draft-ietf-mile-jsoniodef-06.txt   draft-ietf-mile-jsoniodef-07.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: May 7, 2019 CERT Expires: July 6, 2019 CERT
M. Suzuki M. Suzuki
NICT NICT
November 3, 2018 January 2, 2019
CBOR/JSON binding of IODEF CBOR/JSON binding of IODEF
draft-ietf-mile-jsoniodef-06 draft-ietf-mile-jsoniodef-07
Abstract Abstract
RFC7970 specified an information model and a corresponding XML data RFC7970 specified an information model and a corresponding XML data
model for exchanging incident and indicator information. This draft model for exchanging incident and indicator information. This draft
provides an alternative data model implementation in CBOR/JSON. provides an alternative data model implementation in CBOR/JSON.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2019. This Internet-Draft will expire on July 6, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3
2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5
2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5
2.2.2. Software and SoftwareReference . . . . . . . . . . . 6 2.2.2. Software and Software Reference . . . . . . . . . . . 6
2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6 2.2.3. Structured Information . . . . . . . . . . . . . . . 6
2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7
3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7
3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17 3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18
4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20
5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 24 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 25
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 7. Security Considerations . . . . . . . . . . . . . . . . . . . 40
8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 40
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.1. Normative References . . . . . . . . . . . . . . . . . . 43 9.1. Normative References . . . . . . . . . . . . . . . . . . 40
9.2. Informative References . . . . . . . . . . . . . . . . . 43 9.2. Informative References . . . . . . . . . . . . . . . . . 41
Appendix A. Data Types used in this document . . . . . . . . . . 43 Appendix A. Data Types used in this document . . . . . . . . . . 41
Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 44 Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction 1. Introduction
[RFC7970] defines a data representation for security incident reports [RFC7970] defines a data representation for security incident reports
and indicators commonly exchanged by operational security teams. It and indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable facilitates the automated exchange of this information to enable
mitigation and watch-and-warning. Section 3 of [RFC7970] defined an mitigation and watch-and-warning. Section 3 of [RFC7970] defined an
information model using Unified Modeling Language (UML) and a information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in corresponding Extensible Markup Language (XML) schema data model in
Section 8. This UML-based information model and XML-based data model Section 8. This UML-based information model and XML-based data model
skipping to change at page 3, line 16 skipping to change at page 3, line 16
implementers and operators an alternative format to exchange the same implementers and operators an alternative format to exchange the same
information. information.
The normative IODEF JSON data model is found in Section 5. Section 2 The normative IODEF JSON data model is found in Section 5. Section 2
and Section 3 describe the data types and elements of this data and Section 3 describe the data types and elements of this data
model. Section 4 provides examples. model. Section 4 provides examples.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. IODEF Data Types 2. IODEF Data Types
The abstract IODEF JSON implements the abstract data types specified The abstract IODEF JSON implements the abstract data types specified
in Section 2 of [RFC7970]. in Section 2 of [RFC7970].
2.1. Abstract Data Type to JSON Data Type Mapping 2.1. Abstract Data Type to JSON Data Type Mapping
IODEF JSON uses native and derived JSON data types. Figure 1 IODEF JSON uses native and derived JSON data types. Figure 1
describes the mapping between the abstract data types in Section 2 of describes the mapping between the abstract data types in Section 2 of
skipping to change at page 4, line 22 skipping to change at page 4, line 22
| STRING | Section 2.3 | "string" per [jsonschema] | | STRING | Section 2.3 | "string" per [jsonschema] |
| ML_STRING | Section 2.4 | see Section 2.2.1 | | ML_STRING | Section 2.4 | see Section 2.2.1 |
| BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE | Section 2.5.1 | "string" per [jsonschema] |
| BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] |
| HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] |
| HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] |
| ENUM | Section 2.6 | "enum" array per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] |
| DATETIME | Section 2.7 | "string" per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] |
| TIMEZONE | Section 2.8 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] |
| PORTLIST | Section 2.9 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] |
| POSTAL | Section 2.10 | "string" per [jsonschema] | | POSTAL | Section 2.10 | ML_STRING, Section 2.2.1 |
| | | / ML_STRING, Section 2.2.1 |
| PHONE | Section 2.11 | "string" per [jsonschema] | | PHONE | Section 2.11 | "string" per [jsonschema] |
| EMAIL | Section 2.12 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] |
| URL | Section 2.13 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] |
| ID | Section 2.14 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] |
| IDREF | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] |
| SOFTWARE | Section 2.15 | see Section 2.2.2 | | SOFTWARE | Section 2.15 | see Section 2.2.2 |
| STRUCTURED | RFC 7213 | see Section 2.2.3 | | STRUCTUREDINFO | [RFC 7203] | see Section 2.2.3 |
| EXTENSION | Section 2.16 | see Section 2.2.4 | | EXTENSION | Section 2.16 | see Section 2.2.4 |
+-----------------+-------------------+-------------------------------+ +-----------------+-------------------+-------------------------------+
Figure 1: JSON Data Types Figure 1: JSON Data Types
+-----------------+------------------+---------------------------------+ +-----------------+------------------+---------------------------------+
| IODEF Data Type | CBOR Data Type | CDDL prelude | | IODEF Data Type | CBOR Data Type | CDDL prelude |
| | | [draft-ietf-cbor-cddl-05] | | | | [draft-ietf-cbor-cddl-05] |
+-----------------+------------------+---------------------------------+ +-----------------+------------------+---------------------------------+
| INTEGER | 6 tag 2, 6 tag 3 | integer | | INTEGER | 0, 1, 6 tag 2, | integer |
| | 6 tag 3 | |
| REAL | 7 bits 26 | float32 | | REAL | 7 bits 26 | float32 |
| CHARACTER | 3 text string | text | | CHARACTER | 3 | text |
| STRING | 3 text string | text | | STRING | 3 | text |
| ML_STRING | 5 map | Maps/Structs (Section 3.5.1) | | ML_STRING | 5 | Maps/Structs (Section 3.5.1) |
| BYTE | 6 tag 22 | eb64legacy | | BYTE | 6 tag 22 | eb64legacy |
| BYTE[] | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy |
| HEXBIN | 2 byte string | bytes | | HEXBIN | 2 | bytes |
| HEXBIN[] | 2 byte string | bytes | | HEXBIN[] | 2 | bytes |
| ENUM | - | Choices (Section 2.2.2) | | ENUM | - | Choices (Section 2.2.2) |
| DATETIME | 6 tag 0 | tdate | | DATETIME | 6 tag 0 | tdate |
| TIMEZONE | 3 text string | text | | TIMEZONE | 3 | text |
| PORTLIST | 3 text string | text | | PORTLIST | 3 | text |
| POSTAL | 3 text string | text | | POSTAL | 3 | ML_STRING (Section 2.2.1) |
| | | or Maps/Structs(Section 3.5.1) | | PHONE | 3 | text |
| PHONE | 3 text string | text | | EMAIL | 3 | text |
| EMAIL | 3 text string | text |
| URL | 6 tag 32 | uri | | URL | 6 tag 32 | uri |
| ID | 3 text string | text | | ID | 3 | text |
| IDREF | 3 text string | text | | IDREF | 3 | text |
| SOFTWARE | 5 map | Maps/Structs (Section 3.5.1) | | SOFTWARE | 5 | Maps/Structs (Section 3.5.1) |
| STRUCTURED | 5 map | Maps/Structs (Section 3.5.1) | | STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1) |
| EXTENSION | 5 map | Maps/Structs (Section 3.5.1) | | EXTENSION | 5 | Maps/Structs (Section 3.5.1) |
+-----------------+------------------+---------------------------------+ +-----------------+------------------+---------------------------------+
Figure 2: CBOR Data Types Figure 2: CBOR Data Types
2.2. Complex JSON Types 2.2. Complex JSON Types
2.2.1. Multilingual Strings 2.2.1. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in different from the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id" implemented as either an object with "value", "lang", and
elements as defined in Section 5. Examples are shown below. "translation-id" elements or a text string as defined in Section 5.
Examples are shown below.
"MLStringType": { "MLStringType": {
"value": "free-form text", //STRING "value": "free-form text", //STRING
"lang": "en", //ENUM "lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING "translation-id": "jp2en0023" //STRING
} }
2.2.2. Software and SoftwareReference 2.2.2. Software and Software Reference
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", and type is implemented as an object with "SoftwareReference", "URL", and
"Description" elements as defined in Section 5. Examples are shown "Description" elements as defined in Section 5. Examples are shown
below. below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference "SoftwareReference": {...}, //SoftwareReference
"Description": ["MS Windows"] //STRING "Description": ["MS Windows"] //STRING
} }
SoftwareReference class is a reference to a particular version of SoftwareReference class is a reference to a particular version of
software. Examples are shown below. software. Examples are shown below.
"SoftwareReference": { "SoftwareReference": {
"value": "cpe:/a:google:chrome:59.0.3071.115 ", //STRING "value": "cpe:/a:google:chrome:59.0.3071.115 ", //STRING
"spec-name": "cpe", //ENUM "spec-name": "cpe", //ENUM
"dtype": "string", //ENUM "dtype": "string" //ENUM
} }
2.2.3. StructuredInfo 2.2.3. Structured Information
Information provided in a form of structured string, such as ID, or Information provided in a form of structured string, such as ID, or
structured information, such as XML documents, is represented in the structured information, such as XML documents, is represented in the
information model by the StructuredInfo data type. Note that this information model by the STRUCTUREDINFO data type. Note that this
type was originally specified in RFC7203. The StructuredInfo data type was originally specified in [RFC7203]. The STRUCTUREDINFO data
type is implemented as an object with "SpecID", "ext-SpecID", type is implemented as an object with "SpecID", "ext-SpecID",
"ContentID", "RawData", "Reference" elements. An example for "ContentID", "dtype", "RawData", "Reference" elements. An example
embedding a structured ID is shown below. for embedding a structured ID is shown below.
"StructuredInformation": { "StructuredInfo": {
"SpecID": "cve", //ENUM "SpecID": "cve", //ENUM
"ContentID": "CVE-2007-5000" //STRING "ContentID": "CVE-2007-5000" //STRING
} }
When embedding the raw data, base64 conversion should be used for When embedding the raw data, base64 conversion should be used for
encoding the data, as shown below. encoding the data, as shown below.
"StructuredInformation": { "StructuredInfo": {
"SpecID": "oval", //ENUM "SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>" //BYTE "RawData": "<<<strings encoded with base64>>>" //BYTE
} }
2.2.4. EXTENSION 2.2.4. EXTENSION
Information not otherwise represented in the IODEF can be added using Information not otherwise represented in the IODEF can be added using
the EXTENSION data type. This data type is a generic extension the EXTENSION data type. This data type is a generic extension
mechanism. The EXTENSION data type is implemented as an mechanism. The EXTENSION data type is implemented as an
ExtensionType object with "value", "name", "dtype", "ext-dtype", ExtensionType object with "value", "name", "dtype", "ext-dtype",
"meaning", "formatid", "restriction", "ext-restriction", and "meaning", "formatid", "restriction", "ext-restriction", and
"observable-id" elements. An example for embedding a structured ID "observable-id" elements. An example for embedding a structured ID
is shown below. is shown below.
