //String
"meaning": "Syslog from the security appliance X", //String "meaning": "Syslog from the security appliance X", //String
} }
3. IODEF JSON Data Model 3. IODEF JSON Data Model
3.1. Classes and Elements 3.1. Classes and Elements
The following table shows the list of IODEF Classes, their elements, The following table shows the list of IODEF Classes, their elements,
and the corresponding section in [RFC7970]. Note that the complete and the corresponding section in [RFC7970]. Note that the complete
JSON schema is defined in Section 5. JSON schema is defined in Section 5 usind CDDL.
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IODEF Class | Class | Corresponding | | IODEF Class | Class | Corresponding |
| | Elements and | Section | | | Elements and | Section |
| | Attribute | in [RFC7970] | | | Attribute | in [RFC7970] |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IODEF-Document | version | 3.1 | | IODEF-Document | version | 3.1 |
| | lang? | | | | lang? | |
| | format-id? | | | | format-id? | |
| | private-enum-name? | | | | private-enum-name? | |
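Review bot: The new sentence in Section 3.1 has a typo, "defined in Section 5 usind CDDL", and it still calls the result a "JSON schema" although it is now expressed in CDDL. Suggest "Note that the complete data model is defined in Section 5 using CDDL." Separately, the example just above this sentence ends with "meaning": "Syslog from the security appliance X", followed directly by the closing brace; the trailing comma is not valid JSON and strict parsers will reject a document copied from it.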
skipping to change at page 7, line 12 skipping to change at page 8, line 12
| | IncidentID | | | | IncidentID | |
| | AlternativeID? | | | | AlternativeID? | |
| | RelatedActivity* | | | | RelatedActivity* | |
| | DetectTime? | | | | DetectTime? | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | RecoveryTime? | | | | RecoveryTime? | |
| | ReportTime? | | | | ReportTime? | |
| | GenerationTime | | | | GenerationTime | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | Discovery* | | | | Discovery* | |
| | Assessment* | | | | Assessment* | |
| | Method* | | | | Method* | |
| | Contact+ | | | | Contact+ | |
| | EventData* | | | | EventData* | |
| | Indicator* | | | | Indicator* | |
| | History? | | | | History? | |
| | AdditionalData* | | | | AdditionalData* | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IncidentID | id | 3.4 | | IncidentID | id | 3.4 |
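Review bot: The "Description_ML*" row is removed from the Incident class, but nothing in the remaining "Description*" row shows that it can still carry a multilingual value. The same removal repeats for most classes later in this table. Suggest adding a sentence before the table (or a type column) stating that elements which previously had an "_ML" variant now accept either a plain string or an ML_STRING object, so that consumers written against -04 know to handle both shapes in one field instead of assuming a string.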
skipping to change at page 7, line 48 skipping to change at page 8, line 47
| | IndicatorID* | | | | IndicatorID* | |
| | Confidence? | | | | Confidence? | |
| | Description* | | | | Description* | |
| | AdditionalData* | | | | AdditionalData* | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| ThreatActor | restriction? | 3.7 | | ThreatActor | restriction? | 3.7 |
| | ext-restriction? | | | | ext-restriction? | |
| | ThreatActorID* | | | | ThreatActorID* | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | AdditionalData* | | | | AdditionalData* | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Campaign | restriction? | | | Campaign | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | CampaignID* | | | | CampaignID* | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.8 | | | AdditionalData* | 3.8 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Contact | role | | | Contact | role | |
| | ext-role? | | | | ext-role? | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | ContactName*, | | | | ContactName*, | |
| | ContactName_ML*, | |
| | ContactTitle* | | | | ContactTitle* | |
| | ContactTitle_ML* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | RegistryHandle* | | | | RegistryHandle* | |
| | PostalAddress* | | | | PostalAddress* | |
| | Email* | | | | Email* | |
| | Telephone* | | | | Telephone* | |
| | Timezone? | | | | Timezone? | |
| | Contact* | | | | Contact* | |
| | AdditionalData* | 3.9 | | | AdditionalData* | 3.9 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RegistryHandle | handle | | | RegistryHandle | handle | |
| | registry | | | | registry | |
| | ext-registry? | 3.9.1 | | | ext-registry? | 3.9.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| PostalAddress | type? | | | PostalAddress | type? | |
| | ext-type? | | | | ext-type? | |
| | PAddress | | | | PAddress | |
| | Description* | | | | Description* | 3.9.2 |
| | Description_ML* | 3.9.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Email | type? | | | Email | type? | |
| | ext-type? | | | | ext-type? | |
| | EmailTo | | | | EmailTo | |
| | Description* | | | | Description* | 3.9.3 |
| | Description_ML* | 3.9.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Telephone | type? | | | Telephone | type? | |
| | ext-type? | | | | ext-type? | |
| | TelephoneNumber | | | | TelephoneNumber | |
| | Description* | | | | Description* | 3.9.4 |
| | Description_ML* | 3.9.4 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Discovery | source? | | | Discovery | source? | |
| | ext-source? | | | | ext-source? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | Contact* | | | | Contact* | |
| | DetectionPattern* | 3.10 | | | DetectionPattern* | 3.10 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DetectionPattern | restriction? | 3.10.1 | | DetectionPattern | restriction? | 3.10.1 |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | Application | | | | Application | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | DetectionConfiguration* | | | | DetectionConfiguration* | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Method | restriction? | | | Method | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Reference* | | | | Reference* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | AttackPattern* | | | | AttackPattern* | |
| | Vulnerability* | | | | Vulnerability* | |
| | Weakness* | | | | Weakness* | |
| | AdditionalData* | 3.11 | | | AdditionalData* | 3.11 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Reference | observable-id? | | | Reference | observable-id? | |
| | ReferenceName? | | | | ReferenceName? | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | 3.11.1 |
| | Description_ML* | 3.11.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Assessment | occurence? | | | Assessment | occurence? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | IncidentCategory* | | | | IncidentCategory* | |
| | SystemImpact* | | | | SystemImpact* | |
| | BusinessImpact* | | | | BusinessImpact* | |
| | TimeImpact* | | | | TimeImpact* | |
| | MonetaryImpact* | | | | MonetaryImpact* | |
| | IntendedImpact* | | | | IntendedImpact* | |
| | Counter* | | | | Counter* | |
| | MitigatingFactor* | | | | MitigatingFactor* | |
| | MitigatingFactor_ML*| |
| | Cause* | | | | Cause* | |
| | Cause_ML* | |
| | Confidence? | | | | Confidence? | |
| | AdditionalData* | 3.12 | | | AdditionalData* | 3.12 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| SystemImpact | severity? | | | SystemImpact | severity? | |
| | completion? | | | | completion? | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | Description* | | | | Description* | 3.12.1 |
| | Description_ML* | 3.12.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| BusinessImpact | severity? | | | BusinessImpact | severity? | |
| | ext-severity? | | | | ext-severity? | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | Description* | | | | Description* | 3.12.2 |
| | Description_ML* | 3.12.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| TimeImpact | value | | | TimeImpact | value | |
| | severity? | | | | severity? | |
| | metric | | | | metric | |
| | ext-metric? | | | | ext-metric? | |
| | duration? | | | | duration? | |
| | ext-duration? | 3.12.3 | | | ext-duration? | 3.12.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| MonetaryImpact | value | | | MonetaryImpact | value | |
| | severity? | | | | severity? | |
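Review bot: In the Assessment row the attribute is spelled "occurence?" in both columns, which looks like a misspelling of "occurrence"; an implementer copying names from this table would emit a key that does not match the schema. While the Contact row is being edited to drop "ContactName_ML*,", the surviving "ContactName*," keeps a trailing comma that no other entry in the table has. Suggest correcting both in this revision.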
skipping to change at page 10, line 50 skipping to change at page 11, line 33
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| HistoryItem | action | | | HistoryItem | action | |
| | ext-action? | | | | ext-action? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | DateTime | | | | DateTime | |
| | IncidentID? | | | | IncidentID? | |
| | Contact? | | | | Contact? | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | DefinedCOA* | | | | DefinedCOA* | |
| | AdditionalData* | 3.13.1 | | | AdditionalData* | 3.13.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| EventData | restriction? | | | EventData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | DetectTime? | | | | DetectTime? | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | RecoveryTime? | | | | RecoveryTime? | |
| | ReportTime? | | | | ReportTime? | |
| | Contact* | | | | Contact* | |
| | Discovery* | | | | Discovery* | |
| | Assessment? | | | | Assessment? | |
| | Method* | | | | Method* | |
| | System* | | | | System* | |
skipping to change at page 11, line 32 skipping to change at page 12, line 13
| | RecordData* | | | | RecordData* | |
| | EventData* | | | | EventData* | |
| | AdditionalData* | 3.14 | | | AdditionalData* | 3.14 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Expectation | action? | | | Expectation | action? | |
| | ext-action? | | | | ext-action? | |
| | severity? | | | | severity? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | DefinedCOA* | | | | DefinedCOA* | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | Contact? | 3.15 | | | Contact? | 3.15 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| System | category? | | | System | category? | |
| | ext-category? | | | | ext-category? | |
| | interface? | | | | interface? | |
| | spoofed? | | | | spoofed? | |
| | virtual? | | | | virtual? | |
skipping to change at page 12, line 6 skipping to change at page 12, line 34
| | ext-ownership? | | | | ext-ownership? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Node | | | | Node | |
| | NodeRole* | | | | NodeRole* | |
| | Service* | | | | Service* | |
| | OperatingSystem* | | | | OperatingSystem* | |
| | Counter* | | | | Counter* | |
| | AssetID* | | | | AssetID* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.16 | | | AdditionalData* | 3.16 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Node | DomainData* | | | Node | DomainData* | |
| | Address* | | | | Address* | |
| | PostalAddress? | | | | PostalAddress? | |
| | Location* | | | | Location* | |
| | Location_ML* | |
| | Counter* | 3.17 | | | Counter* | 3.17 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Address | value | | | Address | value | |
| | category | | | | category | |
| | ext-category? | | | | ext-category? | |
| | vlan-name? | | | | vlan-name? | |
| | vlan-num? | | | | vlan-num? | |
| | observable-id? | 3.17.1 | | | observable-id? | 3.17.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| NodeRole | category | | | NodeRole | category | |
| | ext-category? | | | | ext-category? | |
| | Description* | | | | Description* | 3.17.2 |
| | Description_ML* | 3.17.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Counter | value | | | Counter | value | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | unit | | | | unit | |
| | ext-unit? | | | | ext-unit? | |
| | meaning? | | | | meaning? | |
| | meaning_ML? | |
| | duration? | | | | duration? | |
| | ext-duration? | 3.17.3 | | | ext-duration? | 3.17.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DomainData | system-status | | | DomainData | system-status | |
| | ext-system-status? | | | | ext-system-status? | |
| | domain-status | | | | domain-status | |
| | ext-domain-status? | | | | ext-domain-status? | |
| | observable-id? | | | | observable-id? | |
| | Name | | | | Name | |
| | DateDomainWasChecked?| | | | DateDomainWasChecked?| |
skipping to change at page 13, line 23 skipping to change at page 13, line 47
| | Portlist? | | | | Portlist? | |
| | ProtoCode? | | | | ProtoCode? | |
| | ProtoType? | | | | ProtoType? | |
| | ProtoField? | | | | ProtoField? | |
| | ApplicationHeaderField*| | | | ApplicationHeaderField*| |
| | EmailData? | | | | EmailData? | |
| | Application? | 3.19 | | | Application? | 3.19 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| ServiceName | IANAService? | | | ServiceName | IANAService? | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | 3.19.1 |
| | Description_ML* | 3.19.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| EmailData | observable-id? | | | EmailData | observable-id? | |
| | EmailTo* | | | | EmailTo* | |
| | EmailFrom? | | | | EmailFrom? | |
| | EmailSubject? | | | | EmailSubject? | |
| | EmailX-Mailer? | | | | EmailX-Mailer? | |
| | EmailHeaderField* | | | | EmailHeaderField* | |
| | EmailHeaders? | | | | EmailHeaders? | |
| | EmailBody? | | | | EmailBody? | |
| | EmailMessage? | | | | EmailMessage? | |
| | HashData* | | | | HashData* | |
| | Signature* | 3.19.2 | | | Signature* | 3.19.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RecordData | restriction? | | | RecordData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | DateTime? | | | | DateTime? | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | Application? | | | | Application? | |
| | RecordPattern* | | | | RecordPattern* | |
| | RecordItem* | | | | RecordItem* | |
| | URL* | | | | URL* | |
| | FileData* | | | | FileData* | |
| | WindowsRegistryKeysModified*| | | | WindowsRegistryKeysModified*| |
| | CertificateData* | | | | CertificateData* | |
| | AdditionalData* | 3.19.3 | | | AdditionalData* | 3.19.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RecordPattern | type | | | RecordPattern | type | |
skipping to change at page 14, line 29 skipping to change at page 14, line 51
| | KeyName | | | | KeyName | |
| | KeyValue? | 3.20.1 | | | KeyValue? | 3.20.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| CertificateData | restriction? | | | CertificateData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | Certificate+ | 3.21 | | | Certificate+ | 3.21 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Certificate | observable-id? | | | Certificate | observable-id? | |
| | X509Data | | | | X509Data | |
| | Description* | | | | Description* | 3.21.1 |
| | Description_ML* | 3.21.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| FileData | restriction? | | | FileData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | File+ | 3.22 | | | File+ | 3.22 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| File | observable-id? | | | File | observable-id? | |
| | FileName? | | | | FileName? | |
| | FileSize? | | | | FileSize? | |
| | FileType? | | | | FileType? | |
skipping to change at page 15, line 18 skipping to change at page 15, line 39
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| FuzzyHash | FuzzyHashValue+ | | | FuzzyHash | FuzzyHashValue+ | |
| | Application? | | | | Application? | |
| | AdditionalData* | 3.23.2 | | | AdditionalData* | 3.23.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Indicator | restriction? | | | Indicator | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | IndicatorID | | | | IndicatorID | |
| | AlternativeIndicatorID*| | | | AlternativeIndicatorID*| |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | Confidence? | | | | Confidence? | |
| | Contact* | | | | Contact* | |
| | Observable? | | | | Observable? | |
| | uid-ref? | | | | uid-ref? | |
| | IndicatorExpression?| | | | IndicatorExpression?| |
| | IndicatorReference?| | | | IndicatorReference?| |
| | NodeRole* | | | | NodeRole* | |
| | AttackPhase* | | | | AttackPhase* | |
skipping to change at page 16, line 39 skipping to change at page 17, line 11
| | Confidence? | | | | Confidence? | |
| | AdditionalData* | 3.24.6 | | | AdditionalData* | 3.24.6 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IndicatorReference | uid-ref? | | | IndicatorReference | uid-ref? | |
| | euid-ref? | | | | euid-ref? | |
| | version? | 3.24.7 | | | version? | 3.24.7 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| AttackPhase | AttackPhaseID* | | | AttackPhase | AttackPhaseID* | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | Description_ML* | |
| | AdditionalData* | 3.24.8 | | | AdditionalData* | 3.24.8 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
3.2. Mapping between JSON and XML IODEF 3.2. Mapping between JSON and XML IODEF
o This document treats attributes and elements of each class defined o This document treats attributes and elements of each class defined
in [RFC7970] equally and is agnostic on the order of their in [RFC7970] equally and is agnostic on the order of their
appearances. appearances.
o Flow class is deleted, and classes with its instances now directly o Flow class is deleted, and classes with its instances now directly
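Review bot: The AttackPhase row drops Description_ML* (as the RecordData and Indicator rows do earlier in this table), but nothing in the visible table or in the 3.2 mapping bullets tells an implementer where multilingual text goes now. Suggest adding a bullet to 3.2 stating that the *_ML keys of -04 are removed and that the affected elements are now typed text / MLStringType, so that parsers written against -04 know to stop emitting and expecting the old keys.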
skipping to change at page 20, line 26 skipping to change at page 20, line 35
? lang: lang ? lang: lang
? format-id: text ? format-id: text
? private-enum-name: text ? private-enum-name: text
? private-enum-id: text ? private-enum-id: text
Incident: [+ Incident] Incident: [+ Incident]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value" "year" / "ext-value"
lang = "en" / "jp" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
restriction = "public" / "partner" / "need-to-know" / "private" / restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" / "default" / "white" / "green" / "amber" / "red" /
"ext-value" "ext-value"
DATETIME = text IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
URLtype = text IDREFType = IDtype
IDtype = text TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "\d+(\-\d+)?(,\d+(\-\d+)?)*"
action = "nothing" / "contact-source-site" / "cotact-target-site" / action = "nothing" / "contact-source-site" / "cotact-target-site" /
"contact-sender" / "investigate" / "block-host" / "contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" / "block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" / "honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" / "harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" / "status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value" "defined-coa" / "other" / "ext-value"
MLStringType = {
value: text
?lang: lang
?translation-id: text
}
PositiveFloatType = {
value: float32 .gt 0
}
PAddressType = MLStringType
ExtensionType = { ExtensionType = {
value: text
? Name: text ? Name: text
? dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" / "ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string"
? ext-dtype: text ? ext-dtype: text
? meaning: text ? meaning: text
? formatid: text ? formatid: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
} }
SoftwareType = { SoftwareType = {
? SoftwareReference: SoftwareReference ? SoftwareReference: SoftwareReference
? URL: URLtype ? URL: [+ uri]
? Description: text ? Description: [+ text / MLStringType]
} }
SoftwareReference = { SoftwareReference = {
? value: text ? value: text
spec-name: "custom" / "cpe" / "swid" / "ext-value" spec-name: "custom" / "cpe" / "swid" / "ext-value"
? ext-spec-name: text ? ext-spec-name: text
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string"
? ext-dtype: text ? ext-dtype: text
} }
Incident = { Incident = {
purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
"ext-value" "ext-value"
? ext-purpose: text ? ext-purpose: text
? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
"ext-value" "ext-value"
? ext-status: text ? ext-status: text
? lang: lang ? lang: lang
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
IncidentID: IncidentID IncidentID: IncidentID
? AlternativeID: AlternativeID ? AlternativeID: AlternativeID
? RelatedActivity: [+ RelatedActivity] ? RelatedActivity: [+ RelatedActivity]
? DetectTime: text ? DetectTime: tdate
? StartTime: text ? StartTime: tdate
? EndTime: text ? EndTime: tdate
? RecoveryTime: text ? RecoveryTime: tdate
? ReportTime: text ? ReportTime: tdate
GenerationTime: text GenerationTime: tdate
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: [+ Assessment] ? Assessment: [+ Assessment]
? Method: [+ Method] ? Method: [+ Method]
Contact: [+ Contact] Contact: [+ Contact]
? EventData: [+ EventData] ? EventData: [+ EventData]
? Indicator: [+ Indicator] ? Indicator: [+ Indicator]
? History: History ? History: History
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IncidentID = { IncidentID = {
id: text id: text
name: text name: text
? instance: text ? instance: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
} }
AlternativeID = { AlternativeID = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IncidentID: [+ IncidentID] IncidentID: [+ IncidentID]
} }
RelatedActivity = { RelatedActivity = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? IncidentID: [+ IncidentID] ? IncidentID: [+ IncidentID]
? URL: [+ URLtype] ? URL: [+ uri]
? ThreatActor: [+ ThreatActor] ? ThreatActor: [+ ThreatActor]
? Campaign: [+ Campaign] ? Campaign: [+ Campaign]
? IndicatorID: [+ IndicatorID] ? IndicatorID: [+ IndicatorID]
? Confidence: Confidence ? Confidence: Confidence
? Description: [+ text] ? Description: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
ThreatActor = { ThreatActor = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? ThreatActorID: [+ text] ? ThreatActorID: [+ text]
? URL: [+ URLtype] ? URL: [+ uri]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Campaign = { Campaign = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? CampaignID: [+ text] ? CampaignID: [+ text]
? URL: [+ URLtype] ? URL: [+ uri]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Contact = { Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" / "vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value" "ext-value"
? ext-role: text ? ext-role: text
type: "person" / "organization" / "ext-value" type: "person" / "organization" / "ext-value"
? ext-type: text ? ext-type: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? ContactName: [+ text] ? ContactName: [+ text / MLStringType]
? ContactName_ML: [+ text] ? ContactTitle: [+ text / MLStringType]
? ContactTitle: [+ text] ? Description: [+ text / MLStringType]
? ContactTitle_ML: [+ text]
? Description: [+ text]
? Description_ML: [+ text]
? RegistryHandle: [+ RegistryHandle] ? RegistryHandle: [+ RegistryHandle]
? PostalAddress: [+ PostalAddress] ? PostalAddress: [+ PostalAddress]
? Email: [+ Email] ? Email: [+ Email]
? Telephone: [+ Telephone] ? Telephone: [+ Telephone]
? Timezone: text ? Timezone: TimeZonetype
? Contact: [+ Contact] ? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
handle: text handle: text
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" /
"local" / "ext-value" "local" / "ext-value"
? ext-registry: text ? ext-registry: text
} }
PostalAddress = { PostalAddress = {
? type: text ? type: text
? ext-type: text ? ext-type: text
PAddress: text PAddress: PAddressType
? Description: [+ text] ? Description: [+ text / MLStringTYpe]
? Description_ML: [+ text]
} }
Email = { Email = {
? type: "direct" / "hotline" / "ext-value" ? type: "direct" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
EmailTo: text EmailTo: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
Telephone = { Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
TelephoneNumber: text TelephoneNumber: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
Discovery = { Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" / "incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investiation" / "audit" / "network-flow" / "passive-dns" / "investiation" / "audit" /
"international-notification" / "external-notification" / "international-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value" "leo" / "partner" / "actor" / "unknown" / "ext-value"
? ext-source: text ? ext-source: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? Contact: [+ Contact] ? Contact: [+ Contact]
? DetectionPattern: [+ DetectionPattern] ? DetectionPattern: [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Application: SoftwareType Application: SoftwareType
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? DetectionConfiguration: [+ text] ? DetectionConfiguration: [+ text]
} }
Method = { Method = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? Reference: [+ Reference] ? Reference: [+ Reference]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? AttackPattern: [+ StructuredInformation] ? AttackPattern: [+ StructuredInformation]
? Vulnerability: [+ StructuredInformation] ? Vulnerability: [+ StructuredInformation]
? Weakness: [+ StructuredInformation] ? Weakness: [+ StructuredInformation]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
StructuredInformation = { StructuredInformation = {
specID: text specID: text
? ext-specID: text ? ext-specID: text
? contentID: text ? contentID: text
? RawData: any ? RawData: any
? URL: URLtype ? URL: uri
} }
Reference = { Reference = {
? observable-id: IDtype ? observable-id: IDtype
? ReferenceName: ReferenceName ? ReferenceName: ReferenceName
? URL: [+ URLtype] ? URL: [+ uri]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
ReferenceName = { ReferenceName = {
specIndex: int specIndex: integer
ID: text ID: IDtype
} }
Assessment = { Assessment = {
? occurrence: "actual" / "potential" ? occurrence: "actual" / "potential"
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? IncidentCategory: [+ text] ? IncidentCategory: [+ text / MLStringType]
? SystemImpact: [+ SystemImpact] Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} /
? BusinessImpact: [+ BusinessImpact] {TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} /
? TimeImpact: [+ TimeImpact] {MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}]
? MonetaryImpact: [+ MonetaryImpact]
? IntendedImpact: [+ BusinessImpact]
? Counter: [+ Counter] ? Counter: [+ Counter]
? MitigatingFactor: [+ text] ? MitigatingFactor: [+ text / MLStringType]
? MitigatingFactor_ML: [+ text] ? Cause: [+ text / MLStringType]
? Cause: [+ text]
? Cause_ML: [+ text]
? Confidence: Confidence ? Confidence: Confidence
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
SystemImpact = { SystemImpact = {
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? completion: "failed" / "succeeded" ? completion: "failed" / "succeeded"
type: "takeover-account" / "takeover-service" / "takeover-system" / type: "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" / "cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" / "availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" / "availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-proprietary" / "breach-privacy" / "breach-credential" /
"breack-configuration" / "integrity-data" / "breack-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" "policy" / "unknown" / "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
BusinessImpact = { BusinessImpact = {
? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown"
? ext-severity: text ? ext-severity: text
type: "breach-proprietary" / "breach-privacy" / "breach-credential" / type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" / "loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" / "theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" / "asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
TimeImpact = { TimeImpact = {
value: int value: PositiveFloatType
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
metric: "labor" / "elapsed" / "downtime" / "ext-value" metric: "labor" / "elapsed" / "downtime" / "ext-value"
? ext-metric: text ? ext-metric: text
? duration: duration ? duration: duration .default "hour"
? ext-duration: text ? ext-duration: text
} }
MonetaryImpact = { MonetaryImpact = {
value: int value: PositiveFloatType
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? currency: text ? currency: text
} }
Confidence = { Confidence = {
value: int value: float32
rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
? ext-rating: text ? ext-rating: text
} }
History = { History = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
HistoryItem: [+ HistoryItem] HistoryItem: [+ HistoryItem]
} }
HistoryItem = { HistoryItem = {
action: action action: action .default "other"
? ext-action: text ? ext-action: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
DateTime: DATETIME DateTime: tdate
? IncidentID: IncidentID ? IncidentID: IncidentID
? Contact: Contact ? Contact: Contact
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
EventData = { EventData = {
? restriction: restriction ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text] ? DetectTime: tdate
? DetectTime: DATETIME ? StartTime: tdate
? StartTime: DATETIME ? EndTime: tdate
? EndTime: DATETIME ? RecoveryTime: tdate
? RecoveryTime: DATETIME ? ReportTime: tdate
? ReportTime: DATETIME
? Contact: [+ Contact] ? Contact: [+ Contact]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: Assessment ? Assessment: Assessment
? Method: [+ Method] ? Method: [+ Method]
? System: [+ System] ? System: [+ System]
? Expectation: [+ Expectation] ? Expectation: [+ Expectation]
? RecordData: [+ RecordData] ? RecordData: [+ RecordData]
? EventData: [+ EventData] ? EventData: [+ EventData]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Expectation = { Expectation = {
? action: action ? action: action .default "other"
? ext-action: text ? ext-action: text
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? restriction: restriction ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? StartTime: DATETIME ? StartTime: tdate
? EndTime: DATETIME ? EndTime: tdate
? Contact: Contact ? Contact: Contact
} }
System = { System = {
? category: "source" / "target" / "intermediate" / "sensor" / ? category: "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value" "infrastructure" / "ext-value"
? ext-category: text ? ext-category: text
? interface: text ? interface: text
? spoofed: "unknown" / "yes" / "no" ? spoofed: "unknown" / "yes" / "no" .default "unknown"
? virtual: "yes" / "no" / "unknown" ? virtual: "yes" / "no" / "unknown" .default "unknown"
? ownership: "organization" / "personal" / "partner" / "customer" / ? ownership: "organization" / "personal" / "partner" / "customer" /
"no-relationship" / "unknown" / "ext-value" "no-relationship" / "unknown" / "ext-value"
? ext-ownership: text ? ext-ownership: text
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Node: Node Node: Node
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? Service: [+ Service] ? Service: [+ Service]
? OperatingSystem: [+ SoftwareType] ? OperatingSystem: [+ SoftwareType]
? Counter: [+ Counter] ? Counter: [+ Counter]
? AssetID: [+ text] ? AssetID: [+ text]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Node = { Node = {
? DomainData: [+ DomainData] ? DomainData: [+ DomainData]
? Address: [+ Address] ? Address: [+ Address]
? PostalAddress: PostalAddress ? PostalAddress: PAddressType
? Location: [+ text] ? Location: [+ text / MLSTringType]
? Location_ML: [+ text]
? Counter: [+ Counter] ? Counter: [+ Counter]
} }
Address = { Address = {
value: text value: text
category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" /
"ext-value" "ext-value" .default "ipv6-addr"
? ext-category: text ? ext-category: text
? vlan-name: text ? vlan-name: text
? vlan-num: int ? vlan-num: integer
? observable-id: IDtype ? observable-id: IDtype
} }
NodeRole = { NodeRole = {
category: "client" / "client-enterprise" / "clent-partner" / category: "client" / "client-enterprise" / "clent-partner" /
"client-remote" / "client-kiosk" / "client-mobile" / "client-remote" / "client-kiosk" / "client-mobile" /
"server-internal" / "server-public" / "www" / "mail" / "server-internal" / "server-public" / "www" / "mail" /
"webmail" / "messaging" / "streaming" / "voice" / "file" / "webmail" / "messaging" / "streaming" / "voice" / "file" /
"ftp" / "p2p" / "name" / "directory" / "credential" / "ftp" / "p2p" / "name" / "directory" / "credential" /
"print" / "application" / "database" / "backup" / "dhcp" / "print" / "application" / "database" / "backup" / "dhcp" /
"assessment" / "source-control" / "config-management" / "assessment" / "source-control" / "config-management" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" / "monitoring" / "infra" / "infra-firewall" / "infra-router" /
"infra-switch" / "camera" / "proxy" / "remote-access" / "infra-switch" / "camera" / "proxy" / "remote-access" /
"log" / "virtualization" / "pos" / "scada" / "log" / "virtualization" / "pos" / "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" / "scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" / "anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hot-point" / "reflector" / "drop-server" / "hot-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" / "phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value" "fraudulent-site" / "ext-value"
? ext-category: text ? ext-category: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
Counter = { Counter = {
value: text value: float32
type: "count" / "peak" / "average" / "ext-value" type: "count" / "peak" / "average" / "ext-value"
? ext-type: text ? ext-type: text
unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" / "message" / "event" / "host" / "site" / "organization" /
"ext-value" "ext-value"
? ext-unit: text ? ext-unit: text
? meaning: text ? meaning: text / MLStringTYpe
? meaning_ML: text ? duration: duration .default "hour"
? duration: duration
? ext-duration: text ? ext-duration: text
} }
DomainData = { DomainData = {
system-status: "spoofed" / "fraudulent" / "innocent-hacked" / system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
"innocent-hijacked" / "unknown" / "ext-value" "innocent-hijacked" / "unknown" / "ext-value"
? ext-system-status: text ? ext-system-status: text
domain-status: "reservedDelegation" / "assignedAndActive" / domain-status: "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" / "assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" / "revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value" "registrarLock" / "other" / "unknown" / "ext-value"
? ext-domain-status: text ? ext-domain-status: text
? observable-id: IDtype ? observable-id: IDtype
Name: text Name: text
? DateDomainWasChecked: DATETIME ? DateDomainWasChecked: tdate
? RegistrationDate: DATETIME ? RegistrationDate: tdate
? ExpirationDate: DATETIME ? ExpirationDate: tdate
? RelatedDNS: [+ ExtensionType] ? RelatedDNS: [+ ExtensionType]
? NameServers: [+ NameServers] ? NameServers: [+ NameServers]
? DomainContacts: DomainContacts ? DomainContacts: DomainContacts
} }
NameServers = { NameServers = {
Server: text Server: text
? Address: [+ Address] Address: [+ Address]
} }
DomainContacts = { DomainContacts = {
? SameDomainContact: text ? SameDomainContact: text
Contact: [+ Contact] Contact: [+ Contact]
} }
Service = { Service = {
? ip-protocol: int ? ip-protocol: integer
? observable-id: IDtype ? observable-id: IDtype
? ServiceName: ServiceName ? ServiceName: ServiceName
? Port: int ? Port: integer
? Portlist: text ? Portlist: PortlistType
? ProtoCode: int ? ProtoCode: integer
? ProtoType: int ? ProtoType: integer
? ProtoField: int ? ProtoField: integer
? ApplicationHeaderField: [+ ExtensionType] ? ApplicationHeaderField: [+ ExtensionType]
? EmailData: EmailData ? EmailData: EmailData
? Application: SoftwareType ? Application: SoftwareType
} }
ServiceName = { ServiceName = {
? IANAService: text ? IANAService: text
? URL: [+ URLtype] ? URL: [+ uri]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
EmailData = { EmailData = {
? observable-id: IDtype ? observable-id: IDtype
? EmailTo: [+ text] ? EmailTo: [+ text]
? EmailFrom: text ? EmailFrom: text
? EmailSubject: text ? EmailSubject: text
? EmailX-Mailer: text ? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType] ? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text ? EmailHeaders: text
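Review bot: The new column references rule names that are never defined: MLStringTYpe in PostalAddress.Description and in Counter.meaning, and MLSTringType in Node.Location. CDDL rule names are case-sensitive and the rule this hunk defines is MLStringType, so the schema does not resolve as written; correct the three spellings.

In Assessment, the new Impact array lists {MonetaryImpact: MonetaryImpact} twice and carries no "?", which makes Impact mandatory although the five members it replaces were all optional. Drop the duplicate alternative and restore the "?" unless the stricter rule is intended.

The .default controls are written after a whole choice, for example "policy" / "unknown" / "ext-value" .default "unknown". A control operator binds to the single type next to it, so the default attaches only to "ext-value"; parenthesise the choice. A default is also only meaningful on an optional member, which ExtensionType.dtype, SystemImpact.type, BusinessImpact.type, Address.category and HistoryItem.action are not in the new column.

TimeImpact.value and MonetaryImpact.value now point at PositiveFloatType, which is itself a map with a value member, so the encoded form becomes a map nested under value rather than a number. If a bare number is intended, define PositiveFloatType = float32 .gt 0.

Several enumeration literals are misspelled identically in both columns: "cotact-target-site", "investiation", "breack-configuration", "clent-partner" and "anomyzation". These are wire values, so check them against the RFC 7970 enumerations in this revision, before implementations start matching on the misspelled strings.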
skipping to change at page 31, line 6 skipping to change at page 31, line 4
? EmailFrom: text ? EmailFrom: text
? EmailSubject: text ? EmailSubject: text
? EmailX-Mailer: text ? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType] ? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text ? EmailHeaders: text
? EmailBody: text ? EmailBody: text
? EmailMessage: text ? EmailMessage: text
? HashData: [+ HashData] ? HashData: [+ HashData]
? Signature: [+ text] ? Signature: [+ text]
} }
RecordData = { RecordData = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? DateTime: DATETIME ? DateTime: tdate
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? Applicadtion: SoftwareType ? Applicadtion: SoftwareType
? RecordPattern: [+ RecordPattern] ? RecordPattern: [+ RecordPattern]
? RecordItem: [+ ExtensionType] ? RecordItem: [+ ExtensionType]
? URL: [+ URLtype] ? URL: [+ uri]
? FileData: [+ FileData] ? FileData: [+ FileData]
? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
? CertificateData: [+ CertificateData] ? CertificateData: [+ CertificateData]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RecordPattern = { RecordPattern = {
value: text value: text
type: "regex" / "binary" / "xpath" / "ext-value" type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
? ext-type: text ? ext-type: text
? offset: int ? offset: integer
? offsetunit: "line" / "byte" / "ext-value" ? offsetunit: "line" / "byte" / "ext-value" .default "line"
? ext-offsetunit: text ? ext-offsetunit: text
? instance: int ? instance: integer
} }
WindowsRegistryKeysModified = { WindowsRegistryKeysModified = {
? observable-id: IDtype ? observable-id: IDtype
Key: [+ Key] Key: [+ Key]
} }
Key = { Key = {
? registryaction: "add-key" / "add-value" / "delete-key" / ? registryaction: "add-key" / "add-value" / "delete-key" /
"delete-value" / "modify-key" / "modify-value" / "delete-value" / "modify-key" / "modify-value" /
"ext-value" "ext-value"
? ext-registryaction: text ? ext-registryaction: text
? observable-id: IDtype ? observable-id: IDtype
KeyName: text KeyName: text
? KeyValue: text ? KeyValue: text
} }
CertificateData = { CertificateData = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Certificate: [+ Certificate] Certificate: [+ Certificate]
} }
Certificate = { Certificate = {
? observable-id: IDtype ? observable-id: IDtype
X509Data: text X509Data: text
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
} }
FileData = { FileData = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
File: [+ File] File: [+ File]
} }
File = { File = {
? observable-id: IDtype ? observable-id: IDtype
? FileName: text ? FileName: text
? FileSize: int ? FileSize: integer
? FileType: text ? FileType: text
? URL: [+ URLtype] ? URL: [+ uri]
? HashData: HashData ? HashData: HashData
? Signature: [+ text] ? Signature: [+ text]
? AssociatedSoftware: SoftwareType ? AssociatedSoftware: SoftwareType
? FileProperties: [+ ExtensionType] ? FileProperties: [+ ExtensionType]
} }
HashData = { HashData = {
scope: "file-contents" / "file-pe-section" / "file-pe-iat" / scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" / "file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-hash-header" / "email-hash-body" "email-hash-header" / "email-hash-body"
skipping to change at page 33, line 9 skipping to change at page 33, line 4
? Application: SoftwareType ? Application: SoftwareType
} }
FuzzyHash = { FuzzyHash = {
FuzzyHashValue: [+ ExtensionType] FuzzyHashValue: [+ ExtensionType]
? Application: SoftwareType ? Application: SoftwareType
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Indicator = { Indicator = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IndicatorID: IndicatorID IndicatorID: IndicatorID
? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text] ? StartTime: tdate
? StartTime: DATETIME ? EndTime: tdate
? EndTime: DATETIME
? Confidence: Confidence ? Confidence: Confidence
? Contact: [+ Contact] ? Contact: [+ Contact]
? Observable: Observable ? Observable: Observable
? uid-ref: text ? uid-ref: IDREFType
? IndicatorExpression: IndicatorExpression ? IndicatorExpression: IndicatorExpression
? IndicatorReference: IndicatorReference ? IndicatorReference: IndicatorReference
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? AttackPhase: [+ AttackPhase] ? AttackPhase: [+ AttackPhase]
? Reference: [+ Reference] ? Reference: [+ Reference]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IndicatorID = { IndicatorID = {
id: IDtype id: IDtype
name: text name: text
version: text version: text
} }
AlternativeIndicatorID = { AlternativeIndicatorID = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IndicatorReference: [+ IndicatorReference] IndicatorReference: [+ IndicatorReference]
} }
Observable = { Observable = {
? restriction: restriction ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? System: System ? System: System
? Address: Address ? Address: Address
? DomainData: DomainData ? DomainData: DomainData
? EmailData: EmailData ? EmailData: EmailData
? Service: Service ? Service: Service
? WindowsRegistryKeysModified: WindowsRegistryKeysModified ? WindowsRegistryKeysModified: WindowsRegistryKeysModified
? FileData: FileData ? FileData: FileData
? CertificateData: CertificateData ? CertificateData: CertificateData
? RegistryHandle: RegistryHandle ? RegistryHandle: RegistryHandle
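Review bot: The `.default "private"` added to `restriction` in Indicator, AlternativeIndicatorID and Observable is only an annotation in CDDL: a validator accepts the map with or without the member and does not fill the value in. Because `restriction` tells the receiver how the data may be disclosed, the prose should state normatively that an absent `restriction` is handled as "private", so that implementations do not diverge on disclosure handling. The same region folds `Description_ML` into `Description: [+ text / MLStringType]`, so one array can now mix plain strings and maps. It is worth saying explicitly that receivers must check the type of each element instead of dispatching on the member name.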
skipping to change at page 34, line 28 skipping to change at page 34, line 22
? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-url" / "domain-name" / "domain-to-ipv4" / "mac" / "site-url" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" / "windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" / "email-subject" / "http-user-agent" / "http-request-uri" /
"mutex" / "file-path" / "user-name" / "ext-value" "mutex" / "file-path" / "user-name" / "ext-value"
? ext-type: text ? ext-type: text
? BulkObservableFormat: BulkObservableFormat ? BulkObservableFormat: BulkObservableFormat
BulkObservableList: [+ text] BulkObservableList: text
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
BulkObservableFormat = { BulkObservableFormat = {
? Hash: Hash ? Hash: Hash
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IndicatorExpression = { IndicatorExpression = {
? operator: "not" / "and" / "or" / "xor" ? operator: "not" / "and" / "or" / "xor" .default "and"
? ext-operator: text ? ext-operator: text
? IndicatorExpression: [+ IndicatorExpression] ? IndicatorExpression: [+ IndicatorExpression]
? Observable: [+ Observable] ? Observable: [+ Observable]
? uid-ref: [+ text] ? uid-ref: [+ IDREFType]
? IndicatorReference: [+ IndicatorReference] ? IndicatorReference: [+ IndicatorReference]
? Confidence: Confidence ? Confidence: Confidence
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IndicatorReference = { IndicatorReference = {
? uid-ref: text ? uid-ref: IDREFType
? euid-ref: text ? euid-ref: text
? version: text ? version: text
} }
AttackPhase = { AttackPhase = {
? AttackPhaseID: [+ text] ? AttackPhaseID: [+ text]
? URL: [+ URLtype] ? URL: [+ uri]
? Description: [+ text] ? Description: [+ text / MLStringType]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Figure 2: Data Model in CDDL Figure 3: Data Model in CDDL
6. Acknowledgements 6. Acknowledgements
We would like to thank Henk Birkholz and Carsten Bormann for their We would like to thank Yasuaki Morita, Henk Birkholz and Carsten
insightful comments on CDDL. Bormann for their insightful comments on CDDL.
7. IANA Considerations 7. IANA Considerations
This document registers a JSON schema. This document registers a JSON schema.
8. Security Considerations 8. Security Considerations
This memo does not provide any further security considerations than This memo does not provide any further security considerations than
the one described in [RFC7970]. the one described in [RFC7970].
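Review bot: Section 8 is identical in -04 and -05 and still defers entirely to [RFC7970], although -05 retitles the draft as a CBOR/JSON binding and the data model above now uses the CDDL prelude types `tdate` and `uri`, which are CBOR-tagged text strings. Suggest adding considerations for the new encoding: at least a pointer to the security considerations of the CBOR and JSON specifications, and a statement that values such as the `URL: [+ uri]` members are untrusted input whose syntax the receiver still has to validate. Two smaller points in the same region. `BulkObservableList` changes from `[+ text]` to `text`, and nothing here says how the entries inside the single string are delimited; state the delimiter or point at the RFC 7970 definition. In IndicatorExpression, `"not" / "and" / "or" / "xor" .default "and"` attaches the default to `"xor"` alone, since a control operator binds tighter than `/`; the choice should be parenthesized.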
skipping to change at page 54, line 48 skipping to change at page 54, line 41
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"}, "format-id": {"type": "string"},
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}}, "type": "array","items": {"$ref": "#/definitions/Incident"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"], "required": ["version","Incident"],
"additionalProperties": false} "additionalProperties": false}
Figure 3: JSON schema Figure 4: JSON schema
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
Email: takeshi_takahashi@nict.go.jp Email: takeshi_takahashi@nict.go.jp
Roman Danyliw Roman Danyliw
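Review bot: In the closing lines of the JSON schema, `"Incident": {"type": "array","items": {"$ref": "#/definitions/Incident"}}` has no `minItems`, so a document with `"Incident": []` satisfies `"required": ["version","Incident"]`. The CDDL in this draft writes its lists as `[+ ...]` (one or more), so add `"minItems": 1` here if the two schemas are meant to accept the same set of documents.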
 End of changes. 143 change blocks. 
233 lines changed or deleted 216 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/