draft-ietf-mile-jsoniodef-14.txt   rfc8727.txt 
MILE T. Takahashi Internet Engineering Task Force (IETF) T. Takahashi
Internet-Draft NICT Request for Comments: 8727 NICT
Intended status: Standards Track R. Danyliw Category: Standards Track R. Danyliw
Expires: September 2, 2020 CERT ISSN: 2070-1721 CERT
M. Suzuki M. Suzuki
NICT NICT
March 1, 2020 August 2020
JSON binding of IODEF JSON Binding of the Incident Object Description Exchange Format
draft-ietf-mile-jsoniodef-14
Abstract Abstract
The Incident Object Description Exchange Format defined in RFC 7970 The Incident Object Description Exchange Format (IODEF) defined in
provides an information model and a corresponding XML data model for RFC 7970 provides an information model and a corresponding XML data
exchanging incident and indicator information. This draft gives model for exchanging incident and indicator information. This
implementers and operators an alternative format to exchange the same document gives implementers and operators an alternative format to
information by defining an alternative data model implementation in exchange the same information by defining an alternative data model
JSON and its encoding in CBOR. implementation in JSON and its encoding in Concise Binary Object
Representation (CBOR).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on September 2, 2020. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8727.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types
2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping
2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2. Complex JSON Types
2.2.1. Integer . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.1. Integer
2.2.2. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.2. Multilingual Strings
2.2.3. Enum . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2.3. Enum
2.2.4. Software and Software Reference . . . . . . . . . . . 6 2.2.4. Software and Software Reference
2.2.5. Structured Information . . . . . . . . . . . . . . . 6 2.2.5. Structured Information
2.2.6. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 2.2.6. EXTENSION
3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 8 3.1. Classes and Elements
3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 18 3.2. Mapping between JSON and XML IODEF
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4. Examples
4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 19 4.1. Minimal Example
4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 22 4.2. Indicators from a Campaign
5. Mapkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 5. Mapkeys
6. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 30 6. The IODEF Data Model (CDDL)
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 7. IANA Considerations
8. Security Considerations . . . . . . . . . . . . . . . . . . . 50 8. Security Considerations
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50 9. References
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.1. Normative References
10.1. Normative References . . . . . . . . . . . . . . . . . . 50 9.2. Informative References
10.2. Informative References . . . . . . . . . . . . . . . . . 51 Appendix A. Data Types Used in This Document
Appendix A. Data Types used in this document . . . . . . . . . . 51 Appendix B. The IODEF Data Model (JSON Schema)
Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 52 Acknowledgments
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 Authors' Addresses
1. Introduction 1. Introduction
The Incident Object Description Exchange Format (IODEF) [RFC7970] The Incident Object Description Exchange Format (IODEF) [RFC7970]
defines a data representation for security incident reports and defines a data representation for security incident reports and
indicators commonly exchanged by operational security teams. It indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable facilitates the automated exchange of this information to enable
mitigation and watch-and-warning. Section 3 of [RFC7970] defined an mitigation and watch-and-warning. An information model using Unified
information model using Unified Modeling Language (UML) and a Modeling Language (UML) is defined in Section 3 of [RFC7970] and a
corresponding Extensible Markup Language (XML) schema data model in corresponding Extensible Markup Language (XML) schema data model is
Section 8. This UML-based information model and XML-based data model defined in Section 8 of [RFC7970]. This UML-based information model
are referred to as IODEF UML and IODEF XML, respectively in this and XML-based data model are referred to as IODEF UML and IODEF XML,
document. respectively, in this document.
IODEF documents are structured and thus suitable for machine IODEF documents are structured and thus suitable for machine
processing. They will streamline incident response operations. processing. They will streamline incident response operations.
Another well-used and structured format that is suitable for machine Another well-used and structured format that is suitable for machine
processing is JavaScript Object Notation (JSON) [RFC8259]. To processing is JavaScript Object Notation (JSON) [RFC8259]. To
facilitate the automation of incident response operations, IODEF facilitate the automation of incident response operations, IODEF
documents and implementations should support JSON representation and documents and implementations should support JSON representation and
it encoding in Concise Binary Object Representation (CBOR) [RFC7049]. its encoding in Concise Binary Object Representation (CBOR)
[RFC7049].
This document defines an alternate implementation of the IODEF UML This document defines an alternate implementation of the IODEF UML
information model by specifying a JavaScript Object Notation (JSON) information model by specifying a JSON data model using Concise Data
data model using Concise Data Definition Language (CDDL) [RFC8610] Definition Language (CDDL) [RFC8610] and a JSON Schema [JSON-SCHEMA].
and JSON Schema [I-D.handrews-json-schema-validation]. This JSON This JSON data model is referred to as IODEF JSON in this document.
data model is referred to as IODEF JSON in this document. IODEF JSON IODEF JSON provides all of the expressivity of IODEF XML. It gives
provides all of the expressivity of IODEF XML. It gives implementers implementers and operators an alternative format to exchange the same
and operators an alternative format to exchange the same information. information.
The normative IODEF JSON data model is found in Section 6. Section 2 The normative IODEF JSON data model is found in Section 6. Sections
and Section 3 describe the data types and elements of this data 2 and 3 describe the data types and elements of this data model.
model. Section 4 provides examples. Section 4 provides examples.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119][RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. IODEF Data Types 2. IODEF Data Types
IODEF JSON implements the abstract data types specified in Section 2 IODEF JSON implements the abstract data types specified in Section 2
of [RFC7970]. of [RFC7970].
2.1. Abstract Data Type to JSON Data Type Mapping 2.1. Abstract Data Type to JSON Data Type Mapping
IODEF JSON uses native and derived JSON data types. Figure 1 IODEF JSON uses native and derived JSON data types. Table 1
describes the mapping between the abstract data types in Section 2 of describes the mapping between the abstract data types in Section 2 of
[RFC7970] and their corresponding implementations in IODEF JSON. [RFC7970] and their corresponding implementations in IODEF JSON.
+-----------------+-------------------+-------------------------------+ +=================+==========================+================+
| IODEF Data Type | [RFC7970] | JSON Data Type | | IODEF Data Type | Reference | JSON Data Type |
| | Reference | | +=================+==========================+================+
+-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 of [RFC7970] | integer; see |
| INTEGER | Section 2.1 | integer, see Section 2.2.1 | | | | Section 2.2.1 |
| REAL | Section 2.2 | "number" per [RFC8259] | +-----------------+--------------------------+----------------+
| CHARACTER | Section 2.3 | "string" per [RFC8259] | | REAL | Section 2.2 of [RFC7970] | "number" per |
| STRING | Section 2.3 | "string" per [RFC8259] | | | | [RFC8259] |
| ML_STRING | Section 2.4 | see Section 2.2.2 | +-----------------+--------------------------+----------------+
| BYTE | Section 2.5.1 | "string" per [RFC8259] | | CHARACTER | Section 2.3 of [RFC7970] | "string" per |
| BYTE[] | Section 2.5.1 | "string" per [RFC8259] | | | | [RFC8259] |
| HEXBIN | Section 2.5.2 | "string" per [RFC8259] | +-----------------+--------------------------+----------------+
| HEXBIN[] | Section 2.5.2 | "string" per [RFC8259] | | STRING | Section 2.3 of [RFC7970] | "string" per |
| ENUM | Section 2.6 | see Section 2.2.3 | | | | [RFC8259] |
| DATETIME | Section 2.7 | "string" per [RFC8259] | +-----------------+--------------------------+----------------+
| TIMEZONE | Section 2.8 | "string" per [RFC8259] | | ML_STRING | Section 2.4 of [RFC7970] | see |
| PORTLIST | Section 2.9 | "string" per [RFC8259] | | | | Section 2.2.2 |
| POSTAL | Section 2.10 | ML_STRING, Section 2.2.2 | +-----------------+--------------------------+----------------+
| PHONE | Section 2.11 | "string" per [RFC8259] | | BYTE | Section 2.5.1 of | "string" per |
| EMAIL | Section 2.12 | "string" per [RFC8259] | | | [RFC7970] | [RFC8259] |
| URL | Section 2.13 | "string" per [RFC8259] | +-----------------+--------------------------+----------------+
| ID | Section 2.14 | "string" per [RFC8259] | | BYTE[] | Section 2.5.1 of | "string" per |
| IDREF | Section 2.14 | "string" per [RFC8259] | | | [RFC7970] | [RFC8259] |
| SOFTWARE | Section 2.15 | see Section 2.2.4 | +-----------------+--------------------------+----------------+
| STRUCTUREDINFO | [RFC 7203] | see Section 2.2.5 | | HEXBIN | Section 2.5.2 of | "string" per |
| EXTENSION | Section 2.16 | see Section 2.2.6 | | | [RFC7970] | [RFC8259] |
+-----------------+-------------------+-------------------------------+ +-----------------+--------------------------+----------------+
| HEXBIN[] | Section 2.5.2 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| ENUM | Section 2.6 of [RFC7970] | see |
| | | Section 2.2.3 |
+-----------------+--------------------------+----------------+
| DATETIME | Section 2.7 of [RFC7970] | "string" per |
| | | [RFC8259] |
+-----------------+--------------------------+----------------+
| TIMEZONE | Section 2.8 of [RFC7970] | "string" per |
| | | [RFC8259] |
+-----------------+--------------------------+----------------+
| PORTLIST | Section 2.9 of [RFC7970] | "string" per |
| | | [RFC8259] |
+-----------------+--------------------------+----------------+
| POSTAL | Section 2.10 of | ML_STRING; see |
| | [RFC7970] | Section 2.2.2 |
+-----------------+--------------------------+----------------+
| PHONE | Section 2.11 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| EMAIL | Section 2.12 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| URL | Section 2.13 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| ID | Section 2.14 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| IDREF | Section 2.14 of | "string" per |
| | [RFC7970] | [RFC8259] |
+-----------------+--------------------------+----------------+
| SOFTWARE | Section 2.15 of | see |
| | [RFC7970] | Section 2.2.4 |
+-----------------+--------------------------+----------------+
| STRUCTUREDINFO | Section 4.4 of [RFC7203] | see |
| | | Section 2.2.5 |
+-----------------+--------------------------+----------------+
| EXTENSION | Section 2.16 of | see |
| | [RFC7970] | Section 2.2.6 |
+-----------------+--------------------------+----------------+
Figure 1: JSON Data Types Table 1: JSON Data Types
+-----------------+------------------+---------------------------------+ +=================+================+=============================+
| IODEF Data Type | CBOR Data Type | CDDL prelude | | IODEF Data Type | CBOR Data Type | CDDL Prelude [RFC8610] |
| | | [RFC8610] | +=================+================+=============================+
+-----------------+------------------+---------------------------------+ | INTEGER | 0, 1, 6 tag 2, | integer |
| INTEGER | 0, 1, 6 tag 2, | integer | | | 6 tag 3 | |
| | 6 tag 3 | | +-----------------+----------------+-----------------------------+
| REAL | 7 bits 26 | float32 | | REAL | 7 bits 26 | float32 |
| CHARACTER | 3 | text | +-----------------+----------------+-----------------------------+
| STRING | 3 | text | | CHARACTER | 3 | text |
| ML_STRING | 5 | Maps/Structs (Section 3.5.1) | +-----------------+----------------+-----------------------------+
| BYTE | 6 tag 22 | eb64legacy | | STRING | 3 | text |
| BYTE[] | 6 tag 22 | eb64legacy | +-----------------+----------------+-----------------------------+
| HEXBIN | 6 tag 23 | eb16 | | ML_STRING | 5 | Maps/Structs (Section 3.5.1 |
| HEXBIN[] | 6 tag 23 | eb16 | | | | of [RFC8610]) |
| ENUM | - | Choices (Section 2.2.2) | +-----------------+----------------+-----------------------------+
| DATETIME | 6 tag 0 | tdate | | BYTE | 6 tag 22 | eb64legacy |
| TIMEZONE | 3 | text | +-----------------+----------------+-----------------------------+
| PORTLIST | 3 | text | | BYTE[] | 6 tag 22 | eb64legacy |
| POSTAL | 3 | ML_STRING (Section 2.2.1) | +-----------------+----------------+-----------------------------+
| PHONE | 3 | text | | HEXBIN | 6 tag 23 | eb16 |
| EMAIL | 3 | text | +-----------------+----------------+-----------------------------+
| URL | 6 tag 32 | uri | | HEXBIN[] | 6 tag 23 | eb16 |
| ID | 3 | text | +-----------------+----------------+-----------------------------+
| IDREF | 3 | text | | ENUM | - | Choices (Section 2.2.2 of |
| SOFTWARE | 5 | Maps/Structs (Section 3.5.1) | | | | [RFC8610]) |
| STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1) | +-----------------+----------------+-----------------------------+
| EXTENSION | 5 | Maps/Structs (Section 3.5.1) | | DATETIME | 6 tag 0 | tdate |
+-----------------+------------------+---------------------------------+ +-----------------+----------------+-----------------------------+
| TIMEZONE | 3 | text |
+-----------------+----------------+-----------------------------+
| PORTLIST | 3 | text |
+-----------------+----------------+-----------------------------+
| POSTAL | 3 | ML_STRING (Section 2.2.2) |
+-----------------+----------------+-----------------------------+
| PHONE | 3 | text |
+-----------------+----------------+-----------------------------+
| EMAIL | 3 | text |
+-----------------+----------------+-----------------------------+
| URL | 6 tag 32 | uri |
+-----------------+----------------+-----------------------------+
| ID | 3 | text |
+-----------------+----------------+-----------------------------+
| IDREF | 3 | text |
+-----------------+----------------+-----------------------------+
| SOFTWARE | 5 | Maps/Structs (Section 3.5.1 |
| | | of [RFC8610]) |
+-----------------+----------------+-----------------------------+
| STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1 |
| | | of [RFC8610]) |
+-----------------+----------------+-----------------------------+
| EXTENSION | 5 | Maps/Structs (Section 3.5.1 |
| | | of [RFC8610]) |
+-----------------+----------------+-----------------------------+
Figure 2: CBOR Data Types Table 2: CBOR Data Types
2.2. Complex JSON Types 2.2. Complex JSON Types
2.2.1. Integer 2.2.1. Integer
An integer is a subset of "number" type of JSON, which represents An integer is a subset of the "number" type of JSON, which represents
signed digits encoded in Base 10. The definition of this integer is signed digits encoded in Base 10. The definition of this integer is
"[ minus ] int" in [RFC8259] Section 6 manner. "[ minus ] int" per [RFC8259], Section 6.
2.2.2. Multilingual Strings 2.2.2. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different from the default encoding of the document is represented in different from the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as either an object with "value", "lang", and implemented as either an object with "value", "lang", and
"translation-id" elements or a text string as defined in Section 6. "translation-id" elements or a text string as defined in Section 6.
An example is shown below. An example is shown below.
"MLStringType": { "MLStringType": {
"value": "free-form text", # STRING "value": "free-form text", # STRING
"lang": "en", # ENUM "lang": "en", # ENUM
"translation-id": "jp2en0023" # STRING "translation-id": "jp2en0023" # STRING
} }
Note that in figures throughout this document, some supplementary Note that in figures throughout this document, some supplementary
information follows "#", but these are not valid syntax in JSON, but information follows "#", but these are not valid syntax in JSON;
are intended to facilitate reader understanding. instead, they are intended to facilitate reader understanding.
2.2.3. Enum 2.2.3. Enum
Enum is an ordered list of acceptable string values. Each value has Enum is an ordered list of acceptable string values. Each value has
a representative keyword. Within the data model, the enumerated type a representative keyword. Within the data model, the enumerated type
keywords are used as attribute values. keywords are used as attribute values.
2.2.4. Software and Software Reference 2.2.4. Software and Software Reference
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a Uniform Resource Locator (URL) [RFC3986], or using a reference, a Uniform Resource Locator (URL) [RFC3986], or
with free-form text. The SOFTWARE data type is implemented as an free-form text. The SOFTWARE data type is implemented as an object
object with "SoftwareReference", "URL", and "Description" elements as with "SoftwareReference", "URL", and "Description" elements as
defined in Section 6. Examples are shown below. defined in Section 6. Examples are shown below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, # SoftwareReference "SoftwareReference": {...}, # SoftwareReference
"Description": ["MS Windows"] # STRING "Description": ["MS Windows"] # STRING
} }
SoftwareReference class is a reference to a particular version of SoftwareReference class is a reference to a particular version of
software. Examples are shown below. software. Examples are shown below.
"SoftwareReference": { "SoftwareReference": {
"value": "cpe:/a:google:chrome:59.0.3071.115", # STRING "value": "cpe:/a:google:chrome:59.0.3071.115", # STRING
"spec-name": "cpe", # ENUM "spec-name": "cpe", # ENUM
"dtype": "string" # ENUM "dtype": "string" # ENUM
} }
2.2.5. Structured Information 2.2.5. Structured Information
Information provided in a form of structured string, such as ID, or Information provided in the form of a structured string, such as an
structured information, such as XML documents, is represented in the ID, or structured information, such as XML documents, is represented
information model by the STRUCTUREDINFO data type. Note that this in the information model by the STRUCTUREDINFO data type. Note that
type was originally specified in Section 4.4 of [RFC7203] as a basic this type was originally specified in Section 4.4 of [RFC7203] as a
structure of its extension classes. The STRUCTUREDINFO data type is basic structure of its extension classes. The STRUCTUREDINFO data
implemented as an object with "SpecID", "ext-SpecID", "ContentID", type is implemented as an object with "SpecID", "ext-SpecID",
"RawData", and "Reference" elements. An example for embedding a "ContentID", "RawData", and "Reference" elements. An example for
structured ID is shown below. embedding a structured ID is shown below.
"StructuredInfo": { "STRUCTUREDINFO": {
"SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM
"ContentID": "CWE-89" # STRING "ContentID": "CWE-89" # STRING
} }
When embedding the raw data, it should be encoded as a BYTE type When embedding the raw data, it should be encoded as a BYTE type
object, as shown below. object, as shown below.
"StructuredInfo": { "STRUCTUREDINFO": {
"SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM
"RawData": "<<< encoded structured data >>>" # BYTE "RawData": "<<< encoded structured data >>>" # BYTE
} }
When embedding the raw data, base64 encoding defined in Section 4 of When embedding the raw data, base64 encoding defined in Section 4 of
[RFC4648] MUST be used for JSON IODEF while binary representation [RFC4648] MUST be used for JSON IODEF while binary representation
MUST be used for CBOR IODEF. MUST be used for CBOR IODEF.
2.2.6. EXTENSION 2.2.6. EXTENSION
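Review bot: In Section 2.2.5 both examples rename the outer key from "StructuredInfo" to "STRUCTUREDINFO", while the sibling examples in Sections 2.2.2 and 2.2.4 keep "MLStringType" and "SoftwareType". Implementers copy these keys verbatim, so please confirm the spelling against the CDDL in Section 6 and make all of the examples follow one convention. In the same section, "it should be encoded as a BYTE type object" is carried over unchanged and sits directly above "base64 encoding defined in Section 4 of [RFC4648] MUST be used for JSON IODEF while binary representation MUST be used for CBOR IODEF". The lowercase "should" reads as weaker than the MUST that follows, so consider folding the two sentences into a single normative statement. Last, with Acknowledgments moved out of the numbered sections, References shifts from Section 10 to Section 9. Any in-text pointer to the old numbering needs the same update.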
skipping to change at page 7, line 44 skipping to change at line 367
"ExtensionType": { "ExtensionType": {
"value": "xxxxxxx", # STRING "value": "xxxxxxx", # STRING
"name": "Syslog", # STRING "name": "Syslog", # STRING
"dtype": "string", # ENUM "dtype": "string", # ENUM
"meaning": "Syslog from the security appliance X" # STRING "meaning": "Syslog from the security appliance X" # STRING
} }
Note that this data type is specified in [RFC7970] as its generic Note that this data type is specified in [RFC7970] as its generic
extension mechanism. If a data item has internal structure that is extension mechanism. If a data item has internal structure that is
intended to be processed outside of the IODEF framework, one may intended to be processed outside of the IODEF framework, one may
consider using StructuredInfo data type mentioned in Section 2.2.5. consider using the STRUCTUREDINFO data type mentioned in
Section 2.2.5.
3. IODEF JSON Data Model 3. IODEF JSON Data Model
3.1. Classes and Elements 3.1. Classes and Elements
The following table shows the list of IODEF Classes, their elements, The following table shows the list of IODEF classes and their
and the corresponding section in [RFC7970]. Note that the complete elements and the corresponding sections in [RFC7970]. Note that the
JSON schema is defined in Section 6 using CDDL. complete JSON schema is defined in Section 6 using CDDL.
+-----------------------------+--------------------+---------------+ +===========================+============================+==========+
| IODEF Class | Class | Corresponding | | IODEF Class | Class, Element, and |Section in|
| | Elements and | Section | | | Attribute |[RFC7970] |
| | Attribute | in [RFC7970] | +===========================+============================+==========+
+-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 |
| IODEF-Document | version | 3.1 | | | lang? | |
| | lang? | | | | format-id? | |
| | format-id? | | | | private-enum-name? | |
| | private-enum-name? | | | | private-enum-id? | |
| | private-enum-id? | | | | Incident+ | |
| | Incident+ | | | | AdditionalData* | |
| | AdditionalData* | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 |
| Incident | purpose | 3.2 | | | ext-purpose? | |
| | ext-purpose? | | | | status? | |
| | status? | | | | ext-status? | |
| | ext-status? | | | | lang? | |
| | lang? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | IncidentID | |
| | IncidentID | | | | AlternativeID? | |
| | AlternativeID? | | | | RelatedActivity* | |
| | RelatedActivity* | | | | DetectTime? | |
| | DetectTime? | | | | StartTime? | |
| | StartTime? | | | | EndTime? | |
| | EndTime? | | | | RecoveryTime? | |
| | RecoveryTime? | | | | ReportTime? | |
| | ReportTime? | | | | GenerationTime | |
| | GenerationTime | | | | Description* | |
| | Description* | | | | Discovery* | |
| | Discovery* | | | | Assessment* | |
| | Assessment* | | | | Method* | |
| | Method* | | | | Contact+ | |
| | Contact+ | | | | EventData* | |
| | EventData* | | | | Indicator* | |
| | Indicator* | | | | History? | |
| | History? | | | | AdditionalData* | |
| | AdditionalData* | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 |
| IncidentID | id | 3.4 | | | name | |
| | name | | | | instance? | |
| | instance? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 |
| AlternativeID | restriction? | 3.5 | | | ext-restriction? | |
| | ext-restriction? | | | | IncidentID+ | |
| | IncidentID+ | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 |
| RelatedActivity | restriction? | 3.6 | | | ext-restriction? | |
| | ext-restriction? | | | | IncidentID* | |
| | IncidentID* | | | | URL* | |
| | URL* | | | | ThreatActor* | |
| | ThreatActor* | | | | Campaign* | |
| | Campaign* | | | | IndicatorID* | |
| | IndicatorID* | | | | Confidence? | |
| | Confidence? | | | | Description* | |
| | Description* | | | | AdditionalData* | |
| | AdditionalData* | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 |
| ThreatActor | restriction? | 3.7 | | | ext-restriction? | |
| | ext-restriction? | | | | ThreatActorID* | |
| | ThreatActorID* | | | | URL* | |
| | URL* | | | | Description* | |
| | Description* | | | | AdditionalData* | |
| | AdditionalData* | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Campaign | restriction? | 3.8 |
| Campaign | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | CampaignID* | |
| | CampaignID* | | | | URL* | |
| | URL* | | | | Description* | |
| | Description* | | | | AdditionalData* | |
| | AdditionalData* | 3.8 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Contact | role | 3.9 |
| Contact | role | | | | ext-role? | |
| | ext-role? | | | | type | |
| | type | | | | ext-type? | |
| | ext-type? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | ContactName* | |
| | ContactName*, | | | | ContactTitle* | |
| | ContactTitle* | | | | Description* | |
| | Description* | | | | RegistryHandle* | |
| | RegistryHandle* | | | | PostalAddress* | |
| | PostalAddress* | | | | Email* | |
| | Email* | | | | Telephone* | |
| | Telephone* | | | | Timezone? | |
| | Timezone? | | | | Contact* | |
| | Contact* | | | | AdditionalData* | |
| | AdditionalData* | 3.9 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | RegistryHandle | handle | 3.9.1 |
| RegistryHandle | handle | | | | registry | |
| | registry | | | | ext-registry? | |
| | ext-registry? | 3.9.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | PostalAddress | type? | 3.9.2 |
| PostalAddress | type? | | | | ext-type? | |
| | ext-type? | | | | PAddress | |
| | PAddress | | | | Description* | |
| | Description* | 3.9.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Email | type? | 3.9.3 |
| Email | type? | | | | ext-type? | |
| | ext-type? | | | | EmailTo | |
| | EmailTo | | | | Description* | |
| | Description* | 3.9.3 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Telephone | type? | 3.9.4 |
| Telephone | type? | | | | ext-type? | |
| | ext-type? | | | | TelephoneNumber | |
| | TelephoneNumber | | | | Description* | |
| | Description* | 3.9.4 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Discovery | source? | 3.10 |
| Discovery | source? | | | | ext-source? | |
| | ext-source? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | Description* | |
| | Description* | | | | Contact* | |
| | Contact* | | | | DetectionPattern* | |
| | DetectionPattern* | 3.10 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | DetectionPattern | restriction? | 3.10.1 |
| DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | Application | |
| | Application | | | | Description* | |
| | Description* | | | | DetectionConfiguration* | |
| | DetectionConfiguration* | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Method | restriction? | 3.11 |
| Method | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | Reference* | |
| | Reference* | | | | Description* | |
| | Description* | | | | AttackPattern* | |
| | AttackPattern* | | | | Vulnerability* | |
| | Vulnerability* | | | | Weakness* | |
| | Weakness* | | | | AdditionalData* | |
| | AdditionalData* | 3.11 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Weakness | restriction? | 4.5.5 in |
| Weakness (TBD) | restriction? | | | | ext-restriction? |[RFC7203] |
| | ext-restriction? | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Reference | observable-id? | 3.11.1 |
| Reference | observable-id? | | | | ReferenceName? | |
| | ReferenceName? | | | | URL* | |
| | URL* | | | | Description* | |
| | Description* | 3.11.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Assessment | occurrence? | 3.12 |
| Assessment | occurence? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | IncidentCategory* | |
| | IncidentCategory* | | | | SystemImpact* | |
| | SystemImpact* | | | | BusinessImpact* | |
| | BusinessImpact* | | | | TimeImpact* | |
| | TimeImpact* | | | | MonetaryImpact* | |
| | MonetaryImpact* | | | | IntendedImpact* | |
| | IntendedImpact* | | | | Counter* | |
| | Counter* | | | | MitigatingFactor* | |
| | MitigatingFactor* | | | | Cause* | |
| | Cause* | | | | Confidence? | |
| | Confidence? | | | | AdditionalData* | |
| | AdditionalData* | 3.12 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | SystemImpact | severity? | 3.12.1 |
| SystemImpact | severity? | | | | completion? | |
| | completion? | | | | type | |
| | type | | | | ext-type? | |
| | ext-type? | | | | Description* | |
| | Description* | 3.12.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | 3.12.2 |
| BusinessImpact | severity? | | | | ext-severity? | |
| | ext-severity? | | | | type | |
| | type | | | | ext-type? | |
| | ext-type? | | | | Description* | |
| | Description* | 3.12.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | TimeImpact | value | 3.12.3 |
| TimeImpact | value | | | | severity? | |
| | severity? | | | | metric | |
| | metric | | | | ext-metric? | |
| | ext-metric? | | | | duration? | |
| | duration? | | | | ext-duration? | |
| | ext-duration? | 3.12.3 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | MonetaryImpact | value | 3.12.4 |
| MonetaryImpact | value | | | | severity? | |
| | severity? | | | | currency? | |
| | currency? | 3.12.4 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Confidence | value | 3.12.5 |
| Confidence | value | | | | rating | |
| | rating | | | | ext-rating? | |
| | ext-rating? | 3.12.5 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | History | restriction? | 3.13 |
| History | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | HistoryItem+ | |
| | HistoryItem+ | 3.13 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | HistoryItem | action | 3.13.1 |
| HistoryItem | action | | | | ext-action? | |
| | ext-action? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | DateTime | |
| | DateTime | | | | IncidentID? | |
| | IncidentID? | | | | Contact? | |
| | Contact? | | | | Description* | |
| | Description* | | | | DefinedCOA* | |
| | DefinedCOA* | | | | AdditionalData* | |
| | AdditionalData* | 3.13.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | EventData | restriction? | 3.14 |
| EventData | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | Description* | |
| | Description* | | | | DetectTime? | |
| | DetectTime? | | | | StartTime? | |
| | StartTime? | | | | EndTime? | |
| | EndTime? | | | | RecoveryTime? | |
| | RecoveryTime? | | | | ReportTime? | |
| | ReportTime? | | | | Contact* | |
| | Contact* | | | | Discovery* | |
| | Discovery* | | | | Assessment? | |
| | Assessment? | | | | Method* | |
| | Method* | | | | System* | |
| | System* | | | | Expectation* | |
| | Expectation* | | | | RecordData* | |
| | RecordData* | | | | EventData* | |
| | EventData* | | | | AdditionalData* | |
| | AdditionalData* | 3.14 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Expectation | action? | 3.15 |
| Expectation | action? | | | | ext-action? | |
| | ext-action? | | | | severity? | |
| | severity? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | Description* | |
| | Description* | | | | DefinedCOA* | |
| | DefinedCOA* | | | | StartTime? | |
| | StartTime? | | | | EndTime? | |
| | EndTime? | | | | Contact? | |
| | Contact? | 3.15 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | System | category? | 3.17 |
| System | category? | | | | ext-category? | |
| | ext-category? | | | | interface? | |
| | interface? | | | | spoofed? | |
| | spoofed? | | | | virtual? | |
| | virtual? | | | | ownership? | |
| | ownership? | | | | ext-ownership? | |
| | ext-ownership? | | | | restriction? | |
| | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | Node | |
| | Node | | | | NodeRole* | |
| | NodeRole* | | | | Service* | |
| | Service* | | | | OperatingSystem* | |
| | OperatingSystem* | | | | Counter* | |
| | Counter* | | | | AssetID* | |
| | AssetID* | | | | Description* | |
| | Description* | | | | AdditionalData* | |
| | AdditionalData* | 3.17 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Node | DomainData* | 3.18 |
| Node | DomainData* | | | | Address* | |
| | Address* | | | | PostalAddress? | |
| | PostalAddress? | | | | Location* | |
| | Location* | | | | Counter* | |
| | Counter* | 3.18 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Address | value | 3.18.1 |
| Address | value | | | | category | |
| | category | | | | ext-category? | |
| | ext-category? | | | | vlan-name? | |
| | vlan-name? | | | | vlan-num? | |
| | vlan-num? | | | | observable-id? | |
| | observable-id? | 3.18.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | NodeRole | category | 3.18.2 |
| NodeRole | category | | | | ext-category? | |
| | ext-category? | | | | Description* | |
| | Description* | 3.18.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Counter | value | 3.18.3 |
| Counter | value | | | | type | |
| | type | | | | ext-type? | |
| | ext-type? | | | | unit | |
| | unit | | | | ext-unit? | |
| | ext-unit? | | | | meaning? | |
| | meaning? | | | | duration? | |
| | duration? | | | | ext-duration? | |
| | ext-duration? | 3.18.3 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | DomainData | system-status | 3.19 |
| DomainData | system-status | | | | ext-system-status? | |
| | ext-system-status? | | | | domain-status | |
| | domain-status | | | | ext-domain-status? | |
| | ext-domain-status? | | | | observable-id? | |
| | observable-id? | | | | Name | |
| | Name | | | | DateDomainWasChecked? | |
| | DateDomainWasChecked?| | | | RegistrationDate? | |
| | RegistrationDate? | | | | ExpirationDate? | |
| | ExpirationDate? | | | | RelatedDNS* | |
| | RelatedDNS* | | | | Nameservers* | |
| | Nameservers* | | | | DomainContacts? | |
| | DomainContacts? | 3.19 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Nameservers | Server | 3.19.1 |
| Nameserver | Server | | | | Address* | |
| | Address* | 3.19.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | 3.19.2 |
| DomainContacts | SameDomainContact? | | | | Contact+ | |
| | Contact+ | 3.19.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Service | ip-protocol? | 3.20 |
| Service | ip-protocol? | | | | observable-id? | |
| | observable-id? | | | | ServiceName? | |
| | ServiceName? | | | | Port? | |
| | Port? | | | | Portlist? | |
| | Portlist? | | | | ProtoCode? | |
| | ProtoCode? | | | | ProtoType? | |
| | ProtoType? | | | | ProtoField? | |
| | ProtoField? | | | | ApplicationHeaderField* | |
| | ApplicationHeaderField*| | | | EmailData? | |
| | EmailData? | | | | Application? | |
| | Application? | 3.20 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | 3.20.1 |
| ServiceName | IANAService? | | | | URL* | |
| | URL* | | | | Description* | |
| | Description* | 3.20.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | EmailData | observable-id? | 3.21 |
| EmailData | observable-id? | | | | EmailTo* | |
| | EmailTo* | | | | EmailFrom? | |
| | EmailFrom? | | | | EmailSubject? | |
| | EmailSubject? | | | | EmailX-Mailer? | |
| | EmailX-Mailer? | | | | EmailHeaderField* | |
| | EmailHeaderField* | | | | EmailHeaders? | |
| | EmailHeaders? | | | | EmailBody? | |
| | EmailBody? | | | | EmailMessage? | |
| | EmailMessage? | | | | HashData* | |
| | HashData* | | | | Signature* | |
| | Signature* | 3.21 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | RecordData | restriction? | 3.22.1 |
| RecordData | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | DateTime? | |
| | DateTime? | | | | Description* | |
| | Description* | | | | Application? | |
| | Application? | | | | RecordPattern* | |
| | RecordPattern* | | | | RecordItem* | |
| | RecordItem* | | | | URL* | |
| | URL* | | | | FileData* | |
| | FileData* | | | |WindowsRegistryKeysModified*| |
| | WindowsRegistryKeysModified*| | | | CertificateData* | |
| | CertificateData* | | | | AdditionalData* | |
| | AdditionalData* | 3.22.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | RecordPattern | type | 3.22.2 |
| RecordPattern | type | | | | ext-type? | |
| | ext-type? | | | | offset? | |
| | offset? | | | | offsetunit? | |
| | offsetunit? | | | | ext-offsetunit? | |
| | ext-offsetunit? | | | | instance? | |
| | instance? | | | | value | |
| | value | 3.22.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ |WindowsRegistryKeysModified| observable-id? | 3.23 |
| WindowsRegistryKeysModified | observable-id? | 3.23 | | | Key+ | |
| | Key+ | | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Key | registryaction? | 3.23.1 |
| Key | registryaction? | | | | ext-registryaction? | |
| | ext-registryaction?| | | | observable-id? | |
| | observable-id? | | | | KeyName | |
| | KeyName | | | | KeyValue? | |
| | KeyValue? | 3.23.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | CertificateData | restriction? | 3.24 |
| CertificateData | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | Certificate+ | |
| | Certificate+ | 3.24 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Certificate | observable-id? | 3.24.1 |
| Certificate | observable-id? | | | | X509Data | |
| | X509Data | | | | Description* | |
| | Description* | 3.24.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | FileData | restriction? | 3.25 |
| FileData | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | observable-id? | |
| | observable-id? | | | | File+ | |
| | File+ | 3.25 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | File | observable-id? | 3.25.1 |
| File | observable-id? | | | | FileName? | |
| | FileName? | | | | FileSize? | |
| | FileSize? | | | | FileType? | |
| | FileType? | | | | URL* | |
| | URL* | | | | HashData? | |
| | HashData? | | | | Signature* | |
| | Signature* | | | | AssociatedSoftware? | |
| | AssociatedSoftware?| | | | FileProperties* | |
| | FileProperties* | 3.25.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | HashData | scope | 3.26 |
| HashData | scope | | | | HashTargetID? | |
| | HashTargetID? | | | | Hash* | |
| | Hash* | | | | FuzzyHash* | |
| | FuzzyHash* | 3.26 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Hash | DigestMethod | 3.26.1 |
| Hash | DigestMethod | | | | DigestValue | |
| | DigestValue | | | | CanonicalizationMethod? | |
| | CanonicalizationMethod?| | | | Application? | |
| | Application? | 3.26.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | 3.26.2 |
| FuzzyHash | FuzzyHashValue+ | | | | Application? | |
| | Application? | | | | AdditionalData* | |
| | AdditionalData* | 3.26.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Indicator | restriction? | 3.29 |
| Indicator | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | IndicatorID | |
| | IndicatorID | | | | AlternativeIndicatorID* | |
| | AlternativeIndicatorID*| | | | Description* | |
| | Description* | | | | StartTime? | |
| | StartTime? | | | | EndTime? | |
| | EndTime? | | | | Confidence? | |
| | Confidence? | | | | Contact* | |
| | Contact* | | | | Observable? | |
| | Observable? | | | | uid-ref? | |
| | uid-ref? | | | | IndicatorExpression? | |
| | IndicatorExpression?| | | | IndicatorReference? | |
| | IndicatorReference?| | | | NodeRole* | |
| | NodeRole* | | | | AttackPhase* | |
| | AttackPhase* | | | | Reference* | |
| | Reference* | | | | AdditionalData* | |
| | AdditionalData* | 3.29 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | IndicatorID | id | 3.29.1 |
| IndicatorID | id | | | | name | |
| | name | | | | version | |
| | version | 3.29.1 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | 3.29.2 |
| AlternativeIndicatorID | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | IndicatorID+ | |
| | IndicatorID+ | 3.29.2 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | Observable | restriction? | 3.29.3 |
| Observable | restriction? | | | | ext-restriction? | |
| | ext-restriction? | | | | System? | |
| | System? | | | | Address? | |
| | Address? | | | | DomainData? | |
| | DomainData? | | | | Service? | |
| | Service? | | | | EmailData? | |
| | EmailData? | | | |WindowsRegistryKeysModified?| |
| | WindowsRegistryKeysModified?| | | | FileData? | |
| | FileData? | | | | CertificateData? | |
| | CertificateData? | | | | RegistryHandle? | |
| | RegistryHandle? | | | | RecordData? | |
| | RecordData? | | | | EventData? | |
| | EventData? | | | | Incident? | |
| | Incident? | | | | Expectation? | |
| | Expectation? | | | | Reference? | |
| | Reference? | | | | Assessment? | |
| | Assessment? | | | | DetectionPattern? | |
| | DetectionPattern? | | | | HistoryItem? | |
| | HistoryItem? | | | | BulkObservable? | |
| | BulkObservable? | | | | AdditionalData* | |
| | AdditionalData* | 3.29.3 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | BulkObservable | type? | 3.29.3.1 |
| BulkObservable | type? | | | | ext-type? | |
| | ext-type? | | | | BulkObservableFormat? | |
| | BulkObservableFormat?| | | | BulkObservableList | |
| | BulkObservableList | | | | AdditionalData* | |
| | AdditionalData* | 3.29.4 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? |3.29.3.1.1|
| BulkObservableFormat | Hash? | | | | AdditionalData* | |
| | AdditionalData* | 3.29.5 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | 3.29.4 |
| IndicatorExpression | operator? | | | | ext-operator? | |
| | ext-operator? | | | | IndicatorExpression* | |
| | IndicatorExpression*| | | | Observable* | |
| | Observable* | | | | uid-ref* | |
| | uid-ref* | | | | IndicatorReference* | |
| | IndicatorReference*| | | | Confidence? | |
| | Confidence? | | | | AdditionalData* | |
| | AdditionalData* | 3.29.6 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | IndicatorReference | uid-ref? | 3.29.7 |
| IndicatorReference | uid-ref? | | | | euid-ref? | |
| | euid-ref? | | | | version? | |
| | version? | 3.29.7 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | 3.29.8 |
| AttackPhase | AttackPhaseID* | | | | URL* | |
| | URL* | | | | Description* | |
| | Description* | | | | AdditionalData* | |
| | AdditionalData* | 3.29.8 | +---------------------------+----------------------------+----------+
+-----------------------------+--------------------+---------------+
Figure 3: IODEF Classes Table 3: IODEF Classes
3.2. Mapping between JSON and XML IODEF 3.2. Mapping between JSON and XML IODEF
o Attributes and elements of each class in XML IODEF document are * Attributes and elements of each class in the XML IODEF document
both presented as JSON attributes in JSON IODEF document, and the are both presented as JSON attributes in the JSON IODEF document,
order of their appearances is ignored. and the order of their appearances