"ExtensionType": { "ExtensionType": {
"value": "xxxxxxx", //String "value": "xxxxxxx", //STRING
"name": "Syslog", //String "name": "Syslog", //STRING
"dtype": "string", //String "dtype": "string", //ENUM
"meaning": "Syslog from the security appliance X", //String "meaning": "Syslog from the security appliance X" //STRING
} }
3. IODEF JSON Data Model 3. IODEF JSON Data Model
3.1. Classes and Elements 3.1. Classes and Elements
The following table shows the list of IODEF Classes, their elements, The following table shows the list of IODEF Classes, their elements,
and the corresponding section in [RFC7970]. Note that the complete and the corresponding section in [RFC7970]. Note that the complete
JSON schema is defined in Section 5 usind CDDL. JSON schema is defined in Section 5 usind CDDL.
skipping to change at page 12, line 12 skipping to change at page 12, line 12
| | Expectation* | | | | Expectation* | |
| | RecordData* | | | | RecordData* | |
| | EventData* | | | | EventData* | |
| | AdditionalData* | 3.14 | | | AdditionalData* | 3.14 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Expectation | action? | | | Expectation | action? | |
| | ext-action? | | | | ext-action? | |
| | severity? | | | | severity? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | |
| | Description* | | | | Description* | |
| | DefinedCOA* | | | | DefinedCOA* | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | Contact? | 3.15 | | | Contact? | 3.15 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| System | category? | | | System | category? | |
| | ext-category? | | | | ext-category? | |
| | interface? | | | | interface? | |
| | spoofed? | | | | spoofed? | |
skipping to change at page 12, line 34 skipping to change at page 12, line 35
| | ext-ownership? | | | | ext-ownership? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Node | | | | Node | |
| | NodeRole* | | | | NodeRole* | |
| | Service* | | | | Service* | |
| | OperatingSystem* | | | | OperatingSystem* | |
| | Counter* | | | | Counter* | |
| | AssetID* | | | | AssetID* | |
| | Description* | | | | Description* | |
| | AdditionalData* | 3.16 | | | AdditionalData* | 3.17 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Node | DomainData* | | | Node | DomainData* | |
| | Address* | | | | Address* | |
| | PostalAddress? | | | | PostalAddress? | |
| | Location* | | | | Location* | |
| | Counter* | 3.17 | | | Counter* | 3.18 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Address | value | | | Address | value | |
| | category | | | | category | |
| | ext-category? | | | | ext-category? | |
| | vlan-name? | | | | vlan-name? | |
| | vlan-num? | | | | vlan-num? | |
| | observable-id? | 3.17.1 | | | observable-id? | 3.18.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| NodeRole | category | | | NodeRole | category | |
| | ext-category? | | | | ext-category? | |
| | Description* | 3.17.2 | | | Description* | 3.18.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Counter | value | | | Counter | value | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | unit | | | | unit | |
| | ext-unit? | | | | ext-unit? | |
| | meaning? | | | | meaning? | |
| | duration? | | | | duration? | |
| | ext-duration? | 3.17.3 | | | ext-duration? | 3.18.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DomainData | system-status | | | DomainData | system-status | |
| | ext-system-status? | | | | ext-system-status? | |
| | domain-status | | | | domain-status | |
| | ext-domain-status? | | | | ext-domain-status? | |
| | observable-id? | | | | observable-id? | |
| | Name | | | | Name | |
| | DateDomainWasChecked?| | | | DateDomainWasChecked?| |
| | RegistrationDate? | | | | RegistrationDate? | |
| | ExpirationDate? | | | | ExpirationDate? | |
| | RelatedDNS* | | | | RelatedDNS* | |
| | Nameservers* | | | | Nameservers* | |
| | DomainContacts? | 3.18 | | | DomainContacts? | 3.19 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Nameserver | Server | | | Nameserver | Server | |
| | Address* | 3.18.1 | | | Address* | 3.19.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DomainContacts | SameDomainContact? | | | DomainContacts | SameDomainContact? | |
| | Contact+ | 3.18.2 | | | Contact+ | 3.19.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Service | ip-protocol? | | | Service | ip-protocol? | |
| | observable-id? | | | | observable-id? | |
| | ServiceName? | | | | ServiceName? | |
| | Port? | | | | Port? | |
| | Portlist? | | | | Portlist? | |
| | ProtoCode? | | | | ProtoCode? | |
| | ProtoType? | | | | ProtoType? | |
| | ProtoField? | | | | ProtoField? | |
| | ApplicationHeaderField*| | | | ApplicationHeaderField*| |
| | EmailData? | | | | EmailData? | |
| | Application? | 3.19 | | | Application? | 3.20 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| ServiceName | IANAService? | | | ServiceName | IANAService? | |
| | URL* | | | | URL* | |
| | Description* | 3.19.1 | | | Description* | 3.20.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| EmailData | observable-id? | | | EmailData | observable-id? | |
| | EmailTo* | | | | EmailTo* | |
| | EmailFrom? | | | | EmailFrom? | |
| | EmailSubject? | | | | EmailSubject? | |
| | EmailX-Mailer? | | | | EmailX-Mailer? | |
| | EmailHeaderField* | | | | EmailHeaderField* | |
| | EmailHeaders? | | | | EmailHeaders? | |
| | EmailBody? | | | | EmailBody? | |
| | EmailMessage? | | | | EmailMessage? | |
| | HashData* | | | | HashData* | |
| | Signature* | 3.19.2 | | | Signature* | 3.21 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RecordData | restriction? | | | RecordData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | DateTime? | | | | DateTime? | |
| | Description* | | | | Description* | |
| | Application? | | | | Application? | |
| | RecordPattern* | | | | RecordPattern* | |
| | RecordItem* | | | | RecordItem* | |
| | URL* | | | | URL* | |
| | FileData* | | | | FileData* | |
| | WindowsRegistryKeysModified*| | | | WindowsRegistryKeysModified*| |
| | CertificateData* | | | | CertificateData* | |
| | AdditionalData* | 3.19.3 | | | AdditionalData* | 3.22.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RecordPattern | type | | | RecordPattern | type | |
| | ext-type? | | | | ext-type? | |
| | offset? | | | | offset? | |
| | offsetunit? | | | | offsetunit? | |
| | ext-offsetunit? | | | | ext-offsetunit? | |
| | instance? | | | | instance? | |
| | value | 3.19.4 | | | value | 3.22.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| WindowsRegistryKeysModified | observable-id? | 3.20 | | WindowsRegistryKeysModified | observable-id? | 3.23 |
| | Key+ | | | | Key+ | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Key | registryaction? | | | Key | registryaction? | |
| | ext-registryaction?| | | | ext-registryaction?| |
| | observable-id? | | | | observable-id? | |
| | KeyName | | | | KeyName | |
| | KeyValue? | 3.20.1 | | | KeyValue? | 3.23.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| CertificateData | restriction? | | | CertificateData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | Certificate+ | 3.21 | | | Certificate+ | 3.24 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Certificate | observable-id? | | | Certificate | observable-id? | |
| | X509Data | | | | X509Data | |
| | Description* | 3.21.1 | | | Description* | 3.24.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| FileData | restriction? | | | FileData | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | File+ | 3.22 | | | File+ | 3.25 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| File | observable-id? | | | File | observable-id? | |
| | FileName? | | | | FileName? | |
| | FileSize? | | | | FileSize? | |
| | FileType? | | | | FileType? | |
| | URL* | | | | URL* | |
| | HashData? | | | | HashData? | |
| | Signature* | | | | Signature* | |
| | AssociatedSoftware?| | | | AssociatedSoftware?| |
| | FileProperties* | 3.22.1 | | | FileProperties* | 3.25.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| HashData | scope | | | HashData | scope | |
| | HashTargetID? | | | | HashTargetID? | |
| | Hash* | | | | Hash* | |
| | FuzzyHash* | 3.23 | | | FuzzyHash* | 3.26 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Hash | DigestMethod | | | Hash | DigestMethod | |
| | DigestValue | | | | DigestValue | |
| | CanonicalizationMethod?| | | | CanonicalizationMethod?| |
| | Application? | 3.23.1 | | | Application? | 3.26.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| FuzzyHash | FuzzyHashValue+ | | | FuzzyHash | FuzzyHashValue+ | |
| | Application? | | | | Application? | |
| | AdditionalData* | 3.23.2 | | | AdditionalData* | 3.26.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Indicator | restriction? | | | Indicator | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | IndicatorID | | | | IndicatorID | |
| | AlternativeIndicatorID*| | | | AlternativeIndicatorID*| |
| | Description* | | | | Description* | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | Confidence? | | | | Confidence? | |
| | Contact* | | | | Contact* | |
| | Observable? | | | | Observable? | |
| | uid-ref? | | | | uid-ref? | |
| | IndicatorExpression?| | | | IndicatorExpression?| |
| | IndicatorReference?| | | | IndicatorReference?| |
| | NodeRole* | | | | NodeRole* | |
| | AttackPhase* | | | | AttackPhase* | |
| | Reference* | | | | Reference* | |
| | AdditionalData* | 3.24 | | | AdditionalData* | 3.29 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IndicatorID | id | | | IndicatorID | id | |
| | name | | | | name | |
| | version | 3.24.1 | | | version | 3.29.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| AlternativeIndicatorID | restriction? | | | AlternativeIndicatorID | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | IndicatorReference+| 3.24.2 | | | IndicatorID+ | 3.29.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Observable | restriction? | | | Observable | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | System? | | | | System? | |
| | Address? | | | | Address? | |
| | DomainData? | | | | DomainData? | |
| | Service? | | | | Service? | |
| | EmailData? | | | | EmailData? | |
| | WindowsRegistryKeysModified?| | | | WindowsRegistryKeysModified?| |
| | FileData? | | | | FileData? | |
skipping to change at page 16, line 32 skipping to change at page 16, line 33
| | RegistryHandle? | | | | RegistryHandle? | |
| | RecordData? | | | | RecordData? | |
| | EventData? | | | | EventData? | |
| | Incident? | | | | Incident? | |
| | Expectation? | | | | Expectation? | |
| | Reference? | | | | Reference? | |
| | Assessment? | | | | Assessment? | |
| | DetectionPattern? | | | | DetectionPattern? | |
| | HistoryItem? | | | | HistoryItem? | |
| | BulkObservable? | | | | BulkObservable? | |
| | AdditionalData* | 3.24.3 | | | AdditionalData* | 3.29.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| BulkObservable | type? | | | BulkObservable | type? | |
| | ext-type? | | | | ext-type? | |
| | BulkObservableFormat?| | | | BulkObservableFormat?| |
| | BulkObservableList | | | | BulkObservableList | |
| | AdditionalData* | 3.24.4 | | | AdditionalData* | 3.29.4 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| BulkObservableFormat | Hash? | | | BulkObservableFormat | Hash? | |
| | AdditionalData* | 3.24.5 | | | AdditionalData* | 3.29.5 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IndicatorExpression | operator? | | | IndicatorExpression | operator? | |
| | ext-operator? | | | | ext-operator? | |
| | IndicatorExpression*| | | | IndicatorExpression*| |
| | Observable* | | | | Observable* | |
| | uid-ref* | | | | uid-ref* | |
| | IndicatorReference*| | | | IndicatorReference*| |
| | Confidence? | | | | Confidence? | |
| | AdditionalData* | 3.24.6 | | | AdditionalData* | 3.29.6 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IndicatorReference | uid-ref? | | | IndicatorReference | uid-ref? | |
| | euid-ref? | | | | euid-ref? | |
| | version? | 3.24.7 | | | version? | 3.29.7 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| AttackPhase | AttackPhaseID* | | | AttackPhase | AttackPhaseID* | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | AdditionalData* | 3.24.8 | | | AdditionalData* | 3.29.8 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
IODEF Classes Figure 3: IODEF Classes
3.2. Mapping between CBOR/JSON and XML IODEF 3.2. Mapping between CBOR/JSON and XML IODEF
o This document treats attributes and elements of each class defined o This document treats attributes and elements of each class defined
in [RFC7970] equally and is agnostic on the order of their in [RFC7970] equally and is agnostic on the order of their
appearances. appearances.
o Flow class is deleted, and classes with its instances now directly o Flow class is deleted, and classes with its instances now directly
have instances of EventData class that used to belong to the Flow have instances of EventData class that used to belong to the Flow
classs. classs.
skipping to change at page 17, line 48 skipping to change at page 17, line 49
o ObservableReference class is deleted, and classes with its o ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element. instances now directly have uid-ref as an element.
o Record class is replaced by RecordData class, and RecordData class o Record class is replaced by RecordData class, and RecordData class
is renamed to Record class. is renamed to Record class.
o Record class is deleted, and classes with its instances now o Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to directly have the instances of RecordData class that used to
belong to the Record class. belong to the Record class.
o The MLStringType were modified to support simple string by
allowing the type to have not only a predefined object type but
also text type, in order to allow simple descriptions of elements
of the type.
o The elements of ML_STRING type in XML IODEF document are presented o The elements of ML_STRING type in XML IODEF document are presented
as either STRING type or ML_STRING type in CBOR/JSON IODEF as either STRING type or ML_STRING type in CBOR/JSON IODEF
document. document.
o The order of appearances of class elements were ignored in CBOR/ o Data models of the extension classes defined by [RFC7203] and
JSON version. referenced by [RFC7970] are represented by StructuredInfo class
defined in this document.
o Signature, X509Data, and RawData are encoded with base64 and are
reprensetend as string (BYTE type) in CBOR/JSON IODEF documents.
