--- 1/draft-ietf-mile-jsoniodef-05.txt 2018-11-03 23:13:09.474762859 -0700 +++ 2/draft-ietf-mile-jsoniodef-06.txt 2018-11-03 23:13:09.626766493 -0700 @@ -1,44 +1,44 @@ MILE T. Takahashi Internet-Draft NICT Intended status: Standards Track R. Danyliw -Expires: April 25, 2019 CERT +Expires: May 7, 2019 CERT M. Suzuki NICT - October 22, 2018 + November 3, 2018 CBOR/JSON binding of IODEF - draft-ietf-mile-jsoniodef-05 + draft-ietf-mile-jsoniodef-06 Abstract RFC7970 specified an information model and a corresponding XML data model for exchanging incident and indicator information. This draft - provides an alternative data model implementation in JSON. + provides an alternative data model implementation in CBOR/JSON. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 25, 2019. + This Internet-Draft will expire on May 7, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -54,31 +54,34 @@ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.2. Software and SoftwareReference . . . . . . . . . . . 6 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7 - 3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 17 + 3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18 - 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 18 - 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 20 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 35 - 9. Normative References . . . . . . . . . . . . . . . . . . . . 35 - Appendix A. The IODEF Data Model (JSON Schema) . . . . . . . . . 35 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 + 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20 + 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 24 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 43 + 9.2. Informative References . . . 
. . . . . . . . . . . . . . 43 + Appendix A. Data Types used in this document . . . . . . . . . . 43 + Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 44 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76 1. Introduction [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model 
@@ -137,52 +140,52 @@ | PHONE | Section 2.11 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] | | SOFTWARE | Section 2.15 | see Section 2.2.2 | | STRUCTURED | RFC 7213 | see Section 2.2.3 | | EXTENSION | Section 2.16 | see Section 2.2.4 | +-----------------+-------------------+-------------------------------+ - Figure 1 + Figure 1: JSON Data Types -+-----------------+------------------+-------------------------------------+ ++-----------------+------------------+---------------------------------+ | IODEF Data Type | CBOR Data Type | CDDL prelude | -| | | [draft-ietf-cbor-cddl-05] Reference | -+-----------------+------------------+-------------------------------------+ +| | | [draft-ietf-cbor-cddl-05] | ++-----------------+------------------+---------------------------------+ | INTEGER | 6 tag 2, 6 tag 3 | integer | | REAL | 7 bits 26 | float32 | | CHARACTER | 3 text string | text | | STRING | 3 text string | text | -| ML_STRING | 5 map | see Maps/Structs, Section 3.5.1 | +| ML_STRING | 5 map | Maps/Structs (Section 3.5.1) | | BYTE | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy | | HEXBIN | 2 byte string | bytes | | HEXBIN[] | 2 byte string | bytes | -| ENUM | - | see Choices, Section 2.2.2 | +| ENUM | - | Choices (Section 2.2.2) | | DATETIME | 6 tag 0 | tdate | | TIMEZONE | 3 text string | text | | PORTLIST | 3 text string | text | | POSTAL | 3 text string | text | -| | | / see Maps/Structs, Section 3.5.1 | +| | | or Maps/Structs(Section 3.5.1) | | PHONE | 3 text string | text | | EMAIL | 3 text string | text | | URL | 6 tag 32 | uri | | ID | 3 text string | text | | IDREF | 3 text string | text | -| SOFTWARE | 5 map | see Maps/Structs, Section 3.5.1 | -| STRUCTURED | 5 map | see Maps/Structs, Section 3.5.1 | -| EXTENSION | 5 map | see Maps/Structs, Section 3.5.1 | 
-+-----------------+------------------+-------------------------------------+ +| SOFTWARE | 5 map | Maps/Structs (Section 3.5.1) | +| STRUCTURED | 5 map | Maps/Structs (Section 3.5.1) | +| EXTENSION | 5 map | Maps/Structs (Section 3.5.1) | ++-----------------+------------------+---------------------------------+ - Figure 2 + Figure 2: CBOR Data Types 2.2. Complex JSON Types 2.2.1. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 5. Examples are shown below. @@ -722,21 +725,23 @@ | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.24.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.24.8 | +-----------------------------+--------------------+---------------+ -3.2. Mapping between JSON and XML IODEF + IODEF Classes + +3.2. Mapping between CBOR/JSON and XML IODEF o This document treats attributes and elements of each class defined in [RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and classes with its instances now directly have instances of EventData class that used to belong to the Flow classs. o ApplicationHeader class is deleted, and classes with its instances 
@@ -754,140 +759,358 @@ o ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element. o Record class is replaced by RecordData class, and RecordData class is renamed to Record class. o Record class is deleted, and classes with its instances now directly have the instances of RecordData class that used to belong to the Record class. - o The elements of ML_STRING type are prepared as two separate - elements: one of STRING type and another of ML_STRING type, in - order to maintain the simplicity of IODEF documents when writing - with only STRING type characters. + o The elements of ML_STRING type in XML IODEF document are presented + as either STRING type or ML_STRING type in CBOR/JSON IODEF + document. + + o The order of appearances of class elements were ignored in CBOR/ + JSON version. 4. Examples This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information. 4.1. Minimal Example - A document containing only the mandatory elements and attributes. + A document containing only the mandatory elements and attributes is + shown below in JSON and CBOR, respectively. 
{ "version": "2.0", "lang": "en", "Incident": [{ "purpose": "reporting", "restriction": "private", "IncidentID": { "id": "492382", "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [{ "type": "organization", "role": "creator", - "Email": [{ - "EmailTo": "contact@csirt.example.com" - }] + "Email": [{"EmailTo": "contact@csirt.example.com"}] }] }] } + Figure 3: A Minimal Example in JSON + + A3 # map(3) + 67 # text(7) + 76657273696F6E # "version" + 63 # text(3) + 322E30 # "2.0" + 64 # text(4) + 6C616E67 # "lang" + 62 # text(2) + 656E # "en" + 68 # text(8) + 496E636964656E74 # "Incident" + 81 # array(1) + A5 # map(5) + 67 # text(7) + 707572706F7365 # "purpose" + 69 # text(9) + 7265706F7274696E67 # "reporting" + 6B # text(11) + 7265737472696374696F6E # "restriction" + 67 # text(7) + 70726976617465 # "private" + 6A # text(10) + 496E636964656E744944 # "IncidentID" + A2 # map(2) + 62 # text(2) + 6964 # "id" + 66 # text(6) + 343932333832 # "492382" + 64 # text(4) + 6E616D65 # "name" + 71 # text(17) + 63736972742E6578616D706C652E636F6D # "csirt.example.com" + 6E # text(14) + 47656E65726174696F6E54696D65 # "GenerationTime" + C0 # tag(0) + 78 19 # text(25) + 323031352D30372D31385430393A30303A30302D30353A3030 + # "2015-07-18T09:00:00-05:00" + 67 # text(7) + 436F6E74616374 # "Contact" + 81 # array(1) + A3 # map(3) + 64 # text(4) + 74797065 # "type" + 6C # text(12) + 6F7267616E697A6174696F6E # "organization" + 64 # text(4) + 726F6C65 # "role" + 67 # text(7) + 63726561746F72 # "creator" + 65 # text(5) + 456D61696C # "Email" + 81 # array(1) + A1 # map(1) + 67 # text(7) + 456D61696C546F # "EmailTo" + 78 19 # text(25) + 636F6E746163744063736972742E6578616D706C652E636F6D + # "contact@csirt.example.com" + + Figure 4: A Minimal Example in CBOR + 4.2. Indicators from a Campaign - An example of C2 domains from a given campaign. + An example of C2 domains from a given campaign is shwon below in JSON + and CBOR, respectively. 
{ "version": "2.0", "lang": "en", - "Incidents": [ - { + "Incident": [{ "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, - "RelatedActivity": [ - { - "ThreatActor": [ - { - "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", - "Description": "Aggressive Butterfly" - } - ], - "Campaign": [ - { - "CampaignID": "C-2015-59405", - "Description": "Orange Giraffe" - } - ] - } - ], + "RelatedActivity": [{ + "ThreatActor": [{ + "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], + "Description": ["Aggressive Butterfly"]}], + "Campaign": [{ + "CampaignID": ["C-2015-59405"], + "Description": ["Orange Giraffe"] + }] + }], "GenerationTime": "2015-10-02T11:18:00-05:00", - "Description": [ - "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." - ], - "Assessment": [ - { - "BusinessImpact": { - "type": "breach-proprietary" - } - } - ], - "Contacts": [ - { + "Description": ["Summarizes the Indicators of Compromise for the + Orange Giraffe campaign of the Aggressive Butterfly crime gang."], + "Assessment": [{ + "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] + }], + "Contact": [{ "type": "organization", "role": "creator", - "ContactName": "CSIRT for example.com", - "Email": { - "emailTo": "contact@csirt.example.com" - } - } - ], - "IndicatorList": [ - { + "ContactName": ["CSIRT for example.com"], + "Email": [{ + "EmailTo": "contact@csirt.example.com" + }] + }], + "Indicator": [{ "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, - "Description": "C2 domains", + "Description": ["C2 domains"], "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { - "type": "fqdn" - }, - "BulkObservableList": [ - "kj290023j09r34.example.com", - "09ijk23jfj0k8.example.net", - "klknjwfjiowjefr923.example.org", - "oimireik79msd.example.org" - ] - } - } - ] + "type": "ipv6-addr", + "BulkObservableList": 
"kj290023j09r34.example.com"} } - ] + }] + }] } + Figure 5: Indicators from a Campaign in JSON + +A3 # map(3) + 67 # text(7) + 76657273696F6E # "version" + 63 # text(3) + 322E30 # "2.0" + 64 # text(4) + 6C616E67 # "lang" + 62 # text(2) + 656E # "en" + 68 # text(8) + 496E636964656E74 # "Incident" + 81 # array(1) + A9 # map(9) + 67 # text(7) + 707572706F7365 # "purpose" + 65 # text(5) + 7761746368 # "watch" + 6B # text(11) + 7265737472696374696F6E # "restriction" + 65 # text(5) + 677265656E # "green" + 6A # text(10) + 496E636964656E744944 # "IncidentID" + A2 # map(2) + 62 # text(2) + 6964 # "id" + 66 # text(6) + 383937393233 # "897923" + 64 # text(4) + 6E616D65 # "name" + 71 # text(17) + 63736972742E6578616D706C652E636F6D # "csirt.example.com" + 6F # text(15) + 52656C617465644163746976697479 # "RelatedActivity" + 81 # array(1) + A2 # map(2) + 6B # text(11) + 5468726561744163746F72 # "ThreatActor" + 81 # array(1) + A2 # map(2) + 6D # text(13) + 5468726561744163746F724944 # "ThreatActorID" + 81 # array(1) + 78 1A # text(26) + 54412D31322D414747524553534956452D425554544552464 + C59 # "TA-12-AGGRESSIVE-BUTTERFLY" + 6B # text(11) + 4465736372697074696F6E # "Description" + 81 # array(1) + 74 # text(20) + 4167677265737369766520427574746572666C79 + # "Aggressive Butterfly" + 68 # text(8) + 43616D706169676E # "Campaign" + 81 # array(1) + A2 # map(2) + 6A # text(10) + 43616D706169676E4944 # "CampaignID" + 81 # array(1) + 6C # text(12) + 432D323031352D3539343035 # "C-2015-59405" + 6B # text(11) + 4465736372697074696F6E # "Description" + 81 # array(1) + 6E # text(14) + 4F72616E67652047697261666665 # "Orange Giraffe" + 6E # text(14) + 47656E65726174696F6E54696D65 # "GenerationTime" + C0 # tag(0) + 78 19 # text(25) + 323031352D31302D30325431313A31383A30302D30353A3030 + # "2015-10-02T11:18:00-05:00" + 6B # text(11) + 4465736372697074696F6E # "Description" + 81 # array(1) + 78 6F # text(111) + 53756D6D6172697A65732074686520496E64696361746F7273206F6620436 + 
F6D70726F6D69736520666F7220746865204F72616E676520476972616666 + 652063616D706169676E206F6620746865204167677265737369766520427 + 574746572666C79206372696D652067616E672E + # "Summarizes the Indicators of Compromise for the Orange + Giraffe campaign of the Aggressive Butterfly crime gang." + 6A # text(10) + 4173736573736D656E74 # "Assessment" + 81 # array(1) + A1 # map(1) + 66 # text(6) + 496D70616374 # "Impact" + 81 # array(1) + A1 # map(1) + 6E # text(14) + 427573696E657373496D70616374 # "BusinessImpact" + A1 # map(1) + 64 # text(4) + 74797065 # "type" + 72 # text(18) + 6272656163682D70726F7072696574617279 + # "breach-proprietary" + 67 # text(7) + 436F6E74616374 # "Contact" + 81 # array(1) + A4 # map(4) + 64 # text(4) + 74797065 # "type" + 6C # text(12) + 6F7267616E697A6174696F6E # "organization" + 64 # text(4) + 726F6C65 # "role" + 67 # text(7) + 63726561746F72 # "creator" + 6B # text(11) + 436F6E746163744E616D65 # "ContactName" + 81 # array(1) + 75 # text(21) + 435349525420666F72206578616D706C652E636F6D + # "CSIRT for example.com" + 65 # text(5) + 456D61696C # "Email" + 81 # array(1) + A1 # map(1) + 67 # text(7) + 456D61696C546F # "EmailTo" + 78 19 # text(25) + 636F6E746163744063736972742E6578616D706C652E636F6D + # "contact@csirt.example.com" + 69 # text(9) + 496E64696361746F72 # "Indicator" + 81 # array(1) + A4 # map(4) + 6B # text(11) + 496E64696361746F724944 # "IndicatorID" + A3 # map(3) + 62 # text(2) + 6964 # "id" + 69 # text(9) + 473930383233343930 # "G90823490" + 64 # text(4) + 6E616D65 # "name" + 71 # text(17) + 63736972742E6578616D706C652E636F6D + # "csirt.example.com" + 67 # text(7) + 76657273696F6E # "version" + 61 # text(1) + 31 # "1" + 6B # text(11) + 4465736372697074696F6E # "Description" + 81 # array(1) + 6A # text(10) + 433220646F6D61696E73 # "C2 domains" + 69 # text(9) + 537461727454696D65 # "StartTime" + C0 # tag(0) + 78 19 # text(25) + 323031342D31322D30325431313A31383A30302D30353A3030 + # "2014-12-02T11:18:00-05:00" + 6A # text(10) + 
4F627365727661626C65 # "Observable" + A1 # map(1) + 6E # text(14) + 42756C6B4F627365727661626C65 # "BulkObservable" + A2 # map(2) + 64 # text(4) + 74797065 # "type" + 69 # text(9) + 697076362D61646472 # "ipv6-addr" + 72 # text(18) + 42756C6B4F627365727661626C654C697374 + # "BulkObservableList" + 78 1A # text(26) + 6B6A3239303032336A30397233342E6578616D706C652E636F6D + # "kj290023j09r34.example.com" + + Figure 6: Indicators from a Campaign in CBOR + 5. The IODEF Data Model (CDDL) start = iodef ;;; iodef.json: IODEF-Document - iodef = { version: text ? lang: lang ? format-id: text ? private-enum-name: text ? private-enum-id: text Incident: [+ Incident] ? AdditionalData: [+ ExtensionType] } 
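Review bot: In the Figure 5 JSON example the new `BulkObservable` declares `"type": "ipv6-addr"` while its `BulkObservableList` value is the domain name `kj290023j09r34.example.com`, and Figure 6 encodes the same mismatch in CBOR. A consumer that dispatches on `type` would try to handle the indicator as an address and reject or mis-file it, so the example should carry a domain-name type; the removed side used `"type": "fqdn"`, but the enumeration is not in this hunk, so the exact value needs checking against it. The list also shrinks from four domains to a single string although `Description` still reads "C2 domains". Separately, the incident `Description` string is wrapped across two lines inside the quotes, which a strict JSON parser rejects if the figure is copied verbatim, so a sentence saying the break is for presentation only would help. "shwon" in the 4.2 lead-in should read "shown".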
@@ -891,94 +1114,98 @@ ? AdditionalData: [+ ExtensionType] } duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / "year" / "ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value" +SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDREFType = IDtype +URLtype = uri TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" -PortlistType = text .regexp "\d+(\-\d+)?(,\d+(\-\d+)?)*" -action = "nothing" / "contact-source-site" / "cotact-target-site" / +PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*" +action = "nothing" / "contact-source-site" / "contact-target-site" / "contact-sender" / "investigate" / "block-host" / "block-network" / "block-port" / "rate-limit-host" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "honeypot" / "upgrade-software" / "rebuild-asset" / "harden-asset" / "remediate-other" / "status-triage" / "status-new-info" / "watch-and-report" / "training" / "defined-coa" / "other" / "ext-value" +DATETIME = tdate + MLStringType = { value: text ?lang: lang ?translation-id: text } -PositiveFloatType = { - value: float32 .gt 0 -} +PositiveFloatType = float32 .gt 0 PAddressType = MLStringType ExtensionType = { - value: text - ? Name: text + ? ssvalue: text + ? name: text dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / - "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" + "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" + .default "string" ? ext-dtype: text ? meaning: text ? formatid: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype } SoftwareType = { ? 
SoftwareReference: SoftwareReference - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } SoftwareReference = { ? value: text spec-name: "custom" / "cpe" / "swid" / "ext-value" ? ext-spec-name: text - ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string" + ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" + .default "string" ? ext-dtype: text } Incident = { purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value" ? ext-purpose: text ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / "ext-value" ? ext-status: text ? lang: lang ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype IncidentID: IncidentID ? AlternativeID: AlternativeID ? RelatedActivity: [+ RelatedActivity] - ? DetectTime: tdate - ? StartTime: tdate - ? EndTime: tdate - ? RecoveryTime: tdate - ? ReportTime: tdate - GenerationTime: tdate + ? DetectTime: DATETIME + ? StartTime: DATETIME + ? EndTime: DATETIME + ? RecoveryTime: DATETIME + ? ReportTime: DATETIME + GenerationTime: DATETIME ? Description: [+ text / MLStringType] ? Discovery: [+ Discovery] ? Assessment: [+ Assessment] ? Method: [+ Method] Contact: [+ Contact] ? EventData: [+ EventData] ? Indicator: [+ Indicator] ? History: History ? AdditionalData: [+ ExtensionType] } 
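Review bot: `? ssvalue: text` in the new `ExtensionType` looks like a typing slip for `? value: text`; nothing else in this hunk uses `ssvalue`, while `MLStringType` and `SoftwareReference` keep `value`. A CDDL map accepts only the members it lists, so a validator generated from this rule would not accept a `value` member in `AdditionalData` and the other `[+ ExtensionType]` fields, and extension payloads would fail validation or be dropped. I would change the line to `? value: text` and, if making the member optional is intended, state that in Section 2.2.4. The JSON Schema appendix is outside this hunk and should be checked for the same key.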
@@ -994,43 +1221,43 @@ AlternativeID = { ? restriction: restriction .default "private" ? ext-restriction: text IncidentID: [+ IncidentID] } RelatedActivity = { ? restriction: restriction .default "private" ? ext-restriction: text ? IncidentID: [+ IncidentID] - ? URL: [+ uri] + ? URL: [+ URLtype] ? ThreatActor: [+ ThreatActor] ? Campaign: [+ Campaign] ? IndicatorID: [+ IndicatorID] ? Confidence: Confidence ? Description: [+ text] ? AdditionalData: [+ ExtensionType] } ThreatActor = { ? restriction: restriction .default "private" ? ext-restriction: text ? ThreatActorID: [+ text] - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Campaign = { ? restriction: restriction .default "private" ? ext-restriction: text ? CampaignID: [+ text] - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Contact = { role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" / "victim" / "victim-notified" / "ext-value" ? ext-role: text 
@@ -1045,38 +1272,38 @@ ? PostalAddress: [+ PostalAddress] ? Email: [+ Email] ? Telephone: [+ Telephone] ? Timezone: TimeZonetype ? Contact: [+ Contact] ? AdditionalData: [+ ExtensionType] } RegistryHandle = { handle: text - registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / - "local" / "ext-value" + registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / + "afrinic" / "local" / "ext-value" ? ext-registry: text - } PostalAddress = { ? type: text ? ext-type: text PAddress: PAddressType - ? Description: [+ text / MLStringTYpe] + ? Description: [+ text / MLStringType] } Email = { ? type: "direct" / "hotline" / "ext-value" ? ext-type: text EmailTo: text ? Description: [+ text / MLStringType] + } Telephone = { ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? ext-type: text TelephoneNumber: text ? Description: [+ text / MLStringType] } Discovery = { @@ -1075,22 +1302,22 @@ Telephone = { ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? ext-type: text TelephoneNumber: text ? Description: [+ text / MLStringType] } Discovery = { ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / "incident" / "os-log" / "application-log" / "device-log" / - "network-flow" / "passive-dns" / "investiation" / "audit" / - "international-notification" / "external-notification" / + "network-flow" / "passive-dns" / "investigation" / "audit" / + "internal-notification" / "external-notification" / "leo" / "partner" / "actor" / "unknown" / "ext-value" ? ext-source: text ? restriction: restriction .default "private" ? ext-restriction: text ? Description: [+ text / MLStringType] ? Contact: [+ Contact] ? DetectionPattern: [+ DetectionPattern] } DetectionPattern = { 
@@ -1107,73 +1334,90 @@ ? ext-restriction: text ? Reference: [+ Reference] ? Description: [+ text / MLStringType] ? AttackPattern: [+ StructuredInformation] ? Vulnerability: [+ StructuredInformation] ? Weakness: [+ StructuredInformation] ? AdditionalData: [+ ExtensionType] } StructuredInformation = { - specID: text - ? ext-specID: text - ? contentID: text - ? RawData: any - ? URL: uri + SpecID: SpecID + ? ext-SpecID: text + ? ContentID: text + ? RawData: [+ ExtensionType] + ? Reference:[+ Reference] + ? Platform:[+ Platform] + ? Scoring:[+ Scoring] +} +Platform = { + SpecID: SpecID + ? ext-SpecID: text + ? ContentID: text + ? RawData: [+ ExtensionType] + ? Reference: [+ Reference] +} +Scoring = { + SpecID: SpecID + ? ext-SpecID: text + ? ContentID: text + ? RawData: [+ ExtensionType] + ? Reference: [+ Reference] } - Reference = { ? observable-id: IDtype ? ReferenceName: ReferenceName - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } ReferenceName = { specIndex: integer ID: IDtype } Assessment = { ? occurrence: "actual" / "potential" ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype ? IncidentCategory: [+ text / MLStringType] - Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} / - {TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} / - {MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}] + Impact: [+ {SystemImpact: SystemImpact} / + {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} / + {MonetaryImpact: MonetaryImpact} / + {IntendedImpact: BusinessImpact}] ? Counter: [+ Counter] ? MitigatingFactor: [+ text / MLStringType] ? Cause: [+ text / MLStringType] ? Confidence: Confidence ? AdditionalData: [+ ExtensionType] } SystemImpact = { ? severity: "low" / "medium" / "high" ? 
completion: "failed" / "succeeded" type: "takeover-account" / "takeover-service" / "takeover-system" / "cps-manipulation" / "cps-damage" / "availability-data" / "availability-account" / "availability-service" / "availability-system" / "damaged-system" / "damaged-data" / "breach-proprietary" / "breach-privacy" / "breach-credential" / - "breack-configuration" / "integrity-data" / + "breach-configuration" / "integrity-data" / "integrity-configuration" / "integrity-hardware" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "policy" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ text / MLStringType] } BusinessImpact = { - ? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown" + ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value" + .default "unknown" ? ext-severity: text type: "breach-proprietary" / "breach-privacy" / "breach-credential" / "loss-of-integrity" / "loss-of-service" / "theft-financial" / "theft-service" / "degraded-reputation" / "asset-damage" / "asset-manipulation" / "legal" / "extortion" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ text / MLStringType] } 
@@ -1203,60 +1446,60 @@ ? ext-restriction: text HistoryItem: [+ HistoryItem] } HistoryItem = { action: action .default "other" ? ext-action: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype - DateTime: tdate + DateTime: DATETIME ? IncidentID: IncidentID ? Contact: Contact ? Description: [+ text / MLStringType] ? DefinedCOA: [+ text] ? AdditionalData: [+ ExtensionType] } EventData = { ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype ? Description: [+ text / MLStringType] - ? DetectTime: tdate - ? StartTime: tdate - ? EndTime: tdate - ? RecoveryTime: tdate - ? ReportTime: tdate + ? DetectTime: DATETIME + ? StartTime: DATETIME + ? EndTime: DATETIME + ? RecoveryTime: DATETIME + ? ReportTime: DATETIME ? Contact: [+ Contact] ? Discovery: [+ Discovery] ? Assessment: Assessment ? Method: [+ Method] ? System: [+ System] ? Expectation: [+ Expectation] ? RecordData: [+ RecordData] ? EventData: [+ EventData] ? AdditionalData: [+ ExtensionType] } Expectation = { ? action: action .default "other" ? ext-action: text ? severity: "low" / "medium" / "high" ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype ? Description: [+ text / MLStringType] ? DefinedCOA: [+ text] - ? StartTime: tdate - ? EndTime: tdate + ? StartTime: DATETIME + ? EndTime: DATETIME ? Contact: Contact } System = { ? category: "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value" ? ext-category: text ? interface: text ? spoofed: "unknown" / "yes" / "no" .default "unknown" ? virtual: "yes" / "no" / "unknown" .default "unknown" 
@@ -1270,24 +1513,26 @@ ? NodeRole: [+ NodeRole] ? Service: [+ Service] ? OperatingSystem: [+ SoftwareType] ? Counter: [+ Counter] ? AssetID: [+ text] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Node = { - ? DomainData: [+ DomainData] - ? Address: [+ Address] - ? PostalAddress: PAddressType - ? Location: [+ text / MLSTringType] + ( DomainData:[+ DomainData] + ? Address:[+ Address]) / + (? DomainData:[+ DomainData] + + Address:[+ Address]) + ? PostalAddress: PostalAddress + ? Location: [+ text / MLStringType] ? Counter: [+ Counter] } Address = { value: text category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / "ext-value" .default "ipv6-addr" ? ext-category: text @@ -1316,39 +1562,39 @@ } Counter = { value: float32 type: "count" / "peak" / "average" / "ext-value" ? ext-type: text unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / "message" / "event" / "host" / "site" / "organization" / "ext-value" ? ext-unit: text - ? meaning: text / MLStringTYpe + ? meaning: text ? duration: duration .default "hour" ? ext-duration: text } DomainData = { system-status: "spoofed" / "fraudulent" / "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value" ? ext-system-status: text domain-status: "reservedDelegation" / "assignedAndActive" / "assignedAndInactive" / "assignedAndOnHold" / "revoked" / "transferPending" / "registryLock" / "registrarLock" / "other" / "unknown" / "ext-value" ? ext-domain-status: text ? observable-id: IDtype Name: text - ? DateDomainWasChecked: tdate - ? RegistrationDate: tdate - ? ExpirationDate: tdate + ? DateDomainWasChecked: DATETIME + ? RegistrationDate: DATETIME + ? ExpirationDate: DATETIME ? RelatedDNS: [+ ExtensionType] ? NameServers: [+ NameServers] ? DomainContacts: DomainContacts } NameServers = { Server: text Address: [+ Address] } 
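Review bot: The new `Node` rule joins its two parenthesised alternatives with `/`, which in CDDL is the type-choice operator; a choice between groups of map members is written `//`, so the rule as added is unlikely to parse in a CDDL tool. If the intent is "at least one of DomainData or Address", I would write it as `( DomainData:[+ DomainData] ? Address:[+ Address]) // (? DomainData:[+ DomainData] Address:[+ Address])` and run the whole data model through a CDDL validator before publishing, since implementers will generate parsers from it. The other members of the rule (`PostalAddress`, `Location`, `Counter`) are not affected.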
@@ -1366,47 +1612,156 @@ ? ProtoCode: integer ? ProtoType: integer ? ProtoField: integer ? ApplicationHeaderField: [+ ExtensionType] ? EmailData: EmailData ? Application: SoftwareType } ServiceName = { ? IANAService: text - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } EmailData = { ? observable-id: IDtype ? EmailTo: [+ text] ? EmailFrom: text ? EmailSubject: text ? EmailX-Mailer: text ? EmailHeaderField: [+ ExtensionType] ? EmailHeaders: text ? EmailBody: text ? EmailMessage: text ? HashData: [+ HashData] - ? Signature: [+ text] + ? Signature: [+ SignatureType] +} + +SignatureType = { + ? id: IDtype + SignedInfo: SignedInfoType + SignatureValue: SignatureValueType + ? KeyInfo: KeyInfoType + ? Object: [+ ObjectType] +} + +SignedInfoType = { + ? id: IDtype + CanonicalizationMethod: CanonicalizationMethodType + SignatureMethod: SignatureMethodType + Reference: [+ ReferenceType] +} + +SignatureMethodType = { + ? value: text + Algorithm: URLtype + ? HMACOutputLength: HMACOutputLengthType +} + +HMACOutputLengthType = integer + +ReferenceType = { + ? id: IDtype + ? URI: URLtype + ? Type: URLtype + ? Transforms: TransformsType + DigestMethod: DigestMethodType + DigestValue: DigestValueType +} + +TransformsType = { + Transform: [+ TransformType] +} + +TransformType = { + ? value: text + Algorithm: URLtype + ? XPath: [+ text] +} + +DigestMethodType = { + ? value: text + Algorithm: URLtype +} + +DigestValueType = eb64legacy + +SignatureValueType = { + value: eb64legacy + ? id: IDtype +} + +KeyInfoType = { + ? value: text + ? id: IDtype + KeyProperties: [+ {KeyName: text} / {KeyValue: KeyValueType} / + {RetrievalMethod: RetrievalMethodType} / + {X509Data: X509DataType} / {PGPData: PGPDataType} / + {SPKIData: SPKIDataType} / {MgmtData: text}] +} + +KeyValueType = { + ? value: text + KeyValueProperties: {DSAKeyValue: DSAKeyValueType} / + {RSAKeyValue: RSAKeyValueType} +} + +DSAKeyValueType = { + ? P: CryptoBinary + ? Q: CryptoBinary + ? 
G: CryptoBinary + Y: CryptoBinary + ? J: CryptoBinary + ? Seed: CryptoBinary + ? PgenCounter: CryptoBinary } + +CryptoBinary = eb64legacy + +RSAKeyValueType ={ + Modulus: CryptoBinary + Exponent: CryptoBinary +} + +RetrievalMethodType = { + URI: URLtype + ? Type: URLtype + ? Transforms: TransformsType +} +PGPDataType = { + ? value: text + PGPDataProperties: {PGPKeyID: eb64legacy} / {PGPKeyPacket: eb64legacy} +} + +SPKIDataType = { + ? value: text + SPKISexp: [+ eb64legacy] +} + +ObjectType = { + ? value: text + ? id: IDtype + ? MimeType: text + ? Encoding: URLtype +} + RecordData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype - ? DateTime: tdate + ? DateTime: DATETIME ? Description: [+ text / MLStringType] - ? Applicadtion: SoftwareType + ? Application: SoftwareType ? RecordPattern: [+ RecordPattern] ? RecordItem: [+ ExtensionType] - ? URL: [+ uri] + ? URL: [+ URLtype] ? FileData: [+ FileData] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? CertificateData: [+ CertificateData] ? AdditionalData: [+ ExtensionType] } RecordPattern = { value: text type: "regex" / "binary" / "xpath" / "ext-value" .default "regex" ? ext-type: text 
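Review bot: `HMACOutputLengthType = integer` accepts zero, negative and very small values, so a `SignatureMethodType` can describe an HMAC truncated to a length that no longer authenticates anything. XML Signature, which these types mirror, requires verifiers to reject a truncation length below 80 bits or below half the hash output, and a consumer that verifies a `Signature` taken from an `EmailData` or `File` record needs the same floor. I would narrow the type to `HMACOutputLengthType = uint` and add a CDDL comment such as `; verifiers MUST reject values below 80 or below half the digest length`. Separately, `ReferenceType.URI` and `RetrievalMethodType.URI` arrive inside a report from another party, and the draft should state that they are not to be dereferenced automatically.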
@@ -1430,75 +1784,93 @@ KeyName: text ? KeyValue: text } CertificateData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Certificate: [+ Certificate] } + Certificate = { ? observable-id: IDtype - X509Data: text + X509Data: X509DataType ? Description: [+ text / MLStringType] } +X509DataType = { + X509DataProperties: [+ {X509IssuerSerial: X509IssuerSerialType} / + {X509SKI: eb64legacy} / {X509SubjectName: text} / + {X509Certificate: eb64legacy} / + {X509CRL: eb64legacy}] +} + +X509IssuerSerialType = { + X509IssuerName: text + X509SerialNumber: integer +} + FileData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype File: [+ File] } File = { ? observable-id: IDtype ? FileName: text ? FileSize: integer ? FileType: text - ? URL: [+ uri] + ? URL: [+ URLtype] ? HashData: HashData - ? Signature: [+ text] + ? Signature: [+ SignatureType] ? AssociatedSoftware: SoftwareType ? FileProperties: [+ ExtensionType] } HashData = { scope: "file-contents" / "file-pe-section" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" / "email-hash" / "email-hash-header" / "email-hash-body" ? HashTargetID: text ? Hash: [+ Hash] ? FuzzyHash: [+ FuzzyHash] } Hash = { - DigestMethod: text - DigestValue: text - ? CanonicalizationMethod: any + DigestMethod: DigestMethodType + DigestValue: DigestValueType + ? CanonicalizationMethod: CanonicalizationMethodType ? Application: SoftwareType } +CanonicalizationMethodType = { + ? value: text + Algorithm: URLtype +} + FuzzyHash = { FuzzyHashValue: [+ ExtensionType] ? Application: SoftwareType ? AdditionalData: [+ ExtensionType] } Indicator = { ? restriction: restriction .default "private" ? ext-restriction: text IndicatorID: IndicatorID ? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? Description: [+ text / MLStringType] - ? StartTime: tdate - ? EndTime: tdate + ? StartTime: DATETIME + ? EndTime: DATETIME ? Confidence: Confidence ? 
Contact: [+ Contact] ? Observable: Observable ? uid-ref: IDREFType ? IndicatorExpression: IndicatorExpression ? IndicatorReference: IndicatorReference ? NodeRole: [+ NodeRole] ? AttackPhase: [+ AttackPhase] ? Reference: [+ Reference] ? AdditionalData: [+ ExtensionType] 
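Review bot: `X509SerialNumber: integer` in `X509IssuerSerialType` will not round-trip reliably through the JSON binding, because certificate serial numbers may be up to 20 octets long while Appendix A of this draft maps `integer` to a JSON number, which many parsers hold as a double and silently round above 2^53. Two different certificates could then compare equal, or a known-bad serial fail to match, when the value is used as an indicator. Consider carrying the serial as a string, `X509SerialNumber: text ; decimal digits, no precision loss`, or stating that JSON producers must not emit it as a bare number. The `Indicator` rule at the end of this hunk continues outside it.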
@@ -1572,891 +1944,1550 @@ } IndicatorReference = { ? uid-ref: IDREFType ? euid-ref: text ? version: text } AttackPhase = { ? AttackPhaseID: [+ text] - ? URL: [+ uri] + ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } - Figure 3: Data Model in CDDL + Figure 7: Data Model in CDDL 6. Acknowledgements - We would like to thank Yasuaki Morita, Henk Birkholz and Carsten - Bormann for their insightful comments on CDDL. + We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki + Morita, and Takahiko Nagata for their insightful comments on CDDL. 7. IANA Considerations This document registers a JSON schema. 8. Security Considerations This memo does not provide any further security considerations than the one described in [RFC7970]. -9. Normative References +9. References - [jsonschema] - "JSON Schema", 2006. +9.1. Normative References - http://json-schema.org/ + [cddlspec] + Henk Birkholz, Christoph Vigano, and Carsten Bormann, + "Concise data definition language (CDDL): a notational + convention to express CBOR and JSON data structuresy", + 2018. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, . -Appendix A. The IODEF Data Model (JSON Schema) +9.2. Informative References + + [jsonschema] + Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema: + core definitions and terminology", 2013. + +Appendix A. Data Types used in this document + + The CDDL prelude used in this document is mapped to JSON as shown in + the table below. 
+ + +-----------------+-------------------+----------------------------+ + | CDDL Prelude | Use of JSON | Instance | Validation | + +-----------------+-------------------+----------------------------+ + | bytes | n/a | string | tool available | + | text | string | string | unnecessary | + | tdate | n/a | string | 7.3.1 date-time | + | integer | n/a | number | integer | + | eb64legacy | n/a | string | tool available | + | uri | n/a | string | 7.3.6 uri | + | float32 | float32 | number | unnecessary | + +-----------------+-------------------+----------------------------+ + + Figure 8 + +Appendix B. The IODEF Data Model (JSON Schema) This section provides a JSON schema that defines the IODEF Data Model defined in this draft. { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site", "contact-target-site","contact-sender","investigate", "block-host","block-network","block-port","rate-limit-host", "rate-limit-network","rate-limit-port","redirect-traffic", "honeypot","upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", - "watch-and-report","training","defined-coa","ext-value"]}, - "duration": {"enum": ["second","minute","hour","day","month","quarter", - "year","ext-value"]}, - "lang": {"enum": ["en","jp"]}, + "watch-and-report","training","defined-coa","other", + "ext-value"]}, + "duration":{"enum":["second","minute","hour","day","month", + "quarter","year","ext-value"]}, + "SpecID":{ + "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, + "lang": { + "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "purpose": {"enum": ["traceback","mitigation","reporting","watch", "other","ext-value"]}, "restriction": {"enum": ["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved", "future","ext-value"]}, - "DATETIME": {"type": 
"string"}, - "PORTLIST": {"type": "string"}, - "URLtype": {"type": "string"}, - "IDtype": {"type": "string"}, + "DATETIME": {"type": "string","format": "date-time"}, + "PortlistType": { + "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"}, + "TimeZonetype": { + "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, + "URLtype": { + "type": "string", + "pattern": + "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, + "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, + "IDREFType": {"$ref": "#/definitions/IDtype"}, + "CryptoBinary": {"type": "string"}, + "MLStringType": { + "type": "object", + "properties": { + "value": {"type": "string"}, + "lang": {"$ref": "#/definitions/lang"}, + "translation-id": {"type": "string"}}, + "required": ["value"], + "additionalProperties":false}, + "PositiveFloatType": {"type": "number","minimum": 0}, + "PAddressType": {"$ref": "#/definitions/MLStringType"}, "ExtensionType": { "type": "object", "properties": { - "name": {"type": "string"}, - "dtype": {"enum": ["boolean","byte","bytes","character","date-time", - "ntpstamp","integer","portlist","real","string","file", - "path","frame","packet","ipv4-packet","ipv6-packet","url", - "csv","winreg","xml","ext-value"]}, + "value": {"type": "string"}, + "Name": {"type": "string"}, + "dtype":{"enum":["boolean","byte","bytes","character", + "date-time","ntpstamp","integer","portlist","real","string", + "file","path","frame","packet","ipv4-packet","ipv6-packet", + "url", "csv","winreg","xml","ext-value"],"default": "string"}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": { + "$ref": "#/definitions/restriction","default": "private"}, "ext-restriction": {"type": "string"}, - "observable-id": {"$ref": "#/definitions/IDtype"}}}, + "observable-id": {"$ref": "#/definitions/IDtype"}}, + "required": ["value","dtype"], + 
"additionalProperties":false}, "ExtensionTypeList": { "type": "array", - "items": {"$ref": "#/definitions/ExtensionType"}}, + "items": {"$ref": "#/definitions/ExtensionType"}, + "minItems": 1}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, - "URL": {"$ref": "#/definitions/URLtype"}, - "Description": {"type": "array", "items": {"type":"string"}}}, + "URL": { + "type": "array", + "items": {"$ref": "#/definitions/URLtype", + "minItems": 1}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1 }}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, - "spec-name": {"type": "string"}, + "spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "ext-spec-name": {"type": "string"}, - "dtype": {"type": "string"}, + "dtype": {"enum": ["bytes","integer","real","string","xml", + "ext-value"] , "default": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, - "StructuredInfo": { + "StructuredInformation": { "type": "object", "properties": { - "specID": {"type": "string"}, - "ext-specID": {"type": "string"}, - "contentID": {"type": "string"}, - "RawData": {"type": "string"}, - "URL": {"$ref": "#/definitions/URLtype"}}, - "required": ["specID"], + "SpecID": {"$ref":"#/definitions/SpecID"}, + "ext-SpecID": {"type": "string"}, + "ContentID": {"type": "string"}, + "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, + "Reference": { + "type": "array", + "items": {"$ref": "#/definitions/Reference"}, + "minItems": 1 + }, + "Platform": { + "type": "array", + "items": {"$ref": "#/definitions/Platform"}, + "minItems": 1 + }, + "Scoring": { + "type": "array", + "items": {"$ref": "#/definitions/Scoring"}, + "minItems": 1}}, + "required": ["SpecID"], + "additionalProperties": false}, + "Platform": { 
+ "type": "object", + "properties": { + "SpecID": {"$ref":"#/definitions/SpecID"}, + "ext-SpecID": {"type": "string"}, + "ContentID": {"type": "string"}, + "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, + "Reference": { + "type": "array", + "items": {"$ref": "#/definitions/Reference"}, + "minItems": 1}}, + "required": ["SpecID"], + "additionalProperties": false}, + "Scoring": { + "type": "object", + "properties": { + "SpecID": {"$ref":"#/definitions/SpecID"}, + "ext-SpecID": {"type": "string"}, + "ContentID": {"type": "string"}, + "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, + "Reference": { + "type": "array", + "items": {"$ref": "#/definitions/Reference"}, + "minItems": 1}}, + "required": ["SpecID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array", - "items": {"$ref": "#/definitions/RelatedActivity"}}, - "DetectTime": {"type": "string"}, - "StartTime": {"type": "string"}, - "EndTime": {"type": "string"}, - "RecoveryTime": {"type": "string"}, - "ReportTime": {"type": "string"}, - "GenerationTime": {"type": "string"}, - "Description": {"type": "array","items": {"type": "string"}}, + "items": {"$ref": "#/definitions/RelatedActivity"}, + "minItems": 1}, + "DetectTime": {"$ref": "#/definitions/DATETIME"}, + "StartTime": {"$ref": "#/definitions/DATETIME"}, + "EndTime": {"$ref": 
"#/definitions/DATETIME"}, + "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, + "ReportTime": {"$ref": "#/definitions/DATETIME"}, + "GenerationTime": {"$ref": "#/definitions/DATETIME"}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "Discovery": { - "type": "array","items": {"$ref": "#/definitions/Discovery"}}, + "type": "array", + "items": {"$ref": "#/definitions/Discovery"}, + "minItems": 1}, "Assessment": { - "type": "array","items": {"$ref": "#/definitions/Assessment"}}, - "Methods": { - "type": "array","items": {"$ref": "#/definitions/Method"}}, - "Contacts": { - "type": "array","items": {"$ref": "#/definitions/Contact"}}, + "type": "array", + "items": {"$ref": "#/definitions/Assessment"}, + "minItems": 1}, + "Method": { + "type": "array", + "items": {"$ref": "#/definitions/Method"}, + "minItems": 1}, + "Contact": { + "type": "array", + "items": {"$ref": "#/definitions/Contact"}, + "minItems": 1}, "EventData": { - "type": "array","items": {"$ref": "#/definitions/EventData"}}, - "IndicatorList": { - "type": "array","items": {"$ref": "#/definitions/Indicator"}}, - + "type": "array", + "items": {"$ref": "#/definitions/EventData"}, + "minItems": 1}, + "Indicator": { + "type": "array", + "items": {"$ref": "#/definitions/Indicator"}, + "minItems": 1}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, - "required": ["IncidentID","GenerationTime","Contacts","purpose"], + "required": ["IncidentID","GenerationTime","Contact","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, 
"ext-restriction": {"type": "string"}}, - "required": ["name"], + "required": ["id","name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { - "type": "array","items":{"$ref": "#/definitions/IncidentID"}}, - "restriction": {"$ref": "#/definitions/restriction"}, + "type": "array", + "items":{"$ref": "#/definitions/IncidentID"}, + "minItems": 1}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "IncidentID": { - "type": "array","items": {"$ref": "#/definitions/IncidentID"}}, + "type": "array", + "items": {"$ref": "#/definitions/IncidentID"}, + "minItems": 1}, "URL": { - "type": "array","items": {"$ref": "#/definitions/URLtype"}}, + "type": "array", + "items": {"$ref": "#/definitions/URLtype"}, + "minItems": 1}, "ThreatActor": { - "type": "array","items": {"$ref": "#/definitions/ThreatActor"}}, + "type": "array", + "items": {"$ref": "#/definitions/ThreatActor"}, + "minItems": 1}, "Campaign": { - "type": "array","items": {"$ref": "#/definitions/Campaign"}}, + "type": "array", + "items": {"$ref": "#/definitions/Campaign"}, + "minItems": 1}, "IndicatorID": { - "type": "array","items": {"$ref": "#/definitions/IndicatorID"}}, + "type": "array", + "items": {"$ref": "#/definitions/IndicatorID"}, + "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, - "Description": { "type": "array","items": {"type": "string"}}, + "Description": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, 
"ThreatActor": { "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, - "ThreatActorID": {"type": "array", "items": {"type": "string"}}, - "Description": {"type": "array", "items": {"type": "string"}}, - "URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}}, + "ThreatActorID": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "URL": { + "type":"array", + "items":{"$ref":"#/definitions/URLtype"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, - "CampaignID": {"type": "array", "items": {"type": "string"}}, - "URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, - "Description": {"type": "array", "items": {"type": "string"}}, + "CampaignID": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, + "URL": { + "type":"array", + "items":{"$ref":"#/definitions/URLtype"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum": ["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, - "restriction": {"$ref": 
"#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, - "ContactName": {"type": "array", "items": {"type": "string"}}, - "ContactTitle": {"type": "array", "items": {"type": "string"}}, - "Description": {"type": "array", "items": {"type": "string"}}, + "ContactName": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + + "ContactTitle": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "RegistryHandle": { - "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}}, + "type":"array", + "items":{"$ref":"#/definitions/RegistryHandle"}, + "minItems": 1}, "PostalAddress": { - "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}}, - "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, + "type":"array", + "items":{"$ref":"#/definitions/PostalAddress"}, + "minItems": 1}, + "Email": { + "type": "array", + "items": {"$ref": "#/definitions/Email"}, + "minItems": 1}, "Telephone": { - "type": "array", "items": {"$ref": "#/definitions/Telephone"}}, - "Timezone": {"type": "string"}, + "type": "array", + "items": {"$ref": "#/definitions/Telephone"}, + "minItems": 1}, + "Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Contact": { - "type": "array", "items": {"$ref": "#/definitions/Contact"}}, + "type": "array", + "items": {"$ref": "#/definitions/Contact"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", 
"local","ext-value"]}, "ext-registry": {"type": "string"}}, - "required": ["registry"], + "required": ["handle","registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": {"type": "string"}, "ext-type": {"type": "string"}, - "PAddress": {"type": "string"}, - "Description": {"type": "array", "items": {"type": "string"}}}, + "PAddress": {"$ref": "#/definitions/PAddressType"}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, - "Description": {"type": "array", "items": {"type": "string"}}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, - "Description": {"type": "array", "items": {"type": "string"}}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": 
"private"}, "ext-restriction": {"type": "string"}, - "Description": {"type": "array", "items": {"type": "string"}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "Contact": { - "type": "array", "items": {"$ref": "#/definitions/Contact"}}, + "type": "array", + "items": {"$ref": "#/definitions/Contact"}, + "minItems": 1}, "DetectionPattern": { "type":"array", - "items":{"$ref":"#/definitions/DetectionPattern"}}}, + "items":{"$ref":"#/definitions/DetectionPattern"}, + "minItems": 1}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, - "Description": {"type": "array", "items": {"type": "string"}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "DetectionConfiguration": { - "type": "array", "items": {"type": "string"}}}, + "type": "array", + "items": {"type": "string"}, + "minItems": 1}}, "required": ["Application"], "additionalProperties": false}, "Method": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, - "References": { - "type": "array","items": {"$ref": "#/definitions/Reference"}}, - "Description": {"type": "array", "items": {"type": "string"}}, + "Reference": { + "type": "array", + "items": {"$ref": "#/definitions/Reference"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, 
"AttackPattern": { - "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, + "type":"array", + "items":{"$ref":"#/definitions/StructuredInformation"}, + "minItems": 1}, "Vulnerability": { - "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, + "type":"array", + "items":{"$ref":"#/definitions/StructuredInformation"}, + "minItems": 1}, "Weakness": { - "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, + "type":"array", + "items":{"$ref":"#/definitions/StructuredInformation"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, - "ReferenceName": {"type": "string"}, - "URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, - "Description": {"type": "array", "items": {"type": "string"}}}, + "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, + "URL":{ + "type":"array", + "items":{"$ref":"#/definitions/URLtype"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": [], "additionalProperties": false}, + "ReferenceName" : { + "type": "object", + "properties": { + "specIndex": {"type": "number"}, + "ID": {"$ref":"#/definitions/IDtype"}}, + "required": ["specIndex","ID"], + "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, - "IncidentCategory": {"type": "array", "items": {"type": "string"}}, - "SystemImpact": { - "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, - "BusinessImpact": { - "type":"array", 
"items":{"$ref":"#/definitions/BusinessImpact"}}, - "TimeImpact": { - "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, - "MonetaryImpact": { - "type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}}, - "IntendedImpact": { - "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}}, + "IncidentCategory": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "Impact": { + "type": "array", + "items": { + "properties": { + "SystemImpact":{"$ref":"#/definitions/SystemImpact"}, + "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, + "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, + "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, + "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, + "additionalProperties":false}, + "minItems" : 1 + }, "Counter": { - "type": "array", "items": {"$ref": "#/definitions/Counter"}}, + "type": "array", + "items": {"$ref": "#/definitions/Counter"}, + "minItems": 1}, "MitigatingFactor": { - "type": "array", "items": {"$type": "string"}}, - "Cause": {"type": "array", "items": {"$type": "string"}}, + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "Cause": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, - "required": [], + "required": ["Impact"], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { - "severity": { - "enum":["low","medium","high"]}, + "severity": {"enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { - "enum":["takeover-account","takeover-service","takeover-system", - "cps-manipulation","cps-damage","availability-data", - "availability-account","availability-service", - 
"availability-system","damaged-system","damaged-data", - "breach-proprietary","breach-privacy","breach-credential", + "enum":["takeover-account","takeover-service", + "takeover-system","cps-manipulation","cps-damage", + "availability-data","availability-account", + "availability-service","availability-system", + "damaged-system","damaged-data","breach-proprietary", + "breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic", "monitoring-host","policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, - "Description": {"type": "array","items": {"type": "string"}}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { - "severity": { - "enum":["none","low","medium","high","unknown","ext-value"]}, - + "severity": {"enum":["none","low","medium","high","unknown", + "ext-value"],"default": "unknown"}, "ext-severity": {"type":"string"}, - "type": { - "enum":["breach-proprietary","breach-privacy","breach-credential", - "loss-of-integrity","loss-of-service","theft-financial", - "theft-service","degraded-reputation","asset-damage", - "asset-manipulation","legal","extortion","unknown", - "ext-value"]}, + "type": {"enum":["breach-proprietary","breach-privacy", + "breach-credential","loss-of-integrity","loss-of-service", + "theft-financial","theft-service","degraded-reputation", + "asset-damage","asset-manipulation","legal","extortion", + "unknown","ext-value"]}, "ext-type": {"type": "string"}, - "Description": {"type": "array","items": {"type": "string"}}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { 
"type": "object", "properties": { - "value": {"type": "number"}, + "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, - "duration": {"$ref":"#/definitions/duration"}, + "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, - "required": ["metric"], + "required": ["value","metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { - "value": {"type": "number"}, + "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, - "required": [], + + "required": ["value"], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, - "rating": { - "enum": ["low","medium","high","numeric","unknown","ext-value"]}, + "rating": {"enum": ["low","medium","high","numeric","unknown", + "ext-value"]}, "ext-rating": {"type":"string"}}, - "required": ["rating"], + "required": ["value","rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "HistoryItem": { - "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}}, + "type": "array", + "items": {"$ref": "#/definitions/HistoryItem"}, + "minItems": 1}}, "required": ["HistoryItem"], "additionalProperties": false}, - "HistoryItem": { "type": "object", "properties": { - "action": {"$ref": "#/definitions/action"}, + "action": {"$ref": "#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": 
"string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, - "Description": {"type": "array","items": {"type": "string"}}, - "DefinedCOA": {"type": "array","items": {"type": "string"}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "DefinedCOA": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, - "Description": {"type": "array","items": {"type": "string"}}, - "DetectTime": {"type": "string"}, - "StartTime": {"type": "string"}, - "EndTime": {"type": "string"}, - "RecoveryTime": {"type": "string"}, - "ReportTime": {"type": "string"}, + "Description": {"type": "array", + "items": { "type":"string", + "$ref":"#/definitions/MLStringType"}}, + "DetectTime": {"$ref": "#/definitions/DATETIME"}, + "StartTime": {"$ref": "#/definitions/DATETIME"}, + "EndTime": {"$ref": "#/definitions/DATETIME"}, + "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, + "ReportTime": {"$ref": "#/definitions/DATETIME"}, "Contact": { - "type": "array","items": {"$ref": "#/definitions/Contact"}}, + "type": "array", + "items": {"$ref": "#/definitions/Contact"}, + "minItems": 1}, "Discovery": { - "type": "array","items": {"$ref": "#/definitions/Discovery"}}, + "type": "array", + "items": {"$ref": "#/definitions/Discovery"}, + "minItems": 1}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { - "type": "array","items": {"$ref": 
"#/definitions/Method"}}, + "type": "array", + "items": {"$ref": "#/definitions/Method"}, + "minItems": 1}, "System": { - "type": "array","items": {"$ref": "#/definitions/System"}}, + "type": "array", + "items": {"$ref": "#/definitions/System"}, + "minItems": 1}, "Expectation": { - "type": "array","items": {"$ref": "#/definitions/Expectation"}}, - "RecordData": {"type": "array", - "items": {"$ref": "#/definitions/RecordData"}}, + "type": "array", + "items": {"$ref": "#/definitions/Expectation"}, + "minItems": 1}, + "RecordData": { + "type": "array", + "items": {"$ref": "#/definitions/RecordData"}, + "minItems": 1}, "EventData": { - "type": "array","items": {"$ref": "#/definitions/EventData"}}, + "type": "array", + "items": {"$ref": "#/definitions/EventData"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, - "required": ["ReportTime"], + "required": [], "additionalProperties": false}, "Expectation": { "type": "object", "properties": { - "action": {"$ref":"#/definitions/action"}, + "action": {"$ref":"#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "default"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, - "Description": {"type": "array","items": {"type": "string"}}, - "DefinedCOA": {"type": "array","items": {"type": "string"}}, - "StartTime": {"type": "string"}, - "EndTime": {"type": "string"}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "DefinedCOA": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, + "StartTime": {"$ref": "#/definitions/DATETIME"}, + "EndTime": {"$ref": "#/definitions/DATETIME"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], 
"additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor", "infrastructure","ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, - "spoofed": {"enum": ["unknown","yes","no"]}, - "virtual": {"enum": ["yes","no","unknown"]}, + "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, + "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { - "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, + "type": "array", + "items": {"$ref": "#/definitions/NodeRole"}, + "minItems": 1}, "Service": { - "type": "array","items": {"$ref": "#/definitions/Service"}}, + "type": "array", + "items": {"$ref": "#/definitions/Service"}, + "minItems": 1}, "OperatingSystem": { - "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, + "type": "array", + "items": {"$ref": "#/definitions/SoftwareType"}, + "minItems": 1}, "Counter": { - "type": "array","items": {"$ref": "#/definitions/Counter"}}, - "AssetID": {"type": "array","items": {"type": "string"}}, - "Description": {"type": "array","items": {"type": "string"}}, + "type": "array", + "items": {"$ref": "#/definitions/Counter"}, + "minItems": 1}, + "AssetID": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], 
"additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { - "type": "array","items": {"$ref": "#/definitions/DomainData"}}, + "type": "array", + "items": {"$ref": "#/definitions/DomainData"}, + "minItems": 1}, "Address": { - "type": "array","items": {"$ref": "#/definitions/Address"}}, - "PostalAddress": {"type": "string"}, - "Location": {"type": "array","items": {"type": "string"}}, - "Counter": {"type":"array", - "items":{"$ref":"#/definitions/Counter"}}}, + "type": "array", + "items": {"$ref": "#/definitions/Address"}, + "minItems": 1}, + "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, + "Location": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "Counter": { + "type":"array", + "items":{"$ref":"#/definitions/Counter"}, + "minItems": 1}}, "required": [], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": { "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", - "ipv6-net-masked","mac","site-url","ext-value"]}, + "ipv6-net-masked","mac","site-url","ext-value"], + "default": "ipv6-addr"}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, - "vlan-num": {"type": "integer"}, + "vlan-num": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, - "required": ["category"], + "required": ["value","category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","clent-partner", "client-remote","client-kiosk","client-mobile", "server-internal","server-public","www","mail","webmail", "messaging","streaming","voice","file","ftp","p2p","name", "directory","credential","print","application","database", "backup","dhcp","assessment","source-control", "config-management","monitoring","infra","infra-firewall", 
"infra-router","infra-switch","camera","proxy", "remote-access","log","virtualization","pos", "scada", "scada-supervisory","sinkhole","honeypot","anomyzation", "c2-server","malware-distribution","drop-server", "hot-point","reflector","phishing-site", - "spear-phishing-site","recruiting-site", - "fraudulent-site","ext-value"]}, + "spear-phishing-site","recruiting-site","fraudulent-site", + "ext-value"]}, "ext-category": {"type": "string"}, - "Description": {"type": "array","items": {"type": "string"}}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { - "value": {"type": "string"}, + "value": {"type": "number"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit": {"enum": ["byte","mbit","packet","flow","session","alert", - "message","event","host","site","organization", - "ext-value"]}, + "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, - "duration": {"$ref":"#/definitions/duration"}, + "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, - "required": ["type","unit"], + "required": ["value","type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { - "enum": [ - "reservedDelegation","assignedAndActive","assignedAndInactive", - "assignedAndOnHold","revoked","transferPending","registryLock", - "registrarLock","other","unknown","ext-value"]}, + "enum": [ "reservedDelegation","assignedAndActive", + "assignedAndInactive","assignedAndOnHold","revoked", + 
"transferPending","registryLock","registrarLock", + "other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { - "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, + "type": "array", + "items": {"$ref": "#/definitions/ExtensionType"}, + "minItems": 1}, "NameServers": { - "type": "array","items": {"$ref": "#/definitions/NameServers"}}, - "DomainContacts": { - "$ref": "#/definitions/DomainContacts"}}, + "type": "array", + "items": {"$ref": "#/definitions/NameServers"}, + "minItems": 1}, + "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, "required": ["Name","system-status","domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, - "Address": {"type":"array", - "items":{"$ref":"#/definitions/Address"}}}, + "Address": { + "type":"array", + "items":{"$ref":"#/definitions/Address"}, + "minItems": 1}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, - "Contact": {"type":"array", - "items":{"$ref":"#/definitions/Contact"}}}, + "Contact": { + "type":"array", + "items":{"$ref":"#/definitions/Contact"}, + "minItems": 1}}, "required": ["Contact"], "additionalProperties": false}, "Service": { "type": "object", "properties": { - "ip-protocol": {"type": "integer"}, + "ip-protocol": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, - "Port": {"type": "integer"}, - "Portlist": {"$ref": "#/definitions/PORTLIST"}, - "ProtoCode": {"type": "integer"}, - "ProtoType": {"type": "integer"}, - "ProtoField": {"type": "integer"}, - 
"ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"}, + "Port": {"type": "number"}, + "Portlist": {"$ref": "#/definitions/PortlistType"}, + "ProtoCode": {"type": "number"}, + "ProtoType": {"type": "number"}, + "ProtoField": {"type": "number"}, + "ApplicationHeaderField":{ + "$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, - "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, - "Description": {"type": "array","items": {"type": "string"}}}, + "URL": {"type": "array", + "items": {"$ref": "#/definitions/URLtype"}}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, - "EmailTo": {"type": "array","items": {"type": "string"}}, + "EmailTo": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { - "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, + "type": "array", + "items": {"$ref": "#/definitions/ExtensionType"}, + "minItems": 1}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { - "type": "array","items": {"$ref": "#/definitions/HashData"}}, - "Signature": {"type": "array","items": {"type": "string"}}}, + "type": "array", + "items": {"$ref": "#/definitions/HashData"}, + "minItems": 1}, + "Signature": { + "type": "array", + "items": {"$ref": "#/definitions/SignatureType"}, + "minItems": 1}}, "required": [], "additionalProperties": false}, + 
"SignatureType": {
+ "type": "object",
+ "properties": {
+ "id": {"$ref": "#/definitions/IDtype"},
+ "SignedInfo": {"$ref": "#/definitions/SignedInfoType"},
+ "SignatureValue": {"$ref": "#/definitions/SignatureValueType"},
+ "KeyInfo": {"$ref": "#/definitions/KeyInfoType"},
+ "Object": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ObjectType"},
+ "minItems": 1}},
+ "required": ["SignedInfo","SignatureValue"],
+ "additionalProperties": false
+ },
+ "SignatureValueType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "id": {"$ref": "#/definitions/IDtype"}
+ },
+ "required": ["value"],
+ "additionalProperties": false
+ },
+ "SignedInfoType": {
+ "type": "object",
+ "properties": {
+ "id": {"$ref": "#/definitions/IDtype"},
+ "CanonicalizationMethod":
+ {"$ref": "#/definitions/CanonicalizationMethodType"},
+ "SignatureMethod": {"$ref":"#/definitions/SignatureMethodType"},
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ReferenceType"},
+ "minItems": 1}
+
+ },
+ "required": ["CanonicalizationMethod","SignatureMethod",
+ "Reference"],
+ "additionalProperties": false
+ },
+ "SignatureMethodType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "Algorithm": {"$ref": "#/definitions/URLtype"},
+ "HMACOutputLength":{"$ref":"#/definitions/HMACOutputLengthType"}
+ },
+ "required": ["Algorithm"],
+ "additionalProperties": false
+ },
+ "HMACOutputLengthType": {"type": "number"},
+ "ReferenceType": {
+ "type": "object",
+ "properties": {
+ "id": {"$ref": "#/definitions/IDtype"},
+ "URI": {"$ref": "#/definitions/URLtype"},
+ "Type": {"$ref": "#/definitions/URLtype"},
+ "Transforms": {"$ref": "#/definitions/TransformsType"},
+ "DigestMethod": {"$ref": "#/definitions/DigestMethodType"},
+ "DigestValue": {"$ref": "#/definitions/DigestValueType"}
+ },
+ "required": ["DigestMethod","DigestValue"],
+ "additionalProperties": false
+ },
+ "TransformsType": {
+ "type": "object",
+ "properties": {
+ "Transform": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/TransformType"},
+ "minItems": 1}
+ },
+ "required": ["Transform"],
+ "additionalProperties": false
+ },
+ "TransformType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "Algorithm": {"$ref": "#/definitions/URLtype"},
+ "XPath": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1}
+ },
+ "required": ["Algorithm"],
+ "additionalProperties": false
+ },
+ "DigestMethodType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "Algorithm": {"$ref": "#/definitions/URLtype"}
+ },
+ "required": ["Algorithm"],
+ "additionalProperties": false
+ },
+ "DigestValueType": {"type": "string"},
+ "KeyInfoType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "id": {"$ref": "#/definitions/IDtype"},
+ "KeyProperties": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "KeyName": {"type": "string"},
+ "KeyValue": {"$ref": "#/definitions/KeyValueType"},
+ "RetrievalMethod":
+ {"$ref": "#/definitions/RetrievalMethodType"},
+ "X509Data": {"$ref": "#/definitions/X509DataType"},
+ "PGPData": {"$ref": "#/definitions/PGPDataType"},
+ "SPKIData": {"$ref": "#/definitions/SPKIDataType"},
+ "MgmtData": {"type": "string"}},
+ "additionalProperties": false},
+ "minItems" : 1}},
+ "required": ["KeyProperties"],
+ "additionalProperties": false
+ },
+ "KeyValueType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "KeyValueProperties": {
+ "items": {
+ "type": "object",
+ "properties": {
+ "DSAKeyValue": {"$ref": "#/definitions/DSAKeyValueType"},
+ "RSAKeyValue": {"$ref": "#/definitions/RSAKeyValueType"}},
+
+ "additionalProperties": false}}
+ },
+ "required": ["KeyValueProperties"],
+ "additionalProperties": false
+ },
+ "DSAKeyValueType": {
+ "type": "object",
+ "properties": {
+ "P": {"$ref": "#/definitions/CryptoBinary"},
+ "Q": {"$ref": "#/definitions/CryptoBinary"},
+ "G": {"$ref":
"#/definitions/CryptoBinary"}, + "Y": {"$ref": "#/definitions/CryptoBinary"}, + "J": {"$ref": "#/definitions/CryptoBinary"}, + "Seed": {"$ref": "#/definitions/CryptoBinary"}, + "PgenCounter": {"$ref": "#/definitions/CryptoBinary"} + }, + "required": ["Y"], + "additionalProperties": false + }, + "RSAKeyValueType":{ + "type": "object", + "properties": { + "Modulus": {"$ref": "#/definitions/CryptoBinary"}, + "Exponent": {"$ref": "#/definitions/CryptoBinary"} + }, + "required": ["Modulus","Exponent"], + "additionalProperties": false + }, + "RetrievalMethodType": { + "type": "object", + "properties": { + "URI": {"$ref": "#/definitions/URLtype"}, + "Type": {"$ref": "#/definitions/URLtype"}, + "Transforms": {"$ref": "#/definitions/TransformsType"} + }, + "required": ["URI"], + "additionalProperties": false + }, + "PGPDataType": { + "type": "object", + "properties": { + "value": {"type": "string"}, + "PGPDataProperties": { + "items": { + "type": "object", + "properties": { + "PGPKeyID": {"type": "string"}, + "PGPKeyPacket": {"type": "string"}}, + + "additionalProperties": false}}}, + "required": ["PGPDataProperties"], + "additionalProperties": false + }, + "SPKIDataType": { + "type": "object", + "properties": { + "value": {"type": "string"}, + "SPKISexp": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1} + }, + "required": ["SPKISexp"], + "additionalProperties": false + }, + "ObjectType": { + "type": "object", + "properties": { + "value": {"type": "string"}, + "id": {"$ref": "#/definitions/IDtype"}, + "MimeType": {"type": "string"}, + "Encoding": {"$ref": "#/definitions/URLtype"} + }, + "additionalProperties": false + }, "RecordData": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, - 
"Description": {"type": "array","items": {"type": "string"}}, - "Applicadtion": {"$ref": "#/definitions/SoftwareType"}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, + "Application": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { - "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, + "type": "array", + "items": {"$ref": "#/definitions/RecordPattern"}, + "minItems": 1}, "RecordItem": { - "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, + "type": "array", + "items": {"$ref": "#/definitions/ExtensionType"}, + "minItems": 1}, + "URL": { - "type": "array","items": {"$ref": "#/definitions/URLtype"}}, + "type": "array", + "items": {"$ref": "#/definitions/URLtype"}, + "minItems": 1}, "FileData": { - "type": "array","items": {"$ref": "#/definitions/FileData"}}, + "type": "array", + "items": {"$ref": "#/definitions/FileData"}, + "minItems": 1}, "WindowsRegistryKeysModified": { "type": "array", - "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, + "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, + "minItems": 1}, "CertificateData": { - "type":"array","items":{"$ref":"#/definitions/CertificateData"}}, + "type":"array", + "items":{"$ref":"#/definitions/CertificateData"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], - "additionalProperties": false - }, + "additionalProperties": false}, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, - "type": {"enum": ["regex","binary","xpath","ext-value"]}, + "type": {"enum": ["regex","binary","xpath","ext-value"], + "default": "regex"}, "ext-type": {"type": "string"}, - "offset": {"type": "integer"}, - "offsetunit": {"enum":["line","byte","ext-value"]}, + "offset": {"type": "number"}, + "offsetunit": {"enum":["line","byte","ext-value"] , + "default": "line"}, "ext-offsetunit": {"type": 
"string"}, - "instance": {"type": "integer"}}, - "required": ["type"], + "instance": {"type": "number"}}, + "required": ["value","type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { - "observabile-id": {"$ref": "#/definitions/IDtype"}, - "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, + "observable-id": {"$ref": "#/definitions/IDtype"}, + "Key": { + "type": "array", + "items": {"$ref": "#/definitions/Key"}, + "minItems": 1}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { - "type": "array","items": {"$ref": "#/definitions/Certificate"}}}, + "type": "array", + "items": {"$ref": "#/definitions/Certificate"}, + "minItems": 1}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, - "X509Data": {type: "string"}, - "Description": {"type": "array","items": {"type": "string"}}}, + "X509Data": {"$ref": "#/definitions/X509DataType"}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}}, "required": ["X509Data"], "additionalProperties": false}, + "X509DataType": { + "type": "object", + "properties": { + "X509DataProperties": { + "type": 
"array", + "items": { + "type": "object", + "properties": { + "X509IssuerSerial": + {"$ref": "#/definitions/X509IssuerSerialType"}, + "X509SKI": {"type": "string"}, + "X509SubjectName": {"type": "string"}, + "X509Certificate": {"type": "string"}, + "X509CRL": {"type": "string"}}, + "additionalProperties": false}, + "minItems" : 1}}, + + "required": ["X509DataProperties"], + "additionalProperties": false + }, + "X509IssuerSerialType": { + "type": "object", + "properties": { + "X509IssuerName": {"type": "string"}, + "X509SerialNumber": {"type": "number"} + }, + "required": ["X509IssuerName","X509SerialNumber"], + "additionalProperties": false + }, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, - "File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, + "File": { + "type": "array", + "items": {"$ref": "#/definitions/File"}, + "minItems": 1}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { + "observable-id": {"$ref": "#/definitions/IDtype"}, "FileName": {"type": "string"}, - "FileSize": {"type": "integer"}, + "FileSize": {"type": "number"}, "FileType": {"type": "string"}, - "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, + "URL": { + "type": "array", + "items": {"$ref": "#/definitions/URLtype"}, + "minItems": 1}, "HashData": {"$ref": "#/definitions/HashData"}, - "Signature": {"type": "array","items": {"type": "string"}}, + "Signature": { + "type": "array", + "items": {"$ref": "#/definitions/SignatureType"}, + "minItems": 1}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { - "type":"array","items":{"$ref":"#/definitions/ExtensionType"}}}, + "type":"array", + "items":{"$ref":"#/definitions/ExtensionType"}, + "minItems": 1}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", 
"properties": { - "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", - "file-pe-resource","file-pdf-object","email-hash", - "email-hash-header","email-hash-body"]}, + "scope": {"enum": ["file-contents","file-pe-section", + "file-pe-iat","file-pe-resource","file-pdf-object", + "email-hash","email-hash-header","email-hash-body"]}, "HashTargetID": {"type": "string"}, - "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, + "Hash": { + "type": "array", + "items": {"$ref": "#/definitions/Hash"}, + "minItems": 1}, "FuzzyHash": { - "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, + "type": "array", + "items": {"$ref": "#/definitions/FuzzyHash"}, + "minItems": 1}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { - "DigestMethod": {"type": "string"}, - "DigestValue": {"type": "string"}, - "CanonicalizationMethod": {}, + "DigestMethod": {"$ref": "#/definitions/DigestMethodType"}, + "DigestValue": {"$ref": "#/definitions/DigestValueType"}, + "CanonicalizationMethod": + {"$ref": "#/definitions/CanonicalizationMethodType"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, + "CanonicalizationMethodType": { + "type": "object", + "properties": { + "value": {"type": "string"}, + "Algorithm": {"$ref": "#/definitions/URLtype"} + }, + "required": ["Algorithm"], + "additionalProperties": false + }, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { - "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, + "type": "array", + "items": {"$ref": "#/definitions/ExtensionType"}, + "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + 
"restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", - "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, - "Description": {"type": "array","items": {"type": "string"}}, + "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { - "type": "array","items": {"$ref": "#/definitions/Contact"}}, - + "type": "array", + "items": {"$ref": "#/definitions/Contact"}, + "minItems": 1}, "Observable": {"$ref": "#/definitions/Observable"}, - "uid-ref": {"type": "string"}, - "IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"}, - "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, + "uid-ref": {"$ref": "#/definitions/IDREFType"}, + "IndicatorExpression":{ + "$ref":"#/definitions/IndicatorExpression"}, + "IndicatorReference":{ + "$ref": "#/definitions/IndicatorReference"}, "NodeRole": { - "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, + "type": "array", + "items": {"$ref": "#/definitions/NodeRole"}, + "minItems": 1}, "AttackPhase": { - "type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, + "type": "array", + "items": {"$ref": "#/definitions/AttackPhase"}, + "minItems": 1}, "Reference": { - "type": "array","items": {"$ref": "#/definitions/Reference"}}, + "type": "array", + "items": {"$ref": "#/definitions/Reference"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IndicatorID"], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": 
{"type": "string"}, "version": {"type": "string"}}, - "required": ["name","version"], + + "required": ["id","name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorReference": { "type": "array", - "items": {"$ref": "#/definitions/IndicatorReference"}}}, + "items": {"$ref": "#/definitions/IndicatorReference"}, + "minItems": 1}}, "required": ["IndicatorReference"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { - "restriction": {"$ref": "#/definitions/restriction"}, + "restriction": {"$ref": "#/definitions/restriction", + "default": "private"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, - "RecordData": {"type": "array", - "item": {"$ref": "#/definitions/Record"}}, - + "RecordData": {"$ref": "#/definitions/RecordData"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, 
"required": [], 
@@ -2466,83 +3497,103 @@ "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "mac","site-url","domain-name","domain-to-ipv4", "domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "windows-reg-key","file-hash","email-x-mailer", "email-subject","http-user-agent","http-request-url", "mutex","file-path","user-name","ext-value"]}, "ext-type": {"type": "string"}, - "BulkObservableFormant":{ + "BulkObservableFormat":{ "$ref": "#/definitions/BulkObservableFormat"}, - "BulkObservableList": {"type": "array", "item":{"type": "string"}}, + "BulkObservableList": {"type": "string"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, - "required": [], + "required": ["BulkObservableList"], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { - "operator": {"enum": ["not","and","or","xor"]}, + "operator": {"enum": ["not","and","or","xor"],"default": "and"}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", - "items": {"$ref": "#/definitions/IndicatorExpression"}}, + "items": {"$ref": "#/definitions/IndicatorExpression"}, + "minItems": 1}, "Observable": { - "type": "array","items": {"$ref": "#/definitions/Observable"}}, - "uid-ref": {"type": "string"}, + "type": "array", + "items": {"$ref": "#/definitions/Observable"}, + "minItems": 1}, + "uid-ref": { + "type": "array", + "items": {"$ref": "#/definitions/IDREFType"}, + "minItems": 1}, "IndicatorReference": { "type": "array", - "items": {"$ref": "#/definitions/IndicatorReference"}}, + "items": {"$ref": "#/definitions/IndicatorReference"}, + "minItems": 1}, + "Confidence": {"$ref":"#/definitions/Confidence"}, "AdditionalData": 
{"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { - "uid-ref": {"type": "string"}, + "uid-ref": {"$ref":"#/definitions/IDREFType"}, "euid-ref": {"type": "string"}, "version": {"type": "string"}}, "required": [], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { - "AttackPhaseID": {"type": "array","items": {"type": "string"}}, - "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, - "Description": {"type": "array","items": {"type": "string"}}, + "AttackPhaseID": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1}, + "URL": { + "type": "array", + "items": {"$ref": "#/definitions/URLtype"}, + "minItems": 1}, + "Description": { + "type": "array", + "items": {"oneOf":[{"type": "string"}, + {"$ref": "#/definitions/MLStringType"}]}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { - "type": "array","items": {"$ref": "#/definitions/Incident"}}, + "type": "array", + "items": {"$ref": "#/definitions/Incident"}, + "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} - Figure 4: JSON schema + Figure 9: JSON schema Authors' Addresses Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp
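Review bot: `IndicatorReference` still closes with `"required": []`, so an empty object `{}` validates even after `uid-ref` is tightened to `IDREFType`, and a consumer cannot resolve a reference that carries neither `uid-ref` nor `euid-ref`. RFC 7970 appears to require one of the two to be set (worth confirming against the class definition), and the schema can express that with `"anyOf": [{"required": ["uid-ref"]}, {"required": ["euid-ref"]}]` placed beside `"additionalProperties": false`. The same gap remains in `IndicatorExpression` in this hunk: the added `"minItems": 1` rejects empty arrays, but with `"required": []` an expression holding no `Observable`, `uid-ref`, `IndicatorReference` or nested `IndicatorExpression` is still accepted. The enclosing `definitions` object and the `BulkObservable` definition at the top of the hunk begin outside it.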