draft-ietf-mile-jsoniodef-13.txt   draft-ietf-mile-jsoniodef-14.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: August 13, 2020 CERT Expires: September 2, 2020 CERT
M. Suzuki M. Suzuki
NICT NICT
February 10, 2020 March 1, 2020
JSON binding of IODEF JSON binding of IODEF
draft-ietf-mile-jsoniodef-13 draft-ietf-mile-jsoniodef-14
Abstract Abstract
The Incident Object Description Exchange Format defined in RFC 7970 The Incident Object Description Exchange Format defined in RFC 7970
provides an information model and a corresponding XML data model for provides an information model and a corresponding XML data model for
exchanging incident and indicator information. This draft gives exchanging incident and indicator information. This draft gives
implementers and operators an alternative format to exchange the same implementers and operators an alternative format to exchange the same
information by defining an alternative data model implementation in information by defining an alternative data model implementation in
JSON and its encoding in CBOR. JSON and its encoding in CBOR.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2020. This Internet-Draft will expire on September 2, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 21 skipping to change at page 7, line 21
When embedding the raw data, it should be encoded as a BYTE type When embedding the raw data, it should be encoded as a BYTE type
object, as shown below. object, as shown below.
"StructuredInfo": { "StructuredInfo": {
"SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM
"RawData": "<<< encoded structured data >>>" # BYTE "RawData": "<<< encoded structured data >>>" # BYTE
} }
When embedding the raw data, base64 encoding defined in Section 4 of When embedding the raw data, base64 encoding defined in Section 4 of
[RFC4648] SHOULD be used for JSON IODEF while binary representation [RFC4648] MUST be used for JSON IODEF while binary representation
SHOULD be used for CBOR IODEF. MUST be used for CBOR IODEF.
2.2.6. EXTENSION 2.2.6. EXTENSION
Information not otherwise represented in the IODEF can be added using Information not otherwise represented in the IODEF can be added using
the EXTENSION data type. This data type is a generic extension the EXTENSION data type. This data type is a generic extension
mechanism. The EXTENSION data type is implemented as an mechanism. The EXTENSION data type is implemented as an
ExtensionType object with "value", "name", "dtype", "ext-dtype", ExtensionType object with "value", "name", "dtype", "ext-dtype",
"meaning", "formatid", "restriction", "ext-restriction", and "meaning", "formatid", "restriction", "ext-restriction", and
"observable-id" elements. An example for embedding a structured ID "observable-id" elements. An example for embedding a structured ID
is shown below. is shown below.
"ExtensionType": { "ExtensionType": {
"value": "xxxxxxx", # STRING "value": "xxxxxxx", # STRING
"name": "Syslog", # STRING "name": "Syslog", # STRING
"dtype": "string", # ENUM "dtype": "string", # ENUM
"meaning": "Syslog from the security appliance X" # STRING "meaning": "Syslog from the security appliance X" # STRING
} }
Note that this data type is prepared in [RFC7970] as its generic Note that this data type is specified in [RFC7970] as its generic
extension mechanism. If a data item has internal structure that is extension mechanism. If a data item has internal structure that is
intended to be processed outside of the IODEF framework, one may intended to be processed outside of the IODEF framework, one may
consider using StructuredInfo data type mentioned in Section 2.2.5. consider using StructuredInfo data type mentioned in Section 2.2.5.
3. IODEF JSON Data Model 3. IODEF JSON Data Model
3.1. Classes and Elements 3.1. Classes and Elements
The following table shows the list of IODEF Classes, their elements, The following table shows the list of IODEF Classes, their elements,
and the corresponding section in [RFC7970]. Note that the complete and the corresponding section in [RFC7970]. Note that the complete
JSON schema is defined in Section 6 using CDDL. JSON schema is defined in Section 6 using CDDL.
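Review bot: The change from SHOULD to MUST at "base64 encoding defined in Section 4 of [RFC4648] MUST be used for JSON IODEF" turns a preference into a conformance requirement, so the text should also say what a receiver does with a RawData value that is not valid Section 4 base64 (for instance the URL-safe alphabet of RFC 4648 Section 5, or missing padding): reject the document or accept it and flag it. Without that, implementations will diverge exactly where the MUST was meant to pin them down. Separately, "An example for embedding a structured ID is shown below" does not match the ExtensionType example that follows, which embeds a Syslog string with dtype "string"; either reword the sentence to describe a syslog example or show an example that actually carries a structured ID.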
skipping to change at page 18, line 45 skipping to change at page 18, line 45
allowing the type to have not only a predefined object type but allowing the type to have not only a predefined object type but
also text type, in order to allow simple descriptions of elements also text type, in order to allow simple descriptions of elements
of the type. Implementations need to be capable of parsing of the type. Implementations need to be capable of parsing
MLStringType that could take form of both text and object. MLStringType that could take form of both text and object.
o The elements of ML_STRING type in XML IODEF document are presented o The elements of ML_STRING type in XML IODEF document are presented
as either STRING type or ML_STRING type in JSON IODEF document. as either STRING type or ML_STRING type in JSON IODEF document.
When converting from XML IODEF document to JSON one or vice versa, When converting from XML IODEF document to JSON one or vice versa,
the information contained in the original data of ML_STRING type the information contained in the original data of ML_STRING type
must be preserved. When STRING is used instead of ML_STRING, must be preserved. When STRING is used instead of ML_STRING,
parsers can assume that its xml:lang is set to "en". Otherwise it parsers can assume that its "xml:lang" is set to "en".
is expected that both receiver and sender have some external
methods to agree upon the language used in this field.
o Data models of the extension classes defined by [RFC7203] and o Data models of the extension classes defined by [RFC7203] and
referenced by [RFC7970] are represented by StructuredInfo class referenced by [RFC7970] are represented by StructuredInfo class
defined in this document. defined in this document.
o Signature, X509Data, and RawData are encoded using base64 encoding o Signature, X509Data, and RawData are encoded using base64 encoding
for JSON IODEF and binary representation for CBOR IODEF to for JSON IODEF and binary representation for CBOR IODEF to
represent them as BYTE object. represent them as BYTE object.
o EmailBody represents an whole message body including MIME o EmailBody represents an whole message body including MIME
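Review bot: "the information contained in the original data of ML_STRING type must be preserved" uses a lowercase "must" while the same revision upgrades Section 2.2.5 to uppercase MUST; if lossless XML/JSON conversion is a requirement, write MUST here so the two sections read at the same normative level. Likewise "parsers can assume that its "xml:lang" is set to "en"" reads as a hint rather than a rule; phrasing it as "a STRING value is interpreted as having xml:lang "en"" gives a converter producing XML a definite value to emit. Dropping the sentence about an external agreement on the language is the right call, since an ML_STRING object carries its own language tag.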
skipping to change at page 21, line 6 skipping to change at page 21, line 6
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"Email": [{"EmailTo": "contact@csirt.example.com"}] "Email": [{"EmailTo": "contact@csirt.example.com"}]
}] }]
}] }]
} }
Figure 4: A Minimal Example in JSON Figure 4: A Minimal Example in JSON
A3 # map(3) A3 # map(3)
01 # unsigned(1) 37 # negative(23)
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
02 # unsigned(2) 36 # negative(22)
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
06 # unsigned(6) 32 # negative(18)
81 # array(1) 81 # array(1)
A5 # map(5) A5 # map(5)
17 # unsigned(23) 21 # negative(1)
69 # text(9) 69 # text(9)
7265706F7274696E67 # "reporting" 7265706F7274696E67 # "reporting"
0F # unsigned(15) 29 # negative(9)
67 # text(7) 67 # text(7)
70726976617465 # "private" 70726976617465 # "private"
18 1B # unsigned(27) 02 # unsigned(2)
A2 # map(2) A2 # map(2)
18 2B # unsigned(43) 12 # unsigned(18)
66 # text(6) 66 # text(6)
343932333832 # "492382" 343932333832 # "492382"
0A # unsigned(10) 2E # negative(14)
71 # text(17) 71 # text(17)
63736972742E6578616D706C652E636F6D 63736972742E6578616D706C652E636F6D # "csirt.example.com"
# "csirt.example.com" 0A # unsigned(10)
18 23 # unsigned(35)
78 19 # text(25) 78 19 # text(25)
323031352D30372D31385430393A30303A30302D30353A3030 323031352D30372D31385430393A30303A30302D30353A3030
# "2015-07-18T09:00:00-05:00" # "2015-07-18T09:00:00-05:00"
18 27 # unsigned(39) 0E # unsigned(14)
81 # array(1) 81 # array(1)
A3 # map(3) A3 # map(3)
18 35 # unsigned(53) 18 1C # unsigned(28)
6C # text(12) 6C # text(12)
6F7267616E697A6174696F6E # "organization" 6F7267616E697A6174696F6E # "organization"
18 33 # unsigned(51) 18 1A # unsigned(26)
67 # text(7) 67 # text(7)
63726561746F72 # "creator" 63726561746F72 # "creator"
18 3B # unsigned(59) 18 22 # unsigned(34)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 42 # unsigned(66) 18 29 # unsigned(41)
78 19 # text(25) 78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D 636F6E746163744063736972742E6578616D706C652E636F6D
# "contact@csirt.example.com" # "contact@csirt.example.com"
Figure 5: A Minimal Example in CBOR Figure 5: A Minimal Example in CBOR
4.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign is shown below in JSON An example of C2 domains from a given campaign is shown below in JSON
and CBOR, respectively. and CBOR, respectively.
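Review bot: The key annotations in Figure 5 show only the CBOR argument ("37 # negative(23)"), which a reader must convert to -1-n before the key can be found in Figure 8; annotating the decoded value as well, e.g. "37 # negative(23) = -24 (iodef-version)", would make the figure self-checking. The bytes themselves agree with the new table (37 = -24 iodef-version, 36 = -23 iodef-lang, 32 = -19 iodef-Incident, 21 = -2 iodef-purpose, 29 = -10 iodef-restriction, 2E = -15 iodef-name, 02 iodef-IncidentID, 12 iodef-id), and a sentence in Section 5 explaining why the numbering now starts at -24 would help: CBOR encodes integers -24 through 23 in a single byte, so 48 keys become one byte each instead of the two bytes that 24 and above cost.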
skipping to change at page 23, line 14 skipping to change at page 23, line 14
"type": "domain-name", "type": "domain-name",
"BulkObservableList": "kj290023j09r34.example.com"} "BulkObservableList": "kj290023j09r34.example.com"}
} }
}] }]
}] }]
} }
Figure 6: Indicators from a Campaign in JSON Figure 6: Indicators from a Campaign in JSON
A3 # map(3) A3 # map(3)
01 # unsigned(1) 37 # negative(23)
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
02 # unsigned(2) 36 # negative(22)
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
06 # unsigned(6) 32 # negative(18)
81 # array(1) 81 # array(1)
A9 # map(9) A9 # map(9)
17 # unsigned(23) 21 # negative(1)
65 # text(5) 65 # text(5)
7761746368 # "watch" 7761746368 # "watch"
0F # unsigned(15) 29 # negative(9)
65 # text(5) 65 # text(5)
677265656E # "green" 677265656E # "green"
18 1B # unsigned(27) 02 # unsigned(2)
A2 # map(2) A2 # map(2)
18 2B # unsigned(43) 12 # unsigned(18)
66 # text(6) 66 # text(6)
383937393233 # "897923" 383937393233 # "897923"
0A # unsigned(10) 2E # negative(14)
71 # text(17) 71 # text(17)
63736972742E6578616D706C652E636F6D # "csirt.example.com" 63736972742E6578616D706C652E636F6D
18 1D # unsigned(29) # "csirt.example.com"
04 # unsigned(4)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 2D # unsigned(45) 14 # unsigned(20)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 31 # unsigned(49) 18 18 # unsigned(24)
81 # array(1) 81 # array(1)
78 1A # text(26) 78 1A # text(26)
54412D31322D414747524553534956452D425554544552464C59 54412D31322D414747524553534956452D425554544552464C59
# "TA-12-AGGRESSIVE-BUTTERFLY" # "TA-12-AGGRESSIVE-BUTTERFLY"
14 # unsigned(20) 24 # negative(4)
81 # array(1) 81 # array(1)
74 # text(20) 74 # text(20)
4167677265737369766520427574746572666C79 4167677265737369766520427574746572666C79
# "Aggressive Butterfly" # "Aggressive Butterfly"
18 2E # unsigned(46) 15 # unsigned(21)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 32 # unsigned(50) 18 19 # unsigned(25)
81 # array(1) 81 # array(1)
6C # text(12) 6C # text(12)
432D323031352D3539343035 432D323031352D3539343035
# "C-2015-59405" # "C-2015-59405"
14 # unsigned(20) 24 # negative(4)
81 # array(1) 81 # array(1)
6E # text(14) 6E # text(14)
4F72616E67652047697261666665 4F72616E67652047697261666665
# "Orange Giraffe" # "Orange Giraffe"
18 23 # unsigned(35) 0A # unsigned(10)
78 19 # text(25) 78 19 # text(25)
323031352D31302D30325431313A31383A30302D30353A3030 323031352D31302D30325431313A31383A30302D30353A3030
# "2015-10-02T11:18:00-05:00" # "2015-10-02T11:18:00-05:00"
14 # unsigned(20) 24 # negative(4)
81 # array(1) 81 # array(1)
78 70 # text(112) 78 6F # text(111)
53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F72207468650D0A4F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E 53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
# "Summarizes the Indicators of Compromise for the\r\nOrange Giraffe campaign of the Aggressive Butterfly crime gang." # "Summarizes the Indicators of
18 25 # unsigned(37) # Compromise for the Orange Giraffe
# campaign of the Aggressive
# Butterfly crime gang."
0C # unsigned(12)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 58 # unsigned(88) 18 3F # unsigned(63)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 5A # unsigned(90) 18 41 # unsigned(65)
A1 # map(1) A1 # map(1)
18 35 # unsigned(53) 18 1C # unsigned(28)
72 # text(18) 72 # text(18)
6272656163682D70726F7072696574617279 6272656163682D70726F7072696574617279
# "breach-proprietary" # "breach-proprietary"
18 27 # unsigned(39) 0E # unsigned(14)
81 # array(1) 81 # array(1)
A4 # map(4) A4 # map(4)
18 35 # unsigned(53) 18 1C # unsigned(28)
6C # text(12) 6C # text(12)
6F7267616E697A6174696F6E # "organization" 6F7267616E697A6174696F6E
18 33 # unsigned(51) # "organization"
18 1A # unsigned(26)
67 # text(7) 67 # text(7)
63726561746F72 # "creator" 63726561746F72 # "creator"
18 37 # unsigned(55) 18 1E # unsigned(30)
81 # array(1) 81 # array(1)
75 # text(21) 75 # text(21)
435349525420666F72206578616D706C652E636F6D 435349525420666F72206578616D706C652E636F6D
# "CSIRT for example.com" # "CSIRT for example.com"
18 3B # unsigned(59) 18 22 # unsigned(34)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 42 # unsigned(66) 18 29 # unsigned(41)
78 19 # text(25) 78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D 636F6E746163744063736972742E6578616D706C652E636F6D
# "contact@csirt.example.com" # "contact@csirt.example.com"
18 29 # unsigned(41) 10 # unsigned(16)
81 # array(1) 81 # array(1)
A4 # map(4) A4 # map(4)
18 2F # unsigned(47) 16 # unsigned(22)
A3 # map(3) A3 # map(3)
18 2B # unsigned(43) 12 # unsigned(18)
69 # text(9) 69 # text(9)
473930383233343930 # "G90823490" 473930383233343930 # "G90823490"
0A # unsigned(10) 2E # negative(14)
71 # text(17) 71 # text(17)
63736972742E6578616D706C652E636F6D 63736972742E6578616D706C652E636F6D
# "csirt.example.com" # "csirt.example.com"
01 # unsigned(1) 37 # negative(23)
61 # text(1) 61 # text(1)
31 # "1" 31 # "1"
14 # unsigned(20) 24 # negative(4)
81 # array(1) 81 # array(1)
6A # text(10) 6A # text(10)
433220646F6D61696E73 # "C2 domains" 433220646F6D61696E73 # "C2 domains"
18 1F # unsigned(31) 06 # unsigned(6)
78 19 # text(25) 78 19 # text(25)
323031342D31322D30325431313A31383A30302D30353A3030 323031342D31322D30325431313A31383A30302D30353A3030
# "2014-12-02T11:18:00-05:00" # "2014-12-02T11:18:00-05:00"
18 C4 # unsigned(196) 18 AB # unsigned(171)
A1 # map(1) A1 # map(1)
18 C9 # unsigned(201) 18 B0 # unsigned(176)
A2 # map(2) A2 # map(2)
18 35 # unsigned(53) 18 1C # unsigned(28)
6B # text(11) 6B # text(11)
646F6D61696E2D6E616D65 # "domain-name" 646F6D61696E2D6E616D65
18 CB # unsigned(203) # "domain-name"
18 B2 # unsigned(178)
78 1A # text(26) 78 1A # text(26)
6B6A3239303032336A30397233342E6578616D706C652E636F6D 6B6A3239303032336A30397233342E6578616D706C652E636F6D
# "kj290023j09r34.example.com" # "kj290023j09r34.example.com"
Figure 7: Indicators from a Campaign in CBOR Figure 7: Indicators from a Campaign in CBOR
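Review bot: Please confirm that the JSON Description in Figure 6 was changed to match the new Figure 7 encoding: the Description went from text(112) to text(111) because the "0D0A" (CRLF) between "for the" and "Orange Giraffe" was replaced by a single "20" (space), so the two figures now encode different strings unless the JSON side was updated the same way. The CBOR and JSON examples are presented as the same document in two encodings, so a byte-for-byte round trip between them should still hold.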
5. Mapkeys 5. Mapkeys
The mapkeys are provided in Table Figure 8 for minimizing the CBOR The mapkeys are provided in Table Figure 8 for minimizing the CBOR
size. size.
+---------------------------------+-------+ +-----------------------------------+-------+
|mapkey |cborkey| |mapkey |cborkey|
+---------------------------------+-------+ +-----------------------------------+-------+
|iodef-version |1 | | iodef-version | -24 |
|iodef-lang |2 | | iodef-lang | -23 |
|iodef-format-id |3 | | iodef-format-id | -22 |
|iodef-private-enum-name |4 | | iodef-private-enum-name | -21 |
|iodef-private-enum-id |5 | | iodef-private-enum-id | -20 |
|iodef-Incident |6 | | iodef-Incident | -19 |
|iodef-AdditionalData |7 | | iodef-AdditionalData | -18 |
|iodef-value |8 | | iodef-value | -17 |
|iodef-translation-id |9 | | iodef-translation-id | -16 |
|iodef-name |10 | | iodef-name | -15 |
|iodef-dtype |11 | | iodef-dtype | -14 |
|iodef-ext-dtype |12 | | iodef-ext-dtype | -13 |
|iodef-meaning |13 | | iodef-meaning | -12 |
|iodef-formatid |14 | | iodef-formatid | -11 |
|iodef-restriction |15 | | iodef-restriction | -10 |
|iodef-ext-restriction |16 | | iodef-ext-restriction | -9 |
|iodef-observable-id |17 | | iodef-observable-id | -8 |
|iodef-SoftwareReference |18 | | iodef-SoftwareReference | -7 |
|iodef-URL |19 | | iodef-URL | -6 |
|iodef-Description |20 | | iodef-Description | -5 |
|iodef-spec-name |21 | | iodef-spec-name | -4 |
|iodef-ext-spec-name |22 | | iodef-ext-spec-name | -3 |
|iodef-purpose |23 | | iodef-purpose | -2 |
|iodef-ext-purpose |24 | | iodef-ext-purpose | -1 |
|iodef-status |25 | | iodef-status | 0 |
|iodef-ext-status |26 | | iodef-ext-status | 1 |
|iodef-IncidentID |27 | | iodef-IncidentID | 2 |
|iodef-AlternativeID |28 | | iodef-AlternativeID | 3 |
|iodef-RelatedActivity |29 | | iodef-RelatedActivity | 4 |
|iodef-DetectTime |30 | | iodef-DetectTime | 5 |
|iodef-StartTime |31 | | iodef-StartTime | 6 |
|iodef-EndTime |32 | | iodef-EndTime | 7 |
|iodef-RecoveryTime |33 | | iodef-RecoveryTime | 8 |
|iodef-ReportTime |34 | | iodef-ReportTime | 9 |
|iodef-GenerationTime |35 | | iodef-GenerationTime | 10 |
|iodef-Discovery |36 | | iodef-Discovery | 11 |
|iodef-Assessment |37 | | iodef-Assessment | 12 |
|iodef-Method |38 | | iodef-Method | 13 |
|iodef-Contact |39 | | iodef-Contact | 14 |
|iodef-EventData |40 | | iodef-EventData | 15 |
|iodef-Indicator |41 | | iodef-Indicator | 16 |
|iodef-History |42 | | iodef-History | 17 |
|iodef-id |43 | | iodef-id | 18 |
|iodef-instance |44 | | iodef-instance | 19 |
|iodef-ThreatActor |45 | | iodef-ThreatActor | 20 |
|iodef-Campaign |46 | | iodef-Campaign | 21 |
|iodef-IndicatorID |47 | | iodef-IndicatorID | 22 |
|iodef-Confidence |48 | | iodef-Confidence | 23 |
|iodef-ThreatActorID |49 | | iodef-ThreatActorID | 24 |
|iodef-CampaignID |50 | | iodef-CampaignID | 25 |
|iodef-role |51 | | iodef-role | 26 |
|iodef-ext-role |52 | | iodef-ext-role | 27 |
|iodef-type |53 | | iodef-type | 28 |
|iodef-ext-type |54 | | iodef-ext-type | 29 |
|iodef-ContactName |55 | | iodef-ContactName | 30 |
|iodef-ContactTitle |56 | | iodef-ContactTitle | 31 |
|iodef-RegistryHandle |57 | | iodef-RegistryHandle | 32 |
|iodef-PostalAddress |58 | | iodef-PostalAddress | 33 |
|iodef-Email |59 | | iodef-Email | 34 |
|iodef-Telephone |60 | | iodef-Telephone | 35 |
|iodef-Timezone |61 | | iodef-Timezone | 36 |
|iodef-handle |62 | | iodef-handle | 37 |
|iodef-registry |63 | | iodef-registry | 38 |
|iodef-ext-registry |64 | | iodef-ext-registry | 39 |
|iodef-PAddress |65 | | iodef-PAddress | 40 |
|iodef-EmailTo |66 | | iodef-EmailTo | 41 |
|iodef-TelephoneNumber |67 | | iodef-TelephoneNumber | 42 |
|iodef-source |68 | | iodef-source | 43 |
|iodef-ext-source |69 | | iodef-ext-source | 44 |
|iodef-DetectionPattern |70 | | iodef-DetectionPattern | 45 |
|iodef-DetectionConfiguration |71 | | iodef-DetectionConfiguration | 46 |
|iodef-Application |72 | | iodef-Application | 47 |
|iodef-Reference |73 | | iodef-Reference | 48 |
|iodef-AttackPattern |74 | | iodef-AttackPattern | 49 |
|iodef-Vulnerability |75 | | iodef-Vulnerability | 50 |
|iodef-Weakness |76 | | iodef-Weakness | 51 |
|iodef-SpecID |77 | | iodef-SpecID | 52 |
|iodef-ext-SpecID |78 | | iodef-ext-SpecID | 53 |
|iodef-ContentID |79 | | iodef-ContentID | 54 |
|iodef-RawData |80 | | iodef-RawData | 55 |
|iodef-Platform |81 | | iodef-Platform | 56 |
|iodef-Scoring |82 | | iodef-Scoring | 57 |
|iodef-ReferenceName |83 | | iodef-ReferenceName | 58 |
|iodef-specIndex |84 | | iodef-specIndex | 59 |
|iodef-ID |85 | | iodef-ID | 60 |
|iodef-occurrence |86 | | iodef-occurrence | 61 |
|iodef-IncidentCategory |87 | | iodef-IncidentCategory | 62 |
|iodef-Impact |88 | | iodef-Impact | 63 |
|iodef-SystemImpact |89 | | iodef-SystemImpact | 64 |
|iodef-BusinessImpact |90 | | iodef-BusinessImpact | 65 |
|iodef-TimeImpact |91 | | iodef-TimeImpact | 66 |
|iodef-MonetaryImpact |92 | | iodef-MonetaryImpact | 67 |
|iodef-IntendedImpact |93 | | iodef-IntendedImpact | 68 |
|iodef-Counter |94 | | iodef-Counter | 69 |
|iodef-MitigatingFactor |95 | | iodef-MitigatingFactor | 70 |
|iodef-Cause |96 | | iodef-Cause | 71 |
|iodef-severity |97 | | iodef-severity | 72 |
|iodef-completion |98 | | iodef-completion | 73 |
|iodef-ext-severity |99 | | iodef-ext-severity | 74 |
|iodef-metric |100 | | iodef-metric | 75 |
|iodef-ext-metric |101 | | iodef-ext-metric | 76 |
|iodef-duration |102 | | iodef-duration | 77 |
|iodef-ext-duration |103 | | iodef-ext-duration | 78 |
|iodef-currency |104 | | iodef-currency | 79 |
|iodef-rating |105 | | iodef-rating | 80 |
|iodef-ext-rating |106 | | iodef-ext-rating | 81 |
|iodef-HistoryItem |107 | | iodef-HistoryItem | 82 |
|iodef-action |108 | | iodef-action | 83 |
|iodef-ext-action |109 | | iodef-ext-action | 84 |
|iodef-DateTime |110 | | iodef-DateTime | 85 |
|iodef-DefinedCOA |111 | | iodef-DefinedCOA | 86 |
|iodef-System |112 | | iodef-System | 87 |
|iodef-Expectation |113 | | iodef-Expectation | 88 |
|iodef-RecordData |114 | | iodef-RecordData | 89 |
|iodef-category |115 | | iodef-category | 90 |
|iodef-ext-category |116 | | iodef-ext-category | 91 |
|iodef-interface |117 | | iodef-interface | 92 |
|iodef-spoofed |118 | | iodef-spoofed | 93 |
|iodef-virtual |119 | | iodef-virtual | 94 |
|iodef-ownership |120 | | iodef-ownership | 95 |
|iodef-ext-ownership |121 | | iodef-ext-ownership | 96 |
|iodef-Node |122 | | iodef-Node | 97 |
|iodef-NodeRole |123 | | iodef-NodeRole | 98 |
|iodef-Service |124 | | iodef-Service | 99 |
|iodef-OperatingSystem |125 | | iodef-OperatingSystem | 100 |
|iodef-AssetID |126 | | iodef-AssetID | 101 |
|iodef-DomainData |127 | | iodef-DomainData | 102 |
|iodef-Address |128 | | iodef-Address | 103 |
|iodef-Location |129 | | iodef-Location | 104 |
|iodef-vlan-name |130 | | iodef-vlan-name | 105 |
|iodef-vlan-num |131 | | iodef-vlan-num | 106 |
|iodef-unit |132 | | iodef-unit | 107 |
|iodef-ext-unit |133 | | iodef-ext-unit | 108 |
|iodef-system-status |134 | | iodef-system-status | 109 |
|iodef-ext-system-status |135 | | iodef-ext-system-status | 110 |
|iodef-domain-status |136 | | iodef-domain-status | 111 |
|iodef-ext-domain-status |137 | | iodef-ext-domain-status | 112 |
|iodef-Name |138 | | iodef-Name | 113 |
|iodef-DateDomainWasChecked |139 | | iodef-DateDomainWasChecked | 114 |
|iodef-RegistrationDate |140 | | iodef-RegistrationDate | 115 |
|iodef-ExpirationDate |141 | | iodef-ExpirationDate | 116 |
|iodef-RelatedDNS |142 | | iodef-RelatedDNS | 117 |
|iodef-NameServers |143 | | iodef-NameServers | 118 |
|iodef-DomainContacts |144 | | iodef-DomainContacts | 119 |
|iodef-Server |145 | | iodef-Server | 120 |
|iodef-SameDomainContact |146 | | iodef-SameDomainContact | 121 |
|iodef-ip-protocol |147 | | iodef-ip-protocol | 122 |
|iodef-ServiceName |148 | | iodef-ServiceName | 123 |
|iodef-Port |149 | | iodef-Port | 124 |
|iodef-Portlist |150 | | iodef-Portlist | 125 |
|iodef-ProtoCode |151 | | iodef-ProtoCode | 126 |
|iodef-ProtoType |152 | | iodef-ProtoType | 127 |
|iodef-ProtoField |153 | | iodef-ProtoField | 128 |
|iodef-ApplicationHeaderField |154 | | iodef-ApplicationHeaderField | 129 |
|iodef-EmailData |155 | | iodef-EmailData | 130 |
|iodef-IANAService |156 | | iodef-IANAService | 131 |
|iodef-EmailFrom |157 | | iodef-EmailFrom | 132 |
|iodef-EmailSubject |158 | | iodef-EmailSubject | 133 |
|iodef-EmailX-Mailer |159 | | iodef-EmailX-Mailer | 134 |
|iodef-EmailHeaderField |160 | | iodef-EmailHeaderField | 135 |
|iodef-EmailHeaders |161 | | iodef-EmailHeaders | 136 |
|iodef-EmailBody |162 | | iodef-EmailBody | 137 |
|iodef-EmailMessage |163 | | iodef-EmailMessage | 138 |
|iodef-HashData |164 | | iodef-HashData | 139 |
|iodef-Signature |165 | | iodef-Signature | 140 |
|iodef-RecordPattern |166 | | iodef-RecordPattern | 141 |
|iodef-RecordItem |167 | | iodef-RecordItem | 142 |
|iodef-FileData |168 | | iodef-FileData | 143 |
|iodef-WindowsRegistryKeysModified|169 | | iodef-WindowsRegistryKeysModified | 169 |
|iodef-CertificateData |170 | | iodef-CertificateData | 145 |
|iodef-offset |171 | | iodef-offset | 146 |
|iodef-offsetunit |172 | | iodef-offsetunit | 147 |
|iodef-ext-offsetunit |173 | | iodef-ext-offsetunit | 148 |
|iodef-Key |174 | | iodef-Key | 149 |
|iodef-registryaction |175 | | iodef-registryaction | 150 |
|iodef-ext-registryaction |176 | | iodef-ext-registryaction | 151 |
|iodef-KeyName |177 | | iodef-KeyName | 152 |
|iodef-KeyValue |178 | | iodef-KeyValue | 153 |
|iodef-Certificate |179 | | iodef-Certificate | 154 |
|iodef-X509Data |180 | | iodef-X509Data | 155 |
|iodef-File |181 | | iodef-File | 156 |
|iodef-FileName |182 | | iodef-FileName | 157 |
|iodef-FileSize |183 | | iodef-FileSize | 158 |
|iodef-FileType |184 | | iodef-FileType | 159 |
|iodef-AssociatedSoftware |185 | | iodef-AssociatedSoftware | 160 |
|iodef-FileProperties |186 | | iodef-FileProperties | 161 |
|iodef-scope |187 | | iodef-scope | 162 |
|iodef-HashTargetID |188 | | iodef-HashTargetID | 163 |
|iodef-Hash |189 | | iodef-Hash | 164 |
|iodef-FuzzyHash |190 | | iodef-FuzzyHash | 165 |
|iodef-DigestMethod |191 | | iodef-DigestMethod | 166 |
|iodef-DigestValue |192 | | iodef-DigestValue | 167 |
|iodef-CanonicalizationMethod |193 | | iodef-CanonicalizationMethod | 168 |
|iodef-FuzzyHashValue |194 | | iodef-FuzzyHashValue | 169 |
|iodef-AlternativeIndicatorID |195 | | iodef-AlternativeIndicatorID | 170 |
|iodef-Observable |196 | | iodef-Observable | 171 |
|iodef-uid-ref |197 | | iodef-uid-ref | 172 |
|iodef-IndicatorExpression |198 | | iodef-IndicatorExpression | 173 |
|iodef-IndicatorReference |199 | | iodef-IndicatorReference | 174 |
|iodef-AttackPhase |200 | | iodef-AttackPhase | 175 |
|iodef-BulkObservable |201 | | iodef-BulkObservable | 176 |
|iodef-BulkObservableFormat |202 | | iodef-BulkObservableFormat | 177 |
|iodef-BulkObservableList |203 | | iodef-BulkObservableList | 178 |
|iodef-operator |204 | | iodef-operator | 179 |
|iodef-ext-operator |205 | | iodef-ext-operator | 180 |
|iodef-euid-ref |206 | | iodef-euid-ref | 181 |
|iodef-AttackPhaseID |207 | | iodef-AttackPhaseID | 182 |
+---------------------------------+-------+ +-----------------------------------+-------+
Figure 8: Mapkeys Figure 8: Mapkeys
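Review bot: The new cborkey column is wrong at iodef-WindowsRegistryKeysModified, which is given 169 between iodef-FileData (143) and iodef-CertificateData (145); every other row is the old value minus 25 (1 became -24, 207 became 182), so this row should read 144. As written, 169 collides with iodef-FuzzyHashValue, which is also 169, and a decoder driven by this table cannot tell the two classes apart; the CDDL in Section 6 should be checked for the same slip. Also, "The mapkeys are provided in Table Figure 8" should be "in Figure 8".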
6. The IODEF Data Model (CDDL) 6. The IODEF Data Model (CDDL)
This section provides the IODEF data model. Note that mapkeys are This section provides the IODEF data model. Note that mapkeys are
described at the beginning of the CDDL data model for better described at the beginning of the CDDL data model for better
readability. readability.
start = iodef start = iodef
;;; iodef.json: IODEF-Document ;;; iodef.json: IODEF-Document
iodef-version = 1 iodef-version = -24
iodef-lang = 2 iodef-lang = -23
iodef-format-id = 3 iodef-format-id = -22
iodef-private-enum-name = 4 iodef-private-enum-name = -21
iodef-private-enum-id = 5 iodef-private-enum-id = -20
iodef-Incident = 6 iodef-Incident = -19
iodef-AdditionalData = 7 iodef-AdditionalData = -18
iodef-value = 8 iodef-value = -17
iodef-translation-id = 9 iodef-translation-id = -16
iodef-name = 10 iodef-name = -15
iodef-dtype = 11 iodef-dtype = -14
iodef-ext-dtype = 12 iodef-ext-dtype = -13
iodef-meaning = 13 iodef-meaning = -12
iodef-formatid = 14 iodef-formatid = -11
iodef-restriction = 15 iodef-restriction = -10
iodef-ext-restriction = 16 iodef-ext-restriction = -9
iodef-observable-id = 17 iodef-observable-id = -8
iodef-SoftwareReference = 18 iodef-SoftwareReference = -7
iodef-URL = 19 iodef-URL = -6
iodef-Description = 20 iodef-Description = -5
iodef-spec-name = 21 iodef-spec-name = -4
iodef-ext-spec-name = 22 iodef-ext-spec-name = -3
iodef-purpose = 23 iodef-purpose = -2
iodef-ext-purpose = 24 iodef-ext-purpose = -1
iodef-status = 25 iodef-status = 0
iodef-ext-status = 26 iodef-ext-status = 1
iodef-IncidentID = 27 iodef-IncidentID = 2
iodef-AlternativeID = 28 iodef-AlternativeID = 3
iodef-RelatedActivity = 29 iodef-RelatedActivity = 4
iodef-DetectTime = 30 iodef-DetectTime = 5
iodef-StartTime = 31 iodef-StartTime = 6
iodef-EndTime = 32 iodef-EndTime = 7
iodef-RecoveryTime = 33 iodef-RecoveryTime = 8
iodef-ReportTime = 34 iodef-ReportTime = 9
iodef-GenerationTime = 35 iodef-GenerationTime = 10
iodef-Discovery = 36 iodef-Discovery = 11
iodef-Assessment = 37 iodef-Assessment = 12
iodef-Method = 38 iodef-Method = 13
iodef-Contact = 39 iodef-Contact = 14
iodef-EventData = 40 iodef-EventData = 15
iodef-Indicator = 41 iodef-Indicator = 16
iodef-History = 42 iodef-History = 17
iodef-id = 43 iodef-id = 18
iodef-instance = 44 iodef-instance = 19
iodef-ThreatActor = 45 iodef-ThreatActor = 20
iodef-Campaign = 46 iodef-Campaign = 21
iodef-IndicatorID = 47 iodef-IndicatorID = 22
iodef-Confidence = 48 iodef-Confidence = 23
iodef-ThreatActorID = 49 iodef-ThreatActorID = 24
iodef-CampaignID = 50 iodef-CampaignID = 25
iodef-role = 51 iodef-role = 26
iodef-ext-role = 52 iodef-ext-role = 27
iodef-type = 53 iodef-type = 28
iodef-ext-type = 54 iodef-ext-type = 29
iodef-ContactName = 55 iodef-ContactName = 30
iodef-ContactTitle = 56 iodef-ContactTitle = 31
iodef-RegistryHandle = 57 iodef-RegistryHandle = 32
iodef-PostalAddress = 58 iodef-PostalAddress = 33
iodef-Email = 59 iodef-Email = 34
iodef-Telephone = 60 iodef-Telephone = 35
iodef-Timezone = 61 iodef-Timezone = 36
iodef-handle = 62 iodef-handle = 37
iodef-registry = 63 iodef-registry = 38
iodef-ext-registry = 64 iodef-ext-registry = 39
iodef-PAddress = 65 iodef-PAddress = 40
iodef-EmailTo = 66 iodef-EmailTo = 41
iodef-TelephoneNumber = 67 iodef-TelephoneNumber = 42
iodef-source = 68 iodef-source = 43
iodef-ext-source = 69 iodef-ext-source = 44
iodef-DetectionPattern = 70 iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 71 iodef-DetectionConfiguration = 46
iodef-Application = 72 iodef-Application = 47
iodef-Reference = 73 iodef-Reference = 48
iodef-AttackPattern = 74 iodef-AttackPattern = 49
iodef-Vulnerability = 75 iodef-Vulnerability = 50
iodef-Weakness = 76 iodef-Weakness = 51
iodef-SpecID = 77 iodef-SpecID = 52
iodef-ext-SpecID = 78 iodef-ext-SpecID = 53
iodef-ContentID = 79 iodef-ContentID = 54
iodef-RawData = 80 iodef-RawData = 55
iodef-Platform = 81 iodef-Platform = 56
iodef-Scoring = 82 iodef-Scoring = 57
iodef-ReferenceName = 83 iodef-ReferenceName = 58
iodef-specIndex = 84 iodef-specIndex = 59
iodef-ID = 85 iodef-ID = 60
iodef-occurrence = 86 iodef-occurrence = 61
iodef-IncidentCategory = 87 iodef-IncidentCategory = 62
iodef-Impact = 88 iodef-Impact = 63
iodef-SystemImpact = 89 iodef-SystemImpact = 64
iodef-BusinessImpact = 90 iodef-BusinessImpact = 65
iodef-TimeImpact = 91 iodef-TimeImpact = 66
iodef-MonetaryImpact = 92 iodef-MonetaryImpact = 67
iodef-IntendedImpact = 93 iodef-IntendedImpact = 68
iodef-Counter = 94 iodef-Counter = 69
iodef-MitigatingFactor = 95 iodef-MitigatingFactor = 70
iodef-Cause = 96 iodef-Cause = 71
iodef-severity = 97 iodef-severity = 72
iodef-completion = 98 iodef-completion = 73
iodef-ext-severity = 99 iodef-ext-severity = 74
iodef-metric = 100 iodef-metric = 75
iodef-ext-metric = 101 iodef-ext-metric = 76
iodef-duration = 102 iodef-duration = 77
iodef-ext-duration = 103 iodef-ext-duration = 78
iodef-currency = 104 iodef-currency = 79
iodef-rating = 105 iodef-rating = 80
iodef-ext-rating = 106 iodef-ext-rating = 81
iodef-HistoryItem = 107 iodef-HistoryItem = 82
iodef-action = 108 iodef-action = 83
iodef-ext-action = 109 iodef-ext-action = 84
iodef-DateTime = 110 iodef-DateTime = 85
iodef-DefinedCOA = 111 iodef-DefinedCOA = 86
iodef-System = 112 iodef-System = 87
iodef-Expectation = 113 iodef-Expectation = 88
iodef-RecordData = 114 iodef-RecordData = 89
iodef-category = 115 iodef-category = 90
iodef-ext-category = 116 iodef-ext-category = 91
iodef-interface = 117 iodef-interface = 92
iodef-spoofed = 118 iodef-spoofed = 93
iodef-virtual = 119 iodef-virtual = 94
iodef-ownership = 120 iodef-ownership = 95
iodef-ext-ownership = 121 iodef-ext-ownership = 96
iodef-Node = 122 iodef-Node = 97
iodef-NodeRole = 123 iodef-NodeRole = 98
iodef-Service = 124 iodef-Service = 99
iodef-OperatingSystem = 125 iodef-OperatingSystem = 100
iodef-AssetID = 126 iodef-AssetID = 101
iodef-DomainData = 127 iodef-DomainData = 102
iodef-Address = 128 iodef-Address = 103
iodef-Location = 129 iodef-Location = 104
iodef-vlan-name = 130 iodef-vlan-name = 105
iodef-vlan-num = 131 iodef-vlan-num = 106
iodef-unit = 132 iodef-unit = 107
iodef-ext-unit = 133 iodef-ext-unit = 108
iodef-system-status = 134 iodef-system-status = 109
iodef-ext-system-status = 135 iodef-ext-system-status = 110
iodef-domain-status = 136 iodef-domain-status = 111
iodef-ext-domain-status = 137 iodef-ext-domain-status = 112
iodef-Name = 138 iodef-Name = 113
iodef-DateDomainWasChecked = 139 iodef-DateDomainWasChecked = 114
iodef-RegistrationDate = 140 iodef-RegistrationDate = 115
iodef-ExpirationDate = 141 iodef-ExpirationDate = 116
iodef-RelatedDNS = 142 iodef-RelatedDNS = 117
iodef-NameServers = 143 iodef-NameServers = 118
iodef-DomainContacts = 144 iodef-DomainContacts = 119
iodef-Server = 145 iodef-Server = 120
iodef-SameDomainContact = 146 iodef-SameDomainContact = 121
iodef-ip-protocol = 147 iodef-ip-protocol = 122
iodef-ServiceName = 148 iodef-ServiceName = 123
iodef-Port = 149 iodef-Port = 124
iodef-Portlist = 150 iodef-Portlist = 125
iodef-ProtoCode = 151 iodef-ProtoCode = 126
iodef-ProtoType = 152 iodef-ProtoType = 127
iodef-ProtoField = 153 iodef-ProtoField = 128
iodef-ApplicationHeaderField = 154 iodef-ApplicationHeaderField = 129
iodef-EmailData = 155 iodef-EmailData = 130
iodef-IANAService = 156 iodef-IANAService = 131
iodef-EmailFrom = 157 iodef-EmailFrom = 132
iodef-EmailSubject = 158 iodef-EmailSubject = 133
iodef-EmailX-Mailer = 159 iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 160 iodef-EmailHeaderField = 135
iodef-EmailHeaders = 161 iodef-EmailHeaders = 136
iodef-EmailBody = 162 iodef-EmailBody = 137
iodef-EmailMessage = 163 iodef-EmailMessage = 138
iodef-HashData = 164 iodef-HashData = 139
iodef-Signature = 165 iodef-Signature = 140
iodef-RecordPattern = 166 iodef-RecordPattern = 141
iodef-RecordItem = 167 iodef-RecordItem = 142
iodef-FileData = 168 iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 169 iodef-WindowsRegistryKeysModified = 169
iodef-CertificateData = 170 iodef-CertificateData = 145
iodef-offset = 171 iodef-offset = 146
iodef-offsetunit = 172 iodef-offsetunit = 147
iodef-ext-offsetunit = 173 iodef-ext-offsetunit = 148
iodef-Key = 174 iodef-Key = 149
iodef-registryaction = 175 iodef-registryaction = 150
iodef-ext-registryaction = 176 iodef-ext-registryaction = 151
iodef-KeyName = 177 iodef-KeyName = 152
iodef-KeyValue = 178 iodef-KeyValue = 153
iodef-Certificate = 179 iodef-Certificate = 154
iodef-X509Data = 180 iodef-X509Data = 155
iodef-File = 181 iodef-File = 156
iodef-FileName = 182 iodef-FileName = 157
iodef-FileSize = 183 iodef-FileSize = 158
iodef-FileType = 184 iodef-FileType = 159
iodef-AssociatedSoftware = 185 iodef-AssociatedSoftware = 160
iodef-FileProperties = 186 iodef-FileProperties = 161
iodef-scope = 187 iodef-scope = 162
iodef-HashTargetID = 188 iodef-HashTargetID = 163
iodef-Hash = 189 iodef-Hash = 164
iodef-FuzzyHash = 190 iodef-FuzzyHash = 165
iodef-DigestMethod = 191 iodef-DigestMethod = 166
iodef-DigestValue = 192 iodef-DigestValue = 167
iodef-CanonicalizationMethod = 193 iodef-CanonicalizationMethod = 168
iodef-FuzzyHashValue = 194 iodef-FuzzyHashValue = 169
iodef-AlternativeIndicatorID = 195 iodef-AlternativeIndicatorID = 170
iodef-Observable = 196 iodef-Observable = 171
iodef-uid-ref = 197 iodef-uid-ref = 172
iodef-IndicatorExpression = 198 iodef-IndicatorExpression = 173
iodef-IndicatorReference = 199 iodef-IndicatorReference = 174
iodef-AttackPhase = 200 iodef-AttackPhase = 175
iodef-BulkObservable = 201 iodef-BulkObservable = 176
iodef-BulkObservableFormat = 202 iodef-BulkObservableFormat = 177
iodef-BulkObservableList = 203 iodef-BulkObservableList = 178
iodef-operator = 204 iodef-operator = 179
iodef-ext-operator = 205 iodef-ext-operator = 180
iodef-euid-ref = 206 iodef-euid-ref = 181
iodef-AttackPhaseID = 207 iodef-AttackPhaseID = 182
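The assignments above are the integer keys that the CBOR encoding of this binding substitutes for the iodef-* names. The first thing an implementer should check is that the table is injective, because two names sharing one integer cannot be told apart on decode; in the draft-14 (right-hand) column above, both iodef-WindowsRegistryKeysModified and iodef-FuzzyHashValue read 169. The following Python is an added example, not code from the draft: it parses a constructed excerpt of that column in the CDDL's `name = N` form, reports colliding integers, and converts a JSON-keyed object to integer keys, refusing a colliding map and any key the map does not cover. The sample Contact fragment and its values are constructed.

```python
from __future__ import annotations
import re
from typing import Any

# Constructed excerpt of the draft-14 integer-key assignments shown above,
# in the "name = N" form the CDDL uses (added example, not draft code).
MAPPING_TEXT = """
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-GenerationTime = 10
iodef-Contact = 14
iodef-role = 26
iodef-type = 28
iodef-Email = 34
iodef-EmailTo = 41
iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 169
iodef-CertificateData = 145
iodef-FuzzyHashValue = 169
"""

ASSIGNMENT_RE = re.compile(r"^\s*(iodef-[A-Za-z0-9-]+)\s*=\s*(\d+)\s*$")


def parse_key_map(text: str) -> dict[str, int]:
    """Parse "name = N" lines into a name -> integer map.

    A name that appears twice is rejected; that is a defect in the table
    itself, distinct from two names sharing one integer (see below)."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ASSIGNMENT_RE.match(line)
        if match is None:
            raise ValueError(f"not a key assignment: {line!r}")
        name, value = match.group(1), int(match.group(2))
        if name in mapping:
            raise ValueError(f"{name} is assigned more than once")
        mapping[name] = value
    return mapping


def find_collisions(mapping: dict[str, int]) -> dict[int, list[str]]:
    """Return every integer that more than one name maps to.

    A CBOR decoder cannot recover the key name for such an integer, so a
    usable table must make this function return an empty dict."""
    names_by_int = {}
    for name, value in mapping.items():
        names_by_int.setdefault(value, []).append(name)
    return {v: names for v, names in names_by_int.items() if len(names) > 1}


def to_int_keys(obj: Any, mapping: dict[str, int]) -> Any:
    """Replace iodef-* string keys with their integers throughout a JSON
    object, as an encoder producing the CBOR form would.

    Refuses a colliding map up front, and rejects keys the map does not
    cover instead of passing them through unchanged."""
    collisions = find_collisions(mapping)
    if collisions:
        raise ValueError(f"key map is not injective: {collisions}")
    return _convert(obj, mapping)


def _convert(obj: Any, mapping: dict[str, int]) -> Any:
    if isinstance(obj, dict):
        converted = {}
        for key, value in obj.items():
            if key not in mapping:
                raise KeyError(f"no integer key assigned for {key!r}")
            converted[mapping[key]] = _convert(value, mapping)
        return converted
    if isinstance(obj, list):
        return [_convert(item, mapping) for item in obj]
    return obj


# Constructed JSON fragment using only keys present in the excerpt.
SAMPLE = {
    "iodef-DetectTime": "2020-03-01T10:00:00+00:00",
    "iodef-Contact": [
        {"iodef-role": "creator", "iodef-type": "person",
         "iodef-Email": [{"iodef-EmailTo": "csirt@example.com"}]}
    ],
}


def demo() -> dict:
    """Convert SAMPLE with the colliding FuzzyHashValue entry dropped from
    the excerpt, which is what makes the table usable again."""
    table = parse_key_map(MAPPING_TEXT)
    clean = {k: v for k, v in table.items() if k != "iodef-FuzzyHashValue"}
    return to_int_keys(SAMPLE, clean)


if __name__ == "__main__":
    print(find_collisions(parse_key_map(MAPPING_TEXT)))
    print(demo())
```

The output of `to_int_keys` is the plain Python object you would hand to a CBOR encoder; the check runs before any encoding so that a bad table is caught at load time rather than when a decoder on the other side receives an ambiguous key.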
iodef = { iodef = {
iodef-version => text, iodef-version => text,
? iodef-lang => lang, ? iodef-lang => lang,
? iodef-format-id => text ? iodef-format-id => text
? iodef-private-enum-name => text, ? iodef-private-enum-name => text,
? iodef-private-enum-id => text, ? iodef-private-enum-id => text,
iodef-Incident => [+ Incident], iodef-Incident => [+ Incident],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
skipping to change at page 36, line 32 skipping to change at page 36, line 34
SoftwareType = { SoftwareType = {
? iodef-SoftwareReference => SoftwareReference, ? iodef-SoftwareReference => SoftwareReference,
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
SoftwareReference = { SoftwareReference = {
? iodef-value => text, ? iodef-value => text,
iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value", iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
? iodef-ext-spec-name => text, ? iodef-ext-spec-name => text,
? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
.default "string", "ext-value" .default "string",
? iodef-ext-dtype => text ? iodef-ext-dtype => text
} }
Incident = { Incident = {
iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / "other" / iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" /
"ext-value", "other" / "ext-value",
? iodef-ext-purpose => text, ? iodef-ext-purpose => text,
? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / "future" / ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
"ext-value", "future" / "ext-value",
? iodef-ext-status => text, ? iodef-ext-status => text,
? iodef-lang => lang, ? iodef-lang => lang,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
iodef-IncidentID => IncidentID, iodef-IncidentID => IncidentID,
? iodef-AlternativeID => AlternativeID, ? iodef-AlternativeID => AlternativeID,
? iodef-RelatedActivity => [+ RelatedActivity], ? iodef-RelatedActivity => [+ RelatedActivity],
? iodef-DetectTime => DATETIME, ? iodef-DetectTime => DATETIME,
? iodef-StartTime => DATETIME, ? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME, ? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME, ? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME, ? iodef-ReportTime => DATETIME,
iodef-GenerationTime => DATETIME, iodef-GenerationTime => DATETIME,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-Discovery => [+ Discovery], ? iodef-Discovery => [+ Discovery],
? iodef-Assessment => [+ Assessment], ? iodef-Assessment => [+ Assessment],
? iodef-Method => [+ Method], ? iodef-Method => [+ Method],
iodef-Contact => [+ Contact], iodef-Contact => [+ Contact],
? iodef-EventData => [+ EventData], ? iodef-EventData => [+ EventData],
? iodef-Indicator => [+ Indicator], ? iodef-Indicator => [+ Indicator],
? iodef-History => History, ? iodef-History => History,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
IncidentID = { IncidentID = {
iodef-id => text, iodef-id => text,
iodef-name => text, iodef-name => text,
? iodef-instance => text, ? iodef-instance => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text ? iodef-ext-restriction => text
skipping to change at page 39, line 19 skipping to change at page 39, line 22
} }
Telephone = { Telephone = {
? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value", ? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-TelephoneNumber => text, iodef-TelephoneNumber => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Discovery = { Discovery = {
? iodef-source => "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / ? iodef-source => "nidps" /"hips" /"siem" /"av" /"third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" / "incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investigation" / "audit" / "network-flow" / "passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" / "internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value", "leo" / "partner" / "actor" / "unknown" / "ext-value",
? iodef-ext-source => text, ? iodef-ext-source => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-Contact => [+ Contact], ? iodef-Contact => [+ Contact],
? iodef-DetectionPattern => [+ DetectionPattern] ? iodef-DetectionPattern => [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
(iodef-Description => [+ MLStringType], (iodef-Description => [+ MLStringType] // iodef-DetectionConfiguration => [+ text]),
iodef-DetectionConfiguration => [+ text]),
iodef-Application => SoftwareType iodef-Application => SoftwareType
} }
Method = { Method = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-Reference => [+ Reference], ? iodef-Reference => [+ Reference],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AttackPattern => [+ StructuredInfo], ? iodef-AttackPattern => [+ StructuredInfo],
? iodef-Vulnerability => [+ StructuredInfo], ? iodef-Vulnerability => [+ StructuredInfo],
skipping to change at page 39, line 50 skipping to change at page 40, line 4
Method = { Method = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-Reference => [+ Reference], ? iodef-Reference => [+ Reference],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AttackPattern => [+ StructuredInfo], ? iodef-AttackPattern => [+ StructuredInfo],
? iodef-Vulnerability => [+ StructuredInfo], ? iodef-Vulnerability => [+ StructuredInfo],
? iodef-Weakness => [+ StructuredInfo], ? iodef-Weakness => [+ StructuredInfo],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
StructuredInfo = { StructuredInfo = {
iodef-SpecID => SpecID, iodef-SpecID => SpecID,
? iodef-ext-SpecID => text, ? iodef-ext-SpecID => text,
? iodef-ContentID => text, ? iodef-ContentID => text,
? (iodef-RawData => [+ BYTE], ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
iodef-Reference => [+ Reference]),
? iodef-Platform => [+ Platform], ? iodef-Platform => [+ Platform],
? iodef-Scoring => [+ Scoring] ? iodef-Scoring => [+ Scoring]
} }
Platform = { Platform = {
iodef-SpecID => SpecID, iodef-SpecID => SpecID,
? iodef-ext-SpecID => text, ? iodef-ext-SpecID => text,
? iodef-ContentID => text, ? iodef-ContentID => text,
? iodef-RawData => [+ BYTE], ? iodef-RawData => [+ BYTE],
? iodef-Reference => [+ Reference] ? iodef-Reference => [+ Reference]
skipping to change at page 41, line 27 skipping to change at page 41, line 29
"breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-proprietary" / "breach-privacy" / "breach-credential" /
"breach-configuration" / "integrity-data" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown", "policy" / "unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
BusinessImpact = { BusinessImpact = {
? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / "ext-value" ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
.default "unknown",
? iodef-ext-severity => text,
iodef-type => "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" .default "unknown", "ext-value" .default "unknown",
? iodef-ext-severity => text,
iodef-type => "breach-proprietary" / "breach-privacy" /
"breach-credential" / "loss-of-integrity" / "loss-of-service" /
"theft-financial" / "theft-service" / "degraded-reputation" /
"asset-damage" / "asset-manipulation" / "legal" / "extortion" /
"unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
TimeImpact = { TimeImpact = {
iodef-value => PositiveFloatType, iodef-value => PositiveFloatType,
? iodef-severity => "low" / "medium" / "high", ? iodef-severity => "low" / "medium" / "high",
iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value", iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
? iodef-ext-metric => text, ? iodef-ext-metric => text,
? iodef-duration => duration .default "hour", ? iodef-duration => duration .default "hour",
skipping to change at page 43, line 42 skipping to change at page 43, line 45
? iodef-NodeRole => [+ NodeRole], ? iodef-NodeRole => [+ NodeRole],
? iodef-Service => [+ Service], ? iodef-Service => [+ Service],
? iodef-OperatingSystem => [+ SoftwareType], ? iodef-OperatingSystem => [+ SoftwareType],
? iodef-Counter => [+ Counter], ? iodef-Counter => [+ Counter],
? iodef-AssetID => [+ text], ? iodef-AssetID => [+ text],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Node = { Node = {
(iodef-DomainData => [+ DomainData], (iodef-DomainData => [+ DomainData] // iodef-Address => [+ Address]),
? iodef-Address => [+ Address] //
? iodef-DomainData => [+ DomainData],
iodef-Address => [+ Address]),
? iodef-PostalAddress => PostalAddress, ? iodef-PostalAddress => PostalAddress,
? iodef-Location => [+ MLStringType], ? iodef-Location => [+ MLStringType],
? iodef-Counter => [+ Counter] ? iodef-Counter => [+ Counter]
} }
Address = { Address = {
iodef-value => text, iodef-value => text,
iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
skipping to change at page 48, line 47 skipping to change at page 48, line 47
AlternativeIndicatorID = { AlternativeIndicatorID = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
iodef-IndicatorID => [+ IndicatorID] iodef-IndicatorID => [+ IndicatorID]
} }
Observable = { Observable = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? (iodef-System => System // iodef-Address => Address // iodef-DomainData => DomainData // ? (iodef-System => System // iodef-Address => Address //
iodef-EmailData => EmailData // iodef-Service => Service // iodef-DomainData => DomainData // iodef-EmailData => EmailData //
iodef-Service => Service //
iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified //
iodef-FileData => FileData // iodef-CertificateData => CertificateData // iodef-FileData => FileData //iodef-CertificateData => CertificateData //
iodef-RegistryHandle => RegistryHandle // iodef-RecordData => RecordData // iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>RecordData //
iodef-EventData => EventData // iodef-Incident => Incident // iodef-Expectation => Expectation // iodef-EventData => EventData // iodef-Incident => Incident //
iodef-Reference => Reference // iodef-Assessment => Assessment // iodef-Expectation => Expectation // iodef-Reference => Reference //
iodef-DetectionPattern => DetectionPattern // iodef-HistoryItem => HistoryItem // iodef-Assessment => Assessment //
iodef-BulkObservable => BulkObservable // iodef-AdditionalData => [+ ExtensionType]) iodef-DetectionPattern => DetectionPattern //
iodef-HistoryItem => HistoryItem //
iodef-BulkObservable => BulkObservable //
iodef-AdditionalData => [+ ExtensionType])
} }
BulkObservable = { BulkObservable = {
? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" / "windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" / "email-subject" / "http-user-agent" / "http-request-uri" /
skipping to change at page 50, line 22 skipping to change at page 50, line 25
This document provides a mapping from XML IODEF defined in [RFC7970] This document provides a mapping from XML IODEF defined in [RFC7970]
to JSON, and Section 3.2 describes several issues that arise when to JSON, and Section 3.2 describes several issues that arise when
converting XML IODEF and JSON IODEF. Though it does not provide any converting XML IODEF and JSON IODEF. Though it does not provide any
further security considerations than the one described in [RFC7970], further security considerations than the one described in [RFC7970],
implementers of this document should be aware of those issues to implementers of this document should be aware of those issues to
avoid any unintended outcome. avoid any unintended outcome.
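The Incident, IncidentID and DetectionPattern rules in the CDDL above pin down what a converter between the XML and JSON forms must preserve: the four keys Incident requires, the purpose and status enumerations, `[+ X]` arrays that may not be empty, DATETIME-typed times, the two keys IncidentID requires, the `.default "private"` restriction, and the Description // DetectionConfiguration choice in DetectionPattern. The following Python is an added example, not code from the draft, that checks a JSON IODEF Incident against exactly those rules; it assumes DATETIME values are ISO 8601 timestamp strings, and both sample documents are constructed.

```python
from __future__ import annotations
from datetime import datetime

# Enumerations and required keys taken from the Incident, IncidentID and
# DetectionPattern rules in the CDDL above (added example, not draft code).
PURPOSE = ("traceback", "mitigation", "reporting", "watch", "other", "ext-value")
STATUS = ("new", "in-progress", "forwarded", "resolved", "future", "ext-value")
INCIDENT_REQUIRED = ("iodef-purpose", "iodef-IncidentID",
                     "iodef-GenerationTime", "iodef-Contact")
# Keys typed [+ X]: when present, an array with at least one element.
INCIDENT_ARRAYS = ("iodef-RelatedActivity", "iodef-Description", "iodef-Discovery",
                   "iodef-Assessment", "iodef-Method", "iodef-Contact",
                   "iodef-EventData", "iodef-Indicator", "iodef-AdditionalData")
INCIDENT_TIMES = ("iodef-DetectTime", "iodef-StartTime", "iodef-EndTime",
                  "iodef-RecoveryTime", "iodef-ReportTime", "iodef-GenerationTime")


def is_datetime(value) -> bool:
    """Assumption: DATETIME is an ISO 8601 timestamp string; 'Z' means UTC."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def validate_detection_pattern(dp: dict, where: str) -> list[str]:
    """(Description // DetectionConfiguration) is a choice: exactly one of
    the two must be present, and iodef-Application is always required."""
    errors = []
    if ("iodef-Description" in dp) == ("iodef-DetectionConfiguration" in dp):
        errors.append(f"{where}: exactly one of iodef-Description or "
                      "iodef-DetectionConfiguration is required")
    if "iodef-Application" not in dp:
        errors.append(f"{where}: iodef-Application is required")
    return errors


def validate_incident(inc: dict) -> list[str]:
    """Return every violation found; an empty list means the object passes
    the top-level Incident checks implemented here."""
    errors = []
    for key in INCIDENT_REQUIRED:
        if key not in inc:
            errors.append(f"missing required key {key}")
    if "iodef-purpose" in inc and inc["iodef-purpose"] not in PURPOSE:
        errors.append(f"iodef-purpose {inc['iodef-purpose']!r} is not in the enumeration")
    if "iodef-status" in inc and inc["iodef-status"] not in STATUS:
        errors.append(f"iodef-status {inc['iodef-status']!r} is not in the enumeration")
    for key in INCIDENT_ARRAYS:
        if key in inc and (not isinstance(inc[key], list) or not inc[key]):
            errors.append(f"{key} must be a non-empty array")
    for key in INCIDENT_TIMES:
        if key in inc and not is_datetime(inc[key]):
            errors.append(f"{key} is not a DATETIME")
    iid = inc.get("iodef-IncidentID")
    if isinstance(iid, dict):
        for key in ("iodef-id", "iodef-name"):
            if key not in iid:
                errors.append(f"iodef-IncidentID is missing required key {key}")
    elif iid is not None:
        errors.append("iodef-IncidentID must be an object")
    discoveries = inc.get("iodef-Discovery")
    for i, disc in enumerate(discoveries if isinstance(discoveries, list) else []):
        patterns = disc.get("iodef-DetectionPattern", []) if isinstance(disc, dict) else []
        for j, dp in enumerate(patterns):
            if isinstance(dp, dict):
                errors += validate_detection_pattern(dp, f"Discovery[{i}].DetectionPattern[{j}]")
    return errors


def effective_restriction(obj: dict) -> str:
    """restriction .default "private": an absent key means private, which a
    consumer must honour rather than treating the field as unset."""
    return obj.get("iodef-restriction", "private")


# Constructed sample documents (values are illustrative only).
GOOD_INCIDENT = {
    "iodef-purpose": "reporting",
    "iodef-IncidentID": {"iodef-id": "189493", "iodef-name": "csirt.example.com"},
    "iodef-GenerationTime": "2020-03-01T10:00:00+00:00",
    "iodef-Contact": [{"iodef-role": "creator", "iodef-type": "organization"}],
    "iodef-Discovery": [{"iodef-source": "nidps", "iodef-DetectionPattern": [
        {"iodef-Description": [{"iodef-value": "IDS alert"}],
         "iodef-Application": {"iodef-Description": [{"iodef-value": "example IDS"}]}}]}],
}
BAD_INCIDENT = {
    "iodef-purpose": "investigation",             # not in the enumeration
    "iodef-IncidentID": {"iodef-id": "189494"},   # iodef-name missing
    "iodef-GenerationTime": "yesterday",          # not a DATETIME
    "iodef-Contact": [],                          # [+ Contact] needs one element
    "iodef-Discovery": [{"iodef-DetectionPattern": [
        {"iodef-Description": [{"iodef-value": "x"}],
         "iodef-DetectionConfiguration": ["y"]}]}],  # both halves of the choice, no Application
}

if __name__ == "__main__":
    print(validate_incident(GOOD_INCIDENT))
    print(validate_incident(BAD_INCIDENT))
```

Run on a document after conversion from XML, an empty list says the structural rules shown here survived the trip; the restriction default is reported separately because a consumer that reads an absent key as "no restriction" rather than "private" is exactly the kind of unintended outcome the paragraph above warns about.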
9. Acknowledgments 9. Acknowledgments
We would like to thank Henk Birkholz, Carsten Bormann, Benjamin We would like to thank Henk Birkholz, Carsten Bormann, Benjamin
Kaduk, Yasuaki Morita, and Takahiko Nagata for their insightful Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their
comments on this document and CDDL. insightful comments on this document and CDDL.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
 End of changes. 77 change blocks. 
520 lines changed or deleted 524 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/