4. Examples 4. Examples
This section provides example of IODEF documents. These examples do This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the the only not represent the full capabilities of the data model or the only way
way to encode particular information. to encode particular information.
4.1. Minimal Example 4.1. Minimal Example
A document containing only the mandatory elements and attributes is A document containing only the mandatory elements and attributes is
shown below in JSON and CBOR, respectively. shown below in JSON and CBOR, respectively.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
skipping to change at page 18, line 38 skipping to change at page 18, line 48
}, },
"GenerationTime": "2015-07-18T09:00:00-05:00", "GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [{ "Contact": [{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"Email": [{"EmailTo": "contact@csirt.example.com"}] "Email": [{"EmailTo": "contact@csirt.example.com"}]
}] }]
}] }]
} }
Figure 3: A Minimal Example in JSON Figure 4: A Minimal Example in JSON
A3 # map(3) A3 # map(3)
67 # text(7) 67 # text(7)
76657273696F6E # "version" 76657273696F6E # "version"
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
64 # text(4) 64 # text(4)
6C616E67 # "lang" 6C616E67 # "lang"
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
skipping to change at page 20, line 5 skipping to change at page 20, line 15
65 # text(5) 65 # text(5)
456D61696C # "Email" 456D61696C # "Email"
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
67 # text(7) 67 # text(7)
456D61696C546F # "EmailTo" 456D61696C546F # "EmailTo"
78 19 # text(25) 78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D 636F6E746163744063736972742E6578616D706C652E636F6D
# "contact@csirt.example.com" # "contact@csirt.example.com"
Figure 4: A Minimal Example in CBOR Figure 5: A Minimal Example in CBOR
4.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign is shwon below in JSON An example of C2 domains from a given campaign is shwon below in JSON
and CBOR, respectively. and CBOR, respectively.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
skipping to change at page 21, line 13 skipping to change at page 21, line 24
"StartTime": "2014-12-02T11:18:00-05:00", "StartTime": "2014-12-02T11:18:00-05:00",
"Observable": { "Observable": {
"BulkObservable": { "BulkObservable": {
"type": "ipv6-addr", "type": "ipv6-addr",
"BulkObservableList": "kj290023j09r34.example.com"} "BulkObservableList": "kj290023j09r34.example.com"}
} }
}] }]
}] }]
} }
Figure 5: Indicators from a Campaign in JSON Figure 6: Indicators from a Campaign in JSON
A3 # map(3) A3 # map(3)
67 # text(7) 67 # text(7)
76657273696F6E # "version" 76657273696F6E # "version"
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
64 # text(4) 64 # text(4)
6C616E67 # "lang" 6C616E67 # "lang"
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
skipping to change at page 24, line 44 skipping to change at page 25, line 7
74797065 # "type" 74797065 # "type"
69 # text(9) 69 # text(9)
697076362D61646472 # "ipv6-addr" 697076362D61646472 # "ipv6-addr"
72 # text(18) 72 # text(18)
42756C6B4F627365727661626C654C697374 42756C6B4F627365727661626C654C697374
# "BulkObservableList" # "BulkObservableList"
78 1A # text(26) 78 1A # text(26)
6B6A3239303032336A30397233342E6578616D706C652E636F6D 6B6A3239303032336A30397233342E6578616D706C652E636F6D
# "kj290023j09r34.example.com" # "kj290023j09r34.example.com"
Figure 6: Indicators from a Campaign in CBOR Figure 7: Indicators from a Campaign in CBOR
5. The IODEF Data Model (CDDL) 5. The IODEF Data Model (CDDL)
start = iodef start = iodef
;;; iodef.json: IODEF-Document ;;; iodef.json: IODEF-Document
iodef = { iodef = {
version: text version: text
? lang: lang ? lang: lang
? format-id: text ? format-id: text
? private-enum-name: text ? private-enum-name: text
? private-enum-id: text ? private-enum-id: text
Incident: [+ Incident] Incident: [+ Incident]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
skipping to change at page 25, line 38 skipping to change at page 25, line 49
"contact-sender" / "investigate" / "block-host" / "contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" / "block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" / "honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" / "harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" / "status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value" "defined-coa" / "other" / "ext-value"
DATETIME = tdate DATETIME = tdate
BYTE = eb64legacy
MLStringType = { MLStringType = {
value: text value: text
? lang: lang ? lang: lang
? translation-id: text ? translation-id: text
} } / text
PositiveFloatType = float32 .gt 0 PositiveFloatType = float32 .gt 0
PAddressType = MLStringType PAddressType = MLStringType
ExtensionType = { ExtensionType = {
? ssvalue: text value: text
? name: text ? name: text
dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" / "ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
.default "string" .default "string"
? ext-dtype: text ? ext-dtype: text
? meaning: text ? meaning: text
? formatid: text ? formatid: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
} }
SoftwareType = { SoftwareType = {
? SoftwareReference: SoftwareReference ? SoftwareReference: SoftwareReference
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
SoftwareReference = { SoftwareReference = {
? value: text ? value: text
spec-name: "custom" / "cpe" / "swid" / "ext-value" spec-name: "custom" / "cpe" / "swid" / "ext-value"
? ext-spec-name: text ? ext-spec-name: text
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
.default "string" .default "string"
? ext-dtype: text ? ext-dtype: text
} }
skipping to change at page 26, line 51 skipping to change at page 27, line 16
? observable-id: IDtype ? observable-id: IDtype
IncidentID: IncidentID IncidentID: IncidentID
? AlternativeID: AlternativeID ? AlternativeID: AlternativeID
? RelatedActivity: [+ RelatedActivity] ? RelatedActivity: [+ RelatedActivity]
? DetectTime: DATETIME ? DetectTime: DATETIME
? StartTime: DATETIME ? StartTime: DATETIME
? EndTime: DATETIME ? EndTime: DATETIME
? RecoveryTime: DATETIME ? RecoveryTime: DATETIME
? ReportTime: DATETIME ? ReportTime: DATETIME
GenerationTime: DATETIME GenerationTime: DATETIME
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: [+ Assessment] ? Assessment: [+ Assessment]
? Method: [+ Method] ? Method: [+ Method]
Contact: [+ Contact] Contact: [+ Contact]
? EventData: [+ EventData] ? EventData: [+ EventData]
? Indicator: [+ Indicator] ? Indicator: [+ Indicator]
? History: History ? History: History
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
skipping to change at page 27, line 39 skipping to change at page 28, line 4
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? IncidentID: [+ IncidentID] ? IncidentID: [+ IncidentID]
? URL: [+ URLtype] ? URL: [+ URLtype]
? ThreatActor: [+ ThreatActor] ? ThreatActor: [+ ThreatActor]
? Campaign: [+ Campaign] ? Campaign: [+ Campaign]
? IndicatorID: [+ IndicatorID] ? IndicatorID: [+ IndicatorID]
? Confidence: Confidence ? Confidence: Confidence
? Description: [+ text] ? Description: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
ThreatActor = { ThreatActor = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? ThreatActorID: [+ text] ? ThreatActorID: [+ text]
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Campaign = { Campaign = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? CampaignID: [+ text] ? CampaignID: [+ text]
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Contact = { Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" / "vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value" "ext-value"
? ext-role: text ? ext-role: text
type: "person" / "organization" / "ext-value" type: "person" / "organization" / "ext-value"
? ext-type: text ? ext-type: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? ContactName: [+ text / MLStringType] ? ContactName: [+ MLStringType]
? ContactTitle: [+ text / MLStringType] ? ContactTitle: [+ MLStringType]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? RegistryHandle: [+ RegistryHandle] ? RegistryHandle: [+ RegistryHandle]
? PostalAddress: [+ PostalAddress] ? PostalAddress: [+ PostalAddress]
? Email: [+ Email] ? Email: [+ Email]
? Telephone: [+ Telephone] ? Telephone: [+ Telephone]
? Timezone: TimeZonetype ? Timezone: TimeZonetype
? Contact: [+ Contact] ? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
skipping to change at page 28, line 39 skipping to change at page 29, line 4
? Contact: [+ Contact] ? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
handle: text handle: text
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
"afrinic" / "local" / "ext-value" "afrinic" / "local" / "ext-value"
? ext-registry: text ? ext-registry: text
} }
PostalAddress = { PostalAddress = {
? type: text ? type: "street" / "mailing" / "ext-value"
? ext-type: text ? ext-type: text
PAddress: PAddressType PAddress: PAddressType
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
Email = { Email = {
? type: "direct" / "hotline" / "ext-value" ? type: "direct" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
EmailTo: text EmailTo: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
Telephone = { Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
TelephoneNumber: text TelephoneNumber: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
Discovery = { Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" / "incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investigation" / "audit" / "network-flow" / "passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" / "internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value" "leo" / "partner" / "actor" / "unknown" / "ext-value"
? ext-source: text ? ext-source: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? Contact: [+ Contact] ? Contact: [+ Contact]
? DetectionPattern: [+ DetectionPattern] ? DetectionPattern: [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
(Description: [+ MLStringType] // DetectionConfiguration: [+ text])
Application: SoftwareType Application: SoftwareType
? Description: [+ text / MLStringType]
? DetectionConfiguration: [+ text]
} }
Method = { Method = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? Reference: [+ Reference] ? Reference: [+ Reference]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? AttackPattern: [+ StructuredInformation] ? AttackPattern: [+ StructuredInfo]
? Vulnerability: [+ StructuredInformation] ? Vulnerability: [+ StructuredInfo]
? Weakness: [+ StructuredInformation] ? Weakness: [+ StructuredInfo]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
StructuredInformation = { StructuredInfo = {
SpecID: SpecID SpecID: SpecID
? ext-SpecID: text ? ext-SpecID: text
? ContentID: text ? ContentID: text
? RawData: [+ ExtensionType] ? (RawData: [+ BYTE] // Reference:[+ Reference])
? Reference:[+ Reference]
? Platform:[+ Platform] ? Platform:[+ Platform]
? Scoring:[+ Scoring] ? Scoring:[+ Scoring]
} }
Platform = { Platform = {
SpecID: SpecID SpecID: SpecID
? ext-SpecID: text ? ext-SpecID: text
? ContentID: text ? ContentID: text
? RawData: [+ ExtensionType] ? RawData: [+ BYTE]
? Reference: [+ Reference] ? Reference: [+ Reference]
} }
Scoring = { Scoring = {
SpecID: SpecID SpecID: SpecID
? ext-SpecID: text ? ext-SpecID: text
? ContentID: text ? ContentID: text
? RawData: [+ ExtensionType] ? RawData: [+ BYTE]
? Reference: [+ Reference] ? Reference: [+ Reference]
} }
Reference = { Reference = {
? observable-id: IDtype ? observable-id: IDtype
? ReferenceName: ReferenceName ? ReferenceName: ReferenceName
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
ReferenceName = { ReferenceName = {
specIndex: integer specIndex: integer
ID: IDtype ID: IDtype
} }
Assessment = { Assessment = {
? occurrence: "actual" / "potential" ? occurrence: "actual" / "potential"
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? IncidentCategory: [+ text / MLStringType] ? IncidentCategory: [+ MLStringType]
Impact: [+ {SystemImpact: SystemImpact} / Impact: [+ {SystemImpact: SystemImpact} /
{BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} / {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
{MonetaryImpact: MonetaryImpact} / {MonetaryImpact: MonetaryImpact} /
{IntendedImpact: BusinessImpact}] {IntendedImpact: BusinessImpact}]
? Counter: [+ Counter] ? Counter: [+ Counter]
? MitigatingFactor: [+ text / MLStringType] ? MitigatingFactor: [+ MLStringType]
? Cause: [+ text / MLStringType] ? Cause: [+ MLStringType]
? Confidence: Confidence ? Confidence: Confidence
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
SystemImpact = { SystemImpact = {
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? completion: "failed" / "succeeded" ? completion: "failed" / "succeeded"
type: "takeover-account" / "takeover-service" / "takeover-system" / type: "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" / "cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" / "availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" / "availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-proprietary" / "breach-privacy" / "breach-credential" /
"breach-configuration" / "integrity-data" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection"/"monitoring-traffic"/"monitoring-host"/ "traffic-redirection" / "monitoring-traffic" / "monitoring-host"/
"policy" / "unknown" / "ext-value" .default "unknown" "policy" / "unknown" / "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
BusinessImpact = { BusinessImpact = {
? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value" ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value"
.default "unknown" .default "unknown"
? ext-severity: text ? ext-severity: text
type: "breach-proprietary" / "breach-privacy" / "breach-credential" / type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" / "loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" / "theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" / "asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" .default "unknown" "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
TimeImpact = { TimeImpact = {
value: PositiveFloatType value: PositiveFloatType
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
metric: "labor" / "elapsed" / "downtime" / "ext-value" metric: "labor" / "elapsed" / "downtime" / "ext-value"
? ext-metric: text ? ext-metric: text
? duration: duration .default "hour" ? duration: duration .default "hour"
? ext-duration: text ? ext-duration: text
} }
skipping to change at page 32, line 19 skipping to change at page 32, line 31
HistoryItem = { HistoryItem = {
action: action .default "other" action: action .default "other"
? ext-action: text ? ext-action: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
DateTime: DATETIME DateTime: DATETIME
? IncidentID: IncidentID ? IncidentID: IncidentID
? Contact: Contact ? Contact: Contact
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
EventData = { EventData = {
? restriction: restriction .default "default" ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? DetectTime: DATETIME ? DetectTime: DATETIME
? StartTime: DATETIME ? StartTime: DATETIME
? EndTime: DATETIME ? EndTime: DATETIME
? RecoveryTime: DATETIME ? RecoveryTime: DATETIME
? ReportTime: DATETIME ? ReportTime: DATETIME
? Contact: [+ Contact] ? Contact: [+ Contact]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: Assessment ? Assessment: Assessment
? Method: [+ Method] ? Method: [+ Method]
? System: [+ System] ? System: [+ System]
skipping to change at page 33, line 4 skipping to change at page 33, line 16
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Expectation = { Expectation = {
? action: action .default "other" ? action: action .default "other"
? ext-action: text ? ext-action: text
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? restriction: restriction .default "default" ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? StartTime: DATETIME ? StartTime: DATETIME
? EndTime: DATETIME ? EndTime: DATETIME
? Contact: Contact ? Contact: Contact
} }
System = { System = {
? category: "source" / "target" / "intermediate" / "sensor" / ? category: "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value" "infrastructure" / "ext-value"
? ext-category: text ? ext-category: text
skipping to change at page 33, line 30 skipping to change at page 33, line 42
? ext-ownership: text ? ext-ownership: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Node: Node Node: Node
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? Service: [+ Service] ? Service: [+ Service]
? OperatingSystem: [+ SoftwareType] ? OperatingSystem: [+ SoftwareType]
? Counter: [+ Counter] ? Counter: [+ Counter]
? AssetID: [+ text] ? AssetID: [+ text]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Node = { Node = {
( DomainData:[+ DomainData] (DomainData:[+ DomainData]
? Address:[+ Address]) / ? Address:[+ Address] //
(? DomainData:[+ DomainData] ? DomainData:[+ DomainData]
+ Address:[+ Address]) Address:[+ Address])
? PostalAddress: PostalAddress ? PostalAddress: PostalAddress
? Location: [+ text / MLStringType] ? Location: [+ MLStringType]
? Counter: [+ Counter] ? Counter: [+ Counter]
} }
Address = { Address = {
value: text value: text
category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
"ext-value" .default "ipv6-addr" "ext-value" .default "ipv6-addr"
? ext-category: text ? ext-category: text
? vlan-name: text ? vlan-name: text
? vlan-num: integer ? vlan-num: integer
? observable-id: IDtype ? observable-id: IDtype
} }
NodeRole = { NodeRole = {
category: "client" / "client-enterprise" / "clent-partner" / category: "client" / "client-enterprise" / "client-partner" /
"client-remote" / "client-kiosk" / "client-mobile" / "client-remote" / "client-kiosk" / "client-mobile" /
"server-internal" / "server-public" / "www" / "mail" / "server-internal" / "server-public" / "www" / "mail" /
"webmail" / "messaging" / "streaming" / "voice" / "file" / "webmail" / "messaging" / "streaming" / "voice" / "file" /
"ftp" / "p2p" / "name" / "directory" / "credential" / "ftp" / "p2p" / "name" / "directory" / "credential" /
"print" / "application" / "database" / "backup" / "dhcp" / "print" / "application" / "database" / "backup" / "dhcp" /
"assessment" / "source-control" / "config-management" / "assessment" / "source-control" / "config-management" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" / "monitoring" / "infra" / "infra-firewall" / "infra-router" /
"infra-switch" / "camera" / "proxy" / "remote-access" / "infra-switch" / "camera" / "proxy" / "remote-access" /
"log" / "virtualization" / "pos" / "scada" / "log" / "virtualization" / "pos" / "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" / "scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" / "anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hot-point" / "reflector" / "drop-server" / "hop-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" / "phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value" "fraudulent-site" / "ext-value"
? ext-category: text ? ext-category: text
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
Counter = { Counter = {
value: float32 value: float32
type: "count" / "peak" / "average" / "ext-value" type: "count" / "peak" / "average" / "ext-value"
? ext-type: text ? ext-type: text
unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" / "message" / "event" / "host" / "site" / "organization" /
"ext-value" "ext-value"
? ext-unit: text ? ext-unit: text
skipping to change at page 35, line 18 skipping to change at page 35, line 29
? NameServers: [+ NameServers] ? NameServers: [+ NameServers]
? DomainContacts: DomainContacts ? DomainContacts: DomainContacts
} }
NameServers = { NameServers = {
Server: text Server: text
Address: [+ Address] Address: [+ Address]
} }
DomainContacts = { DomainContacts = {
? SameDomainContact: text (SameDomainContact: text // Contact: [+ Contact])
Contact: [+ Contact]
} }
Service = { Service = {
? ip-protocol: integer ? ip-protocol: integer
? observable-id: IDtype ? observable-id: IDtype
? ServiceName: ServiceName ? ServiceName: ServiceName
? Port: integer ? Port: integer
? Portlist: PortlistType ? Portlist: PortlistType
? ProtoCode: integer ? ProtoCode: integer
? ProtoType: integer ? ProtoType: integer
? ProtoField: integer ? ProtoField: integer
? ApplicationHeaderField: [+ ExtensionType] ? ApplicationHeaderField: [+ ExtensionType]
? EmailData: EmailData ? EmailData: EmailData
? Application: SoftwareType ? Application: SoftwareType
} }
ServiceName = { ServiceName = {
? IANAService: text ? IANAService: text
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
} }
EmailData = { EmailData = {
? observable-id: IDtype ? observable-id: IDtype
? EmailTo: [+ text] ? EmailTo: [+ text]
? EmailFrom: text ? EmailFrom: text
? EmailSubject: text ? EmailSubject: text
? EmailX-Mailer: text ? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType] ? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text ? EmailHeaders: text
? EmailBody: text ? EmailBody: text
? EmailMessage: text ? EmailMessage: text
skipping to change at page 36, line 5 skipping to change at page 36, line 15
? observable-id: IDtype ? observable-id: IDtype
? EmailTo: [+ text] ? EmailTo: [+ text]
? EmailFrom: text ? EmailFrom: text
? EmailSubject: text ? EmailSubject: text
? EmailX-Mailer: text ? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType] ? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text ? EmailHeaders: text
? EmailBody: text ? EmailBody: text
? EmailMessage: text ? EmailMessage: text
? HashData: [+ HashData] ? HashData: [+ HashData]
? Signature: [+ SignatureType] ? Signature: [+ BYTE]
}
SignatureType = {
? id: IDtype
SignedInfo: SignedInfoType
SignatureValue: SignatureValueType
? KeyInfo: KeyInfoType
? Object: [+ ObjectType]
}
SignedInfoType = {
? id: IDtype
CanonicalizationMethod: CanonicalizationMethodType
SignatureMethod: SignatureMethodType
Reference: [+ ReferenceType]
}
SignatureMethodType = {
? value: text
Algorithm: URLtype
? HMACOutputLength: HMACOutputLengthType
}
HMACOutputLengthType = integer
ReferenceType = {
? id: IDtype
? URI: URLtype
? Type: URLtype
? Transforms: TransformsType
DigestMethod: DigestMethodType
DigestValue: DigestValueType
}
TransformsType = {
Transform: [+ TransformType]
}
TransformType = {
? value: text
Algorithm: URLtype
? XPath: [+ text]
}
DigestMethodType = {
? value: text
Algorithm: URLtype
}
DigestValueType = eb64legacy
SignatureValueType = {
value: eb64legacy
? id: IDtype
}
KeyInfoType = {
? value: text
? id: IDtype
KeyProperties: [+ {KeyName: text} / {KeyValue: KeyValueType} /
{RetrievalMethod: RetrievalMethodType} /
{X509Data: X509DataType} / {PGPData: PGPDataType} /
{SPKIData: SPKIDataType} / {MgmtData: text}]
}
KeyValueType = {
? value: text
KeyValueProperties: {DSAKeyValue: DSAKeyValueType} /
{RSAKeyValue: RSAKeyValueType}
}
DSAKeyValueType = {
? P: CryptoBinary
? Q: CryptoBinary
? G: CryptoBinary
Y: CryptoBinary
? J: CryptoBinary
? Seed: CryptoBinary
? PgenCounter: CryptoBinary
}
CryptoBinary = eb64legacy
RSAKeyValueType ={
Modulus: CryptoBinary
Exponent: CryptoBinary
}
RetrievalMethodType = {
URI: URLtype
? Type: URLtype
? Transforms: TransformsType
}
PGPDataType = {
? value: text
PGPDataProperties: {PGPKeyID: eb64legacy} / {PGPKeyPacket: eb64legacy}
}
SPKIDataType = {
? value: text
SPKISexp: [+ eb64legacy]
}
ObjectType = {
? value: text
? id: IDtype
? MimeType: text
? Encoding: URLtype
} }
RecordData = { RecordData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? DateTime: DATETIME ? DateTime: DATETIME
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? Application: SoftwareType ? Application: SoftwareType
? RecordPattern: [+ RecordPattern] ? RecordPattern: [+ RecordPattern]
? RecordItem: [+ ExtensionType] ? RecordItem: [+ ExtensionType]
? URL: [+ URLtype] ? URL: [+ URLtype]
? FileData: [+ FileData] ? FileData: [+ FileData]
? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
? CertificateData: [+ CertificateData] ? CertificateData: [+ CertificateData]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
skipping to change at page 39, line 23 skipping to change at page 37, line 20
CertificateData = { CertificateData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Certificate: [+ Certificate] Certificate: [+ Certificate]
} }
Certificate = { Certificate = {
? observable-id: IDtype ? observable-id: IDtype
X509Data: X509DataType X509Data: BYTE
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
}
X509DataType = {
X509DataProperties: [+ {X509IssuerSerial: X509IssuerSerialType} /
{X509SKI: eb64legacy} / {X509SubjectName: text} /
{X509Certificate: eb64legacy} /
{X509CRL: eb64legacy}]
}
X509IssuerSerialType = {
X509IssuerName: text
X509SerialNumber: integer
} }
FileData = { FileData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
File: [+ File] File: [+ File]
} }
File = { File = {
? observable-id: IDtype ? observable-id: IDtype
? FileName: text ? FileName: text
? FileSize: integer ? FileSize: integer
? FileType: text ? FileType: text
? URL: [+ URLtype] ? URL: [+ URLtype]
? HashData: HashData ? HashData: HashData
? Signature: [+ SignatureType] ? Signature: [+ BYTE]
? AssociatedSoftware: SoftwareType ? AssociatedSoftware: SoftwareType
? FileProperties: [+ ExtensionType] ? FileProperties: [+ ExtensionType]
} }
HashData = { HashData = {
scope: "file-contents" / "file-pe-section" / "file-pe-iat" / scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" / "file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-hash-header" / "email-hash-body" "email-headers-hash" / "email-body-hash" / "ext-value"
? HashTargetID: text ? HashTargetID: text
? Hash: [+ Hash] ? Hash: [+ Hash]
? FuzzyHash: [+ FuzzyHash] ? FuzzyHash: [+ FuzzyHash]
} }
Hash = { Hash = {
DigestMethod: DigestMethodType DigestMethod: BYTE
DigestValue: DigestValueType DigestValue: BYTE
? CanonicalizationMethod: CanonicalizationMethodType ? CanonicalizationMethod: BYTE
? Application: SoftwareType ? Application: SoftwareType
} }
CanonicalizationMethodType = {
? value: text
Algorithm: URLtype
}
FuzzyHash = { FuzzyHash = {
FuzzyHashValue: [+ ExtensionType] FuzzyHashValue: [+ ExtensionType]
? Application: SoftwareType ? Application: SoftwareType
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Indicator = { Indicator = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IndicatorID: IndicatorID IndicatorID: IndicatorID
? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? StartTime: DATETIME ? StartTime: DATETIME
? EndTime: DATETIME ? EndTime: DATETIME
? Confidence: Confidence ? Confidence: Confidence
? Contact: [+ Contact] ? Contact: [+ Contact]
? Observable: Observable (Observable: Observable // uid-ref: IDREFType //
? uid-ref: IDREFType IndicatorExpression: IndicatorExpression //
? IndicatorExpression: IndicatorExpression IndicatorReference: IndicatorReference)
? IndicatorReference: IndicatorReference
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? AttackPhase: [+ AttackPhase] ? AttackPhase: [+ AttackPhase]
? Reference: [+ Reference] ? Reference: [+ Reference]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IndicatorID = { IndicatorID = {
id: IDtype id: IDtype
name: text name: text
version: text version: text
} }
AlternativeIndicatorID = { AlternativeIndicatorID = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IndicatorReference: [+ IndicatorReference] IndicatorID: [+ IndicatorID]
} }
Observable = { Observable = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? System: System ? (System: System // Address: Address // DomainData: DomainData //
? Address: Address EmailData: EmailData // Service: Service //
? DomainData: DomainData WindowsRegistryKeysModified: WindowsRegistryKeysModified //
? EmailData: EmailData FileData: FileData // CertificateData: CertificateData //
? Service: Service RegistryHandle: RegistryHandle // RecordData: RecordData //
? WindowsRegistryKeysModified: WindowsRegistryKeysModified EventData: EventData // Incident: Incident //
? FileData: FileData Expectation: Expectation // Reference: Reference //
? CertificateData: CertificateData Assessment: Assessment // DetectionPattern: DetectionPattern //
? RegistryHandle: RegistryHandle HistoryItem: HistoryItem // BulkObservable: BulkObservable //
? RecordData: RecordData AdditionalData: [+ ExtensionType])
? EventData: EventData
? Incident: Incident
? Expectation: Expectation
? Reference: Reference
? Assessment: Assessment
? DetectionPattern: DetectionPattern
? HistoryItem: HistoryItem
? BulkObservable: BulkObservable
? AdditionalData: [+ ExtensionType]
} }
BulkObservable = { BulkObservable = {
? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-url" / "domain-name" / "domain-to-ipv4" / "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" / "windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" / "email-subject" / "http-user-agent" / "http-request-uri" /
"mutex" / "file-path" / "user-name" / "ext-value" "mutex" / "file-path" / "user-name" / "ext-value"
? ext-type: text ? ext-type: text
? BulkObservableFormat: BulkObservableFormat ? BulkObservableFormat: BulkObservableFormat
BulkObservableList: text BulkObservableList: text
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
BulkObservableFormat = { BulkObservableFormat = {
? Hash: Hash (Hash: Hash // AdditionalData: [+ ExtensionType])
? AdditionalData: [+ ExtensionType]
} }
IndicatorExpression = { IndicatorExpression = {
? operator: "not" / "and" / "or" / "xor" .default "and" ? operator: "not" / "and" / "or" / "xor" .default "and"
? ext-operator: text ? ext-operator: text
? IndicatorExpression: [+ IndicatorExpression] ? IndicatorExpression: [+ IndicatorExpression]
? Observable: [+ Observable] ? Observable: [+ Observable]
? uid-ref: [+ IDREFType] ? uid-ref: [+ IDREFType]
? IndicatorReference: [+ IndicatorReference] ? IndicatorReference: [+ IndicatorReference]
? Confidence: Confidence ? Confidence: Confidence
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
IndicatorReference = { IndicatorReference = {
? uid-ref: IDREFType (uid-ref: IDREFType // euid-ref: text)
? euid-ref: text
? version: text ? version: text
} }
AttackPhase = { AttackPhase = {
? AttackPhaseID: [+ text] ? AttackPhaseID: [+ text]
? URL: [+ URLtype] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Figure 7: Data Model in CDDL Figure 8: Data Model in CDDL
6. Acknowledgements
We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
Morita, and Takahiko Nagata for their insightful comments on CDDL.
7. IANA Considerations 6. IANA Considerations
This document registers a JSON schema. This document registers an IODEF data model in CDDL. See Section 5.
8. Security Considerations 7. Security Considerations
This memo does not provide any further security considerations than This memo does not provide any further security considerations than
the one described in [RFC7970]. the one described in [RFC7970].
8. Acknowledgements
We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
Morita, and Takahiko Nagata for their insightful comments on CDDL.
9. References 9. References
9.1. Normative References 9.1. Normative References
[cddlspec] [cddlspec]
Henk Birkholz, Christoph Vigano, and Carsten Bormann, Henk Birkholz, Christoph Vigano, and Carsten Bormann,
"Concise data definition language (CDDL): a notational "Concise data definition language (CDDL): a notational
convention to express CBOR and JSON data structuresy", convention to express CBOR and JSON data structuresy",
2018. 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
Incident Object Description Exchange Format (IODEF)
Extension for Structured Cybersecurity Information",
RFC 7203, DOI 10.17487/RFC7203, April 2014,
<https://www.rfc-editor.org/info/rfc7203>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange [RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970, Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>. November 2016, <https://www.rfc-editor.org/info/rfc7970>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References 9.2. Informative References
[jsonschema] [jsonschema]
Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema: Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema:
core definitions and terminology", 2013. core definitions and terminology", 2013.
Appendix A. Data Types used in this document Appendix A. Data Types used in this document
The CDDL prelude used in this document is mapped to JSON as shown in The CDDL prelude used in this document is mapped to JSON as shown in
the table below. the table below.
skipping to change at page 44, line 17 skipping to change at page 41, line 32
+-----------------+-------------------+----------------------------+ +-----------------+-------------------+----------------------------+
| bytes | n/a | string | tool available | | bytes | n/a | string | tool available |
| text | string | string | unnecessary | | text | string | string | unnecessary |
| tdate | n/a | string | 7.3.1 date-time | | tdate | n/a | string | 7.3.1 date-time |
| integer | n/a | number | integer | | integer | n/a | number | integer |
| eb64legacy | n/a | string | tool available | | eb64legacy | n/a | string | tool available |
| uri | n/a | string | 7.3.6 uri | | uri | n/a | string | 7.3.6 uri |
| float32 | float32 | number | unnecessary | | float32 | float32 | number | unnecessary |
+-----------------+-------------------+----------------------------+ +-----------------+-------------------+----------------------------+
Figure 8 Figure 9: CDDL Prelude mapping in JSON
Appendix B. The IODEF Data Model (JSON Schema) Appendix B. The IODEF Data Model (JSON Schema)
This section provides a JSON schema that defines the IODEF Data Model This section provides a JSON schema that defines the IODEF Data Model
defined in this draft. defined in this draft.
{ "$schema": "http://json-schema.org/draft-04/schema#", { "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": { "definitions": {
"action": {"enum": ["nothing","contact-source-site", "action": {"enum": ["nothing","contact-source-site",
"contact-target-site","contact-sender","investigate", "contact-target-site","contact-sender","investigate",
skipping to change at page 44, line 38 skipping to change at page 42, line 4
"block-host","block-network","block-port","rate-limit-host", "block-host","block-network","block-port","rate-limit-host",
"rate-limit-network","rate-limit-port","redirect-traffic", "rate-limit-network","rate-limit-port","redirect-traffic",
"honeypot","upgrade-software","rebuild-asset","harden-asset", "honeypot","upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info", "remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","other", "watch-and-report","training","defined-coa","other",
"ext-value"]}, "ext-value"]},
"duration":{"enum":["second","minute","hour","day","month", "duration":{"enum":["second","minute","hour","day","month",
"quarter","year","ext-value"]}, "quarter","year","ext-value"]},
"SpecID":{ "SpecID":{
"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
"lang": { "lang": {
"type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
"purpose": {"enum": ["traceback","mitigation","reporting","watch", "purpose": {"enum": ["traceback","mitigation","reporting","watch",
"other","ext-value"]}, "other","ext-value"]},
"restriction":{"enum":["public","partner","need-to-know","private", "restriction":{"enum":["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]}, "default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved", "status": {"enum": ["new","in-progress","forwarded","resolved",
"future","ext-value"]}, "future","ext-value"]},
"DATETIME": {"type": "string","format": "date-time"}, "DATETIME": {"type": "string","format": "date-time"},
"BYTE": {"type": "string"},
"PortlistType": { "PortlistType": {
"type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"}, "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
"TimeZonetype": { "TimeZonetype": {
"type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
"URLtype": { "URLtype": {
"type": "string", "type": "string",
"pattern": "pattern":
"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
"IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
"IDREFType": {"$ref": "#/definitions/IDtype"}, "IDREFType": {"$ref": "#/definitions/IDtype"},
"CryptoBinary": {"type": "string"},
"MLStringType": { "MLStringType": {
"type": "object", "oneOf": [{"type": "string"},
"properties": { {"type": "object",
"value": {"type": "string"}, "properties": {
"lang": {"$ref": "#/definitions/lang"}, "value": {"type": "string"},
"translation-id": {"type": "string"}}, "lang": {"$ref": "#/definitions/lang"},
"required": ["value"], "translation-id": {"type": "string"}},
"additionalProperties":false}, "required": ["value"],
"additionalProperties":false}]},
"PositiveFloatType": {"type": "number","minimum": 0}, "PositiveFloatType": {"type": "number","minimum": 0},
"PAddressType": {"$ref": "#/definitions/MLStringType"}, "PAddressType": {"$ref": "#/definitions/MLStringType"},
"ExtensionType": { "ExtensionType": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"Name": {"type": "string"}, "name": {"type": "string"},
"dtype":{"enum":["boolean","byte","bytes","character", "dtype":{"enum":["boolean","byte","bytes","character", "json",
"date-time","ntpstamp","integer","portlist","real","string", "date-time","ntpstamp","integer","portlist","real","string",
"file","path","frame","packet","ipv4-packet","ipv6-packet", "file","path","frame","packet","ipv4-packet","ipv6-packet",
"url", "csv","winreg","xml","ext-value"],"default": "string"}, "url", "csv","winreg","xml","ext-value"],"default": "string"},
"ext-dtype": {"type": "string"}, "ext-dtype": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"formatid": {"type": "string"}, "formatid": {"type": "string"},
"restriction": { "restriction": {
"$ref": "#/definitions/restriction","default": "private"}, "$ref": "#/definitions/restriction","default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
skipping to change at page 45, line 51 skipping to change at page 43, line 19
"SoftwareType": { "SoftwareType": {
"type": "object", "type": "object",
"properties": { "properties": {
"SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype", "items": {"$ref": "#/definitions/URLtype",
"minItems": 1}}, "minItems": 1}},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1 }}, "minItems": 1 }},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SoftwareReference": { "SoftwareReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "spec-name": {"enum": ["custom","cpe","swid","ext-value"]},
"ext-spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"},
"dtype": {"enum": ["bytes","integer","real","string","xml", "dtype": {"enum": ["bytes","integer","real","string","xml",
"ext-value"] , "default": "string"}, "ext-value"] , "default": "string"},
"ext-dtype": {"type": "string"}}, "ext-dtype": {"type": "string"}},
"required": ["spec-name"], "required": ["spec-name"],
"additionalProperties": false}, "additionalProperties": false},
"StructuredInformation": { "StructuredInfo": {
"type": "object", "type": "object",
"properties": { "properties": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"}, "ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"}, "ContentID": {"type": "string"},
"RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1 "minItems": 1
}, },
"Platform": { "Platform": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Platform"}, "items": {"$ref": "#/definitions/Platform"},
"minItems": 1 "minItems": 1
}, },
"Scoring": { "Scoring": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Scoring"}, "items": {"$ref": "#/definitions/Scoring"},
"minItems": 1}}, "minItems": 1}},
"required": ["SpecID"], "allOf": [
{"required": ["SpecID"]},
{"anyOf": [
{"oneOf": [
{"required":["Reference"]},
{"required":["RawData"]}]},
{ "not" : {"required":["Reference", "RawData"]}}]}],
"additionalProperties": false}, "additionalProperties": false},
"Platform": { "Platform": {
"type": "object", "type": "object",
"properties": { "properties": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"}, "ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"}, "ContentID": {"type": "string"},
"RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}}, "minItems": 1}},
"required": ["SpecID"], "required": ["SpecID"],
"additionalProperties": false}, "additionalProperties": false},
"Scoring": { "Scoring": {
"type": "object", "type": "object",
"properties": { "properties": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"}, "ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"}, "ContentID": {"type": "string"},
"RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}}, "minItems": 1}},
"required": ["SpecID"], "required": ["SpecID"],
"additionalProperties": false}, "additionalProperties": false},
"Incident": { "Incident": {
"title": "Incident", "title": "Incident",
"description": "JSON schema for Incident class", "description": "JSON schema for Incident class",
"type": "object", "type": "object",
skipping to change at page 47, line 48 skipping to change at page 45, line 33
"items": {"$ref": "#/definitions/RelatedActivity"}, "items": {"$ref": "#/definitions/RelatedActivity"},
"minItems": 1}, "minItems": 1},
"DetectTime": {"$ref": "#/definitions/DATETIME"}, "DetectTime": {"$ref": "#/definitions/DATETIME"},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"},
"GenerationTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Discovery": { "Discovery": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Discovery"}, "items": {"$ref": "#/definitions/Discovery"},
"minItems": 1}, "minItems": 1},
"Assessment": { "Assessment": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Assessment"}, "items": {"$ref": "#/definitions/Assessment"},
"minItems": 1}, "minItems": 1},
"Method": { "Method": {
skipping to change at page 50, line 5 skipping to change at page 47, line 37
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ThreatActorID": { "ThreatActorID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"Campaign": { "Campaign": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
skipping to change at page 50, line 29 skipping to change at page 48, line 12
"CampaignID": { "CampaignID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
"Contact": { "Contact": {
"type": "object", "type": "object",
"properties": { "properties": {
"role": { "role": {
"enum":["creator","reporter","admin","tech","provider","user", "enum":["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo", "billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified", "vendor","vendor-support","victim","victim-notified",
"ext-value"]}, "ext-value"]},
"ext-role": {"type": "string"}, "ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]}, "type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ContactName": { "ContactName": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"ContactTitle": { "ContactTitle": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"RegistryHandle": { "RegistryHandle": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/RegistryHandle"}, "items":{"$ref":"#/definitions/RegistryHandle"},
"minItems": 1}, "minItems": 1},
"PostalAddress": { "PostalAddress": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/PostalAddress"}, "items":{"$ref":"#/definitions/PostalAddress"},
"minItems": 1}, "minItems": 1},
"Email": { "Email": {
skipping to change at page 51, line 52 skipping to change at page 49, line 30
"handle": {"type": "string"}, "handle": {"type": "string"},
"registry": { "registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
"local","ext-value"]}, "local","ext-value"]},
"ext-registry": {"type": "string"}}, "ext-registry": {"type": "string"}},
"required": ["handle","registry"], "required": ["handle","registry"],
"additionalProperties": false}, "additionalProperties": false},
"PostalAddress": { "PostalAddress": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"type": "string"}, "type": {
"enum": ["street","mailing","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"PAddress": {"$ref": "#/definitions/PAddressType"}, "PAddress": {"$ref": "#/definitions/PAddressType"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["PAddress"], "required": ["PAddress"],
"additionalProperties": false}, "additionalProperties": false},
"Email": { "Email": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["direct","hotline","ext-value"]}, "enum":["direct","hotline","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"EmailTo": {"type": "string"}, "EmailTo": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["EmailTo"], "required": ["EmailTo"],
"additionalProperties": false}, "additionalProperties": false},
"Telephone": { "Telephone": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["wired","mobile","fax","hotline","ext-value"]}, "enum":["wired","mobile","fax","hotline","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"}, "TelephoneNumber": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["TelephoneNumber"], "required": ["TelephoneNumber"],
"additionalProperties": false}, "additionalProperties": false},
"Discovery": { "Discovery": {
"type": "object", "type": "object",
"properties": { "properties": {
"source": { "source": {
"enum":["nidps","hips","siem","av","third-party-monitoring", "enum":["nidps","hips","siem","av","third-party-monitoring",
"incident","os-log","application-log","device-log", "incident","os-log","application-log","device-log",
"network-flow","passive-dns","investigation","audit", "network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo", "internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]}, "partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"}, "ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Contact": { "Contact": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Contact"}, "items": {"$ref": "#/definitions/Contact"},
"minItems": 1}, "minItems": 1},
"DetectionPattern": { "DetectionPattern": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"}, "items":{"$ref":"#/definitions/DetectionPattern"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
skipping to change at page 53, line 31 skipping to change at page 51, line 7
"DetectionPattern": { "DetectionPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"DetectionConfiguration": { "DetectionConfiguration": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}}, "minItems": 1}},
"required": ["Application"], "allOf": [
{"required": ["Application"]},
{"oneOf": [
{"required":["Description"]},
{"required":["DetectionConfiguration"]}]}],
"additionalProperties": false}, "additionalProperties": false},
"Method": { "Method": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"AttackPattern": { "AttackPattern": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"}, "items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1}, "minItems": 1},
"Vulnerability": { "Vulnerability": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"}, "items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1}, "minItems": 1},
"Weakness": { "Weakness": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"}, "items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Reference": { "Reference": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"$ref":"#/definitions/ReferenceName"}, "ReferenceName": {"$ref":"#/definitions/ReferenceName"},
"URL":{ "URL":{
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ReferenceName" : { "ReferenceName" : {
"type": "object", "type": "object",
"properties": { "properties": {
"specIndex": {"type": "number"}, "specIndex": {"type": "number"},
"ID": {"$ref":"#/definitions/IDtype"}}, "ID": {"$ref":"#/definitions/IDtype"}},
"required": ["specIndex","ID"], "required": ["specIndex","ID"],
"additionalProperties": false}, "additionalProperties": false},
"Assessment": { "Assessment": {
"type": "object", "type": "object",
"properties": { "properties": {
"occurrence": {"enum":["actual","potential"]}, "occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": { "IncidentCategory": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Impact": { "Impact": {
"type": "array", "type": "array",
"items": { "items": {
"properties": { "properties": {
"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "SystemImpact":{"$ref":"#/definitions/SystemImpact"},
"BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},
"TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
"MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"},
"IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
"additionalProperties":false}, "additionalProperties":false},
"minItems" : 1 "minItems" : 1
}, },
"Counter": { "Counter": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Counter"}, "items": {"$ref": "#/definitions/Counter"},
"minItems": 1}, "minItems": 1},
"MitigatingFactor": { "MitigatingFactor": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Cause": { "Cause": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Impact"], "required": ["Impact"],
"additionalProperties": false}, "additionalProperties": false},
"SystemImpact": { "SystemImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": {"enum":["low","medium","high"]}, "severity": {"enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]}, "completion": {"enum":["failed","succeeded"]},
skipping to change at page 56, line 11 skipping to change at page 53, line 33
"availability-service","availability-system", "availability-service","availability-system",
"damaged-system","damaged-data","breach-proprietary", "damaged-system","damaged-data","breach-proprietary",
"breach-privacy","breach-credential", "breach-privacy","breach-credential",
"breach-configuration","integrity-data", "breach-configuration","integrity-data",
"integrity-configuration","integrity-hardware", "integrity-configuration","integrity-hardware",
"traffic-redirection","monitoring-traffic", "traffic-redirection","monitoring-traffic",
"monitoring-host","policy","unknown","ext-value"]}, "monitoring-host","policy","unknown","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"BusinessImpact": { "BusinessImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": {"enum":["none","low","medium","high","unknown", "severity": {"enum":["none","low","medium","high","unknown",
"ext-value"],"default": "unknown"}, "ext-value"],"default": "unknown"},
"ext-severity": {"type":"string"}, "ext-severity": {"type":"string"},
"type": {"enum":["breach-proprietary","breach-privacy", "type": {"enum":["breach-proprietary","breach-privacy",
"breach-credential","loss-of-integrity","loss-of-service", "breach-credential","loss-of-integrity","loss-of-service",
"theft-financial","theft-service","degraded-reputation", "theft-financial","theft-service","degraded-reputation",
"asset-damage","asset-manipulation","legal","extortion", "asset-damage","asset-manipulation","legal","extortion",
"unknown","ext-value"]}, "unknown","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"TimeImpact": { "TimeImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"}, "value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low","medium","high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
"ext-metric": {"type": "string"}, "ext-metric": {"type": "string"},
skipping to change at page 57, line 42 skipping to change at page 55, line 13
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"}, "Contact": {"$ref": "#/definitions/Contact"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"DefinedCOA": { "DefinedCOA": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime","action"], "required": ["DateTime","action"],
"additionalProperties": false}, "additionalProperties": false},
"EventData": { "EventData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array", "Description": {"type": "array",
"items": { "type":"string", "items": { "$ref":"#/definitions/MLStringType"}},
"$ref":"#/definitions/MLStringType"}},
"DetectTime": {"$ref": "#/definitions/DATETIME"}, "DetectTime": {"$ref": "#/definitions/DATETIME"},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"},
"Contact": { "Contact": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Contact"}, "items": {"$ref": "#/definitions/Contact"},
"minItems": 1}, "minItems": 1},
"Discovery": { "Discovery": {
skipping to change at page 59, line 14 skipping to change at page 56, line 32
"properties": { "properties": {
"action": {"$ref":"#/definitions/action","default": "other"}, "action": {"$ref":"#/definitions/action","default": "other"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low","medium","high"]},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "default"}, "default": "default"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"DefinedCOA": { "DefinedCOA": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Contact": {"$ref": "#/definitions/Contact"}}, "Contact": {"$ref": "#/definitions/Contact"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
skipping to change at page 60, line 19 skipping to change at page 57, line 36
"Counter": { "Counter": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Counter"}, "items": {"$ref": "#/definitions/Counter"},
"minItems": 1}, "minItems": 1},
"AssetID": { "AssetID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"], "required": ["Node"],
"additionalProperties": false}, "additionalProperties": false},
"Node": { "Node": {
"type": "object", "type": "object",
"properties": { "properties": {
"DomainData": { "DomainData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/DomainData"}, "items": {"$ref": "#/definitions/DomainData"},
skipping to change at page 60, line 36 skipping to change at page 58, line 4
"type": "object", "type": "object",
"properties": { "properties": {
"DomainData": { "DomainData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/DomainData"}, "items": {"$ref": "#/definitions/DomainData"},
"minItems": 1}, "minItems": 1},
"Address": { "Address": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Address"}, "items": {"$ref": "#/definitions/Address"},
"minItems": 1}, "minItems": 1},
"PostalAddress": {"$ref": "#/definitions/PostalAddress"}, "PostalAddress": {"$ref": "#/definitions/PostalAddress"},
"Location": { "Location": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Counter": { "Counter": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/Counter"}, "items":{"$ref":"#/definitions/Counter"},
"minItems": 1}}, "minItems": 1}},
"required": [], "anyOf": [
{"required": ["DomainData"]},
{"required": ["Address"]}
],
"additionalProperties": false}, "additionalProperties": false},
"Address": { "Address": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"category": { "category": {
"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
"ipv6-net-masked","mac","site-url","ext-value"], "ipv6-net-masked","mac","site-uri","ext-value"],
"default": "ipv6-addr"}, "default": "ipv6-addr"},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"vlan-name": {"type": "string"}, "vlan-name": {"type": "string"},
"vlan-num": {"type": "number"}, "vlan-num": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["value","category"], "required": ["value","category"],
"additionalProperties": false}, "additionalProperties": false},
"NodeRole": { "NodeRole": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum":["client","client-enterprise","clent-partner", "enum":["client","client-enterprise","client-partner",
"client-remote","client-kiosk","client-mobile", "client-remote","client-kiosk","client-mobile",
"server-internal","server-public","www","mail","webmail", "server-internal","server-public","www","mail","webmail",
"messaging","streaming","voice","file","ftp","p2p","name", "messaging","streaming","voice","file","ftp","p2p","name",
"directory","credential","print","application","database", "directory","credential","print","application","database",
"backup","dhcp","assessment","source-control", "backup","dhcp","assessment","source-control",
"config-management","monitoring","infra","infra-firewall", "config-management","monitoring","infra","infra-firewall",
"infra-router","infra-switch","camera","proxy", "infra-router","infra-switch","camera","proxy",
"remote-access","log","virtualization","pos", "scada", "remote-access","log","virtualization","pos", "scada",
"scada-supervisory","sinkhole","honeypot","anomyzation", "scada-supervisory","sinkhole","honeypot","anomyzation",
"c2-server","malware-distribution","drop-server", "c2-server","malware-distribution","drop-server",
"hot-point","reflector","phishing-site", "hop-point","reflector","phishing-site",
"spear-phishing-site","recruiting-site","fraudulent-site", "spear-phishing-site","recruiting-site","fraudulent-site",
"ext-value"]}, "ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["category"], "required": ["category"],
"additionalProperties": false}, "additionalProperties": false},
"Counter": { "Counter": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"type": "number"},
"type": {"enum": ["count","peak","average","ext-value"]}, "type": {"enum": ["count","peak","average","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"unit":{"enum":["byte","mbit","packet","flow","session","alert", "unit":{"enum":["byte","mbit","packet","flow","session","alert",
skipping to change at page 63, line 6 skipping to change at page 60, line 23
"required": ["Server","Address"], "required": ["Server","Address"],
"additionalProperties": false}, "additionalProperties": false},
"DomainContacts": { "DomainContacts": {
"type": "object", "type": "object",
"properties": { "properties": {
"SameDomainContact": {"type": "string"}, "SameDomainContact": {"type": "string"},
"Contact": { "Contact": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/Contact"}, "items":{"$ref":"#/definitions/Contact"},
"minItems": 1}}, "minItems": 1}},
"required": ["Contact"], "oneOf": [
{"required": ["SameDomainContact"]},
{"required": ["Contact"]}],
"additionalProperties": false}, "additionalProperties": false},
"Service": { "Service": {
"type": "object", "type": "object",
"properties": { "properties": {
"ip-protocol": {"type": "number"}, "ip-protocol": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"}, "ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "number"}, "Port": {"type": "number"},
"Portlist": {"$ref": "#/definitions/PortlistType"}, "Portlist": {"$ref": "#/definitions/PortlistType"},
"ProtoCode": {"type": "number"}, "ProtoCode": {"type": "number"},
skipping to change at page 63, line 29 skipping to change at page 60, line 48
"ApplicationHeaderField":{ "ApplicationHeaderField":{
"$ref":"#/definitions/ExtensionTypeList"}, "$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ServiceName": { "ServiceName": {
"type": "object", "type": "object",
"properties": { "properties": {
"IANAService": {"type": "string"}, "IANAService": {"type": "string"},
"URL": {"type": "array", "URL": {
"items": {"$ref": "#/definitions/URLtype"}}, "type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"EmailData": { "EmailData": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": { "EmailTo": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
skipping to change at page 64, line 14 skipping to change at page 61, line 32
"minItems": 1}, "minItems": 1},
"EmailHeaders": {"type": "string"}, "EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"}, "EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"}, "EmailMessage": {"type": "string"},
"HashData": { "HashData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/HashData"}, "items": {"$ref": "#/definitions/HashData"},
"minItems": 1}, "minItems": 1},
"Signature": { "Signature": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/SignatureType"}, "items": {"$ref": "#/definitions/BYTE"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SignatureType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"SignedInfo": {"$ref": "#/definitions/SignedInfoType"},
"SignatureValue": {"$ref": "#/definitions/SignatureValueType"},
"KeyInfo": {"$ref": "#/definitions/KeyInfoType"},
"Object": {
"type": "array",
"items": {"$ref": "#/definitions/ObjectType"},
"minItems": 1}},
"required": ["SignedInfo","SignatureValue"],
"additionalProperties": false
},
"SignatureValueType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"}
},
"required": ["value"],
"additionalProperties": false
},
"SignedInfoType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"CanonicalizationMethod":
{"$ref": "#/definitions/CanonicalizationMethodType"},
"SignatureMethod": {"$ref":"#/definitions/SignatureMethodType"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/ReferenceType"},
"minItems": 1}
},
"required": ["CanonicalizationMethod","SignatureMethod",
"Reference"],
"additionalProperties": false
},
"SignatureMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"},
"HMACOutputLength":{"$ref":"#/definitions/HMACOutputLengthType"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"HMACOutputLengthType": {"type": "number"},
"ReferenceType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"URI": {"$ref": "#/definitions/URLtype"},
"Type": {"$ref": "#/definitions/URLtype"},
"Transforms": {"$ref": "#/definitions/TransformsType"},
"DigestMethod": {"$ref": "#/definitions/DigestMethodType"},
"DigestValue": {"$ref": "#/definitions/DigestValueType"}
},
"required": ["DigestMethod","DigestValue"],
"additionalProperties": false
},
"TransformsType": {
"type": "object",
"properties": {
"Transform": {
"type": "array",
"items": {"$ref": "#/definitions/TransformType"},
"minItems": 1}
},
"required": ["Transform"],
"additionalProperties": false
},
"TransformType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"},
"XPath": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"DigestMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"DigestValueType": {"type": "string"},
"KeyInfoType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"},
"KeyProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"KeyName": {"type": "string"},
"KeyValue": {"$ref": "#/definitions/KeyValueType"},
"RetrievalMethod":
{"$ref": "#/definitions/RetrievalMethodType"},
"X509Data": {"$ref": "#/definitions/X509DataType"},
"PGPData": {"$ref": "#/definitions/PGPDataType"},
"SPKIData": {"$ref": "#/definitions/SPKIDataType"},
"MgmtData": {"type": "string"}},
"additionalProperties": false},
"minItems" : 1}},
"required": ["KeyProperties"],
"additionalProperties": false
},
"KeyValueType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"KeyValueProperties": {
"items": {
"type": "object",
"properties": {
"DSAKeyValue": {"$ref": "#/definitions/DSAKeyValueType"},
"RSAKeyValue": {"$ref": "#/definitions/RSAKeyValueType"}},
"additionalProperties": false}}
},
"required": ["KeyValueProperties"],
"additionalProperties": false
},
"DSAKeyValueType": {
"type": "object",
"properties": {
"P": {"$ref": "#/definitions/CryptoBinary"},
"Q": {"$ref": "#/definitions/CryptoBinary"},
"G": {"$ref": "#/definitions/CryptoBinary"},
"Y": {"$ref": "#/definitions/CryptoBinary"},
"J": {"$ref": "#/definitions/CryptoBinary"},
"Seed": {"$ref": "#/definitions/CryptoBinary"},
"PgenCounter": {"$ref": "#/definitions/CryptoBinary"}
},
"required": ["Y"],
"additionalProperties": false
},
"RSAKeyValueType":{
"type": "object",
"properties": {
"Modulus": {"$ref": "#/definitions/CryptoBinary"},
"Exponent": {"$ref": "#/definitions/CryptoBinary"}
},
"required": ["Modulus","Exponent"],
"additionalProperties": false
},
"RetrievalMethodType": {
"type": "object",
"properties": {
"URI": {"$ref": "#/definitions/URLtype"},
"Type": {"$ref": "#/definitions/URLtype"},
"Transforms": {"$ref": "#/definitions/TransformsType"}
},
"required": ["URI"],
"additionalProperties": false
},
"PGPDataType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"PGPDataProperties": {
"items": {
"type": "object",
"properties": {
"PGPKeyID": {"type": "string"},
"PGPKeyPacket": {"type": "string"}},
"additionalProperties": false}}},
"required": ["PGPDataProperties"],
"additionalProperties": false
},
"SPKIDataType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"SPKISexp": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}
},
"required": ["SPKISexp"],
"additionalProperties": false
},
"ObjectType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"},
"MimeType": {"type": "string"},
"Encoding": {"$ref": "#/definitions/URLtype"}
},
"additionalProperties": false
},
"RecordData": { "RecordData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": { "RecordPattern": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/RecordPattern"}, "items": {"$ref": "#/definitions/RecordPattern"},
"minItems": 1}, "minItems": 1},
"RecordItem": { "RecordItem": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1}, "minItems": 1},
skipping to change at page 70, line 28 skipping to change at page 63, line 34
"Certificate": { "Certificate": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Certificate"}, "items": {"$ref": "#/definitions/Certificate"},
"minItems": 1}}, "minItems": 1}},
"required": ["Certificate"], "required": ["Certificate"],
"additionalProperties": false}, "additionalProperties": false},
"Certificate": { "Certificate": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"X509Data": {"$ref": "#/definitions/X509DataType"}, "X509Data": {"$ref": "#/definitions/BYTE"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}}, "minItems": 1}},
"required": ["X509Data"], "required": ["X509Data"],
"additionalProperties": false}, "additionalProperties": false},
"X509DataType": {
"type": "object",
"properties": {
"X509DataProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"X509IssuerSerial":
{"$ref": "#/definitions/X509IssuerSerialType"},
"X509SKI": {"type": "string"},
"X509SubjectName": {"type": "string"},
"X509Certificate": {"type": "string"},
"X509CRL": {"type": "string"}},
"additionalProperties": false},
"minItems" : 1}},
"required": ["X509DataProperties"],
"additionalProperties": false
},
"X509IssuerSerialType": {
"type": "object",
"properties": {
"X509IssuerName": {"type": "string"},
"X509SerialNumber": {"type": "number"}
},
"required": ["X509IssuerName","X509SerialNumber"],
"additionalProperties": false
},
"FileData": { "FileData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"File": { "File": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/File"}, "items": {"$ref": "#/definitions/File"},
"minItems": 1}}, "minItems": 1}},
skipping to change at page 71, line 43 skipping to change at page 64, line 19
"FileName": {"type": "string"}, "FileName": {"type": "string"},
"FileSize": {"type": "number"}, "FileSize": {"type": "number"},
"FileType": {"type": "string"}, "FileType": {"type": "string"},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype"}, "items": {"$ref": "#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"HashData": {"$ref": "#/definitions/HashData"}, "HashData": {"$ref": "#/definitions/HashData"},
"Signature": { "Signature": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/SignatureType"}, "items": {"$ref": "#/definitions/BYTE"},
"minItems": 1}, "minItems": 1},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": { "FileProperties": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/ExtensionType"}, "items":{"$ref":"#/definitions/ExtensionType"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"HashData": { "HashData": {
"type": "object", "type": "object",
"properties": { "properties": {
"scope": {"enum": ["file-contents","file-pe-section", "scope": {"enum": ["file-contents","file-pe-section",
"file-pe-iat","file-pe-resource","file-pdf-object", "file-pe-iat","file-pe-resource","file-pdf-object",
"email-hash","email-hash-header","email-hash-body"]}, "email-hash","email-headers-hash","email-body-hash",
"ext-value"]},
"HashTargetID": {"type": "string"}, "HashTargetID": {"type": "string"},
"Hash": { "Hash": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Hash"}, "items": {"$ref": "#/definitions/Hash"},
"minItems": 1}, "minItems": 1},
"FuzzyHash": { "FuzzyHash": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/FuzzyHash"}, "items": {"$ref": "#/definitions/FuzzyHash"},
"minItems": 1}}, "minItems": 1}},
"required": ["scope"], "required": ["scope"],
"additionalProperties": false}, "additionalProperties": false},
"Hash": { "Hash": {
"type": "object", "type": "object",
"properties": { "properties": {
"DigestMethod": {"$ref": "#/definitions/DigestMethodType"}, "DigestMethod": {"$ref": "#/definitions/BYTE"},
"DigestValue": {"$ref": "#/definitions/DigestValueType"}, "DigestValue": {"$ref": "#/definitions/BYTE"},
"CanonicalizationMethod": "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"},
{"$ref": "#/definitions/CanonicalizationMethodType"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod","DigestValue"], "required": ["DigestMethod","DigestValue"],
"additionalProperties": false}, "additionalProperties": false},
"CanonicalizationMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"FuzzyHash": { "FuzzyHash": {
"type": "object", "type": "object",
"properties": { "properties": {
"FuzzyHashValue": { "FuzzyHashValue": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1}, "minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"], "required": ["FuzzyHashValue"],
skipping to change at page 73, line 15 skipping to change at page 65, line 31
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}, "items": {"$ref": "#/definitions/AlternativeIndicatorID"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": { "Contact": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Contact"}, "items": {"$ref": "#/definitions/Contact"},
"minItems": 1}, "minItems": 1},
"Observable": {"$ref": "#/definitions/Observable"}, "Observable": {"$ref": "#/definitions/Observable"},
"uid-ref": {"$ref": "#/definitions/IDREFType"}, "uid-ref": {"$ref": "#/definitions/IDREFType"},
skipping to change at page 73, line 44 skipping to change at page 66, line 10
"minItems": 1}, "minItems": 1},
"AttackPhase": { "AttackPhase": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AttackPhase"}, "items": {"$ref": "#/definitions/AttackPhase"},
"minItems": 1}, "minItems": 1},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"], "allOf": [
{"required": ["IndicatorID"]},
{"oneOf": [
{"required":["Observable"]},
{"required":["uid-ref"]},
{"required":["IndicatorExpression"]},
{"required":["IndicatorReference"]}]}],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorID": { "IndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": ["id","name","version"], "required": ["id","name","version"],
"additionalProperties": false}, "additionalProperties": false},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorReference": { "IndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}, "items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1}}, "minItems": 1}},
"required": ["IndicatorReference"], "required": ["IndicatorID"],
"additionalProperties": false}, "additionalProperties": false},
"Observable": { "Observable": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"}, "System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"}, "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"}, "DomainData": {"$ref": "#/definitions/DomainData"},
skipping to change at page 74, line 45 skipping to change at page 67, line 16
"RecordData": {"$ref": "#/definitions/RecordData"}, "RecordData": {"$ref": "#/definitions/RecordData"},
"EventData": {"$ref": "#/definitions/EventData"}, "EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"}, "Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"}, "Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"}, "Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "oneOf": [
{"required":["System"]},
{"required":["Address"]},
{"required":["DomainData"]},
{"required":["EmailData"]},
{"required":["Service"]},
{"required":["WindowsRegistryKeysModified"]},
{"required":["FileData"]},
{"required":["CertificateData"]},
{"required":["RegistryHandle"]},
{"required":["RecordData"]},
{"required":["EventData"]},
{"required":["Incident"]},
{"required":["Expectation"]},
{"required":["Reference"]},
{"required":["Assessment"]},
{"required":["DetectionPattern"]},
{"required":["HistoryItem"]},
{"required":["BulkObservable"]},
{"required":["AdditionalData"]}],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservable": { "BulkObservable": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
"mac","site-url","domain-name","domain-to-ipv4", "mac","site-uri","domain-name","domain-to-ipv4",
"domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6","domain-to-ipv4-timestamp",
"domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
"windows-reg-key","file-hash","email-x-mailer", "windows-reg-key","file-hash","email-x-mailer",
"email-subject","http-user-agent","http-request-url", "email-subject","http-user-agent","http-request-url",
"mutex","file-path","user-name","ext-value"]}, "mutex","file-path","user-name","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"BulkObservableFormat":{ "BulkObservableFormat":{
"$ref": "#/definitions/BulkObservableFormat"}, "$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "string"}, "BulkObservableList": {"type": "string"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["BulkObservableList"], "required": ["BulkObservableList"],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservableFormat": { "BulkObservableFormat": {
"type": "object", "type": "object",
"properties": { "properties": {
"Hash": {"$ref": "#/definitions/Hash"}, "Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "oneOf": [
{"required": ["Hash"]},
{"required": ["AdditionalData"]}
],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorExpression": { "IndicatorExpression": {
"type": "object", "type": "object",
"properties": { "properties": {
"operator": {"enum": ["not","and","or","xor"],"default": "and"}, "operator": {"enum": ["not","and","or","xor"],"default": "and"},
"ext-operator": {"type": "string"}, "ext-operator": {"type": "string"},
"IndicatorExpression": { "IndicatorExpression": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}, "items": {"$ref": "#/definitions/IndicatorExpression"},
"minItems": 1}, "minItems": 1},
skipping to change at page 76, line 6 skipping to change at page 68, line 48
"Confidence": {"$ref":"#/definitions/Confidence"}, "Confidence": {"$ref":"#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorReference": { "IndicatorReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"uid-ref": {"$ref":"#/definitions/IDREFType"}, "uid-ref": {"$ref":"#/definitions/IDREFType"},
"euid-ref": {"type": "string"}, "euid-ref": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": [], "oneOf": [
{"required": ["uid-ref"]},
{"required": ["euid-ref"]}
],
"additionalProperties": false}, "additionalProperties": false},
"AttackPhase": { "AttackPhase": {
"type": "object", "type": "object",
"properties": { "properties": {
"AttackPhaseID": { "AttackPhaseID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype"}, "items": {"$ref": "#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"oneOf":[{"type": "string"}, "items": {"$ref": "#/definitions/MLStringType"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}}, "additionalProperties": false}},
"title": "IODEF-Document", "title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class", "description": "JSON schema for IODEF-Document class",
"type": "object", "type": "object",
"properties": { "properties": {
"version": {"type": "string"}, "version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
skipping to change at page 76, line 44 skipping to change at page 69, line 40
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Incident"}, "items": {"$ref": "#/definitions/Incident"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"], "required": ["version","Incident"],
"additionalProperties": false} "additionalProperties": false}
Figure 9: JSON schema Figure 10: JSON schema
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
Email: takeshi_takahashi@nict.go.jp Email: takeshi_takahashi@nict.go.jp
Roman Danyliw Roman Danyliw
CERT, Software Engineering Institute, Carnegie Mellon University CERT, Software Engineering Institute, Carnegie Mellon University
4500 Fifth Avenue 4500 Fifth Avenue
Pittsburgh, PA Pittsburgh, PA
USA USA
Email: rdd@cert.org Email: rdd@cert.org
Mio Suzuki Mio Suzuki
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
 End of changes. 207 change blocks. 
676 lines changed or deleted 345 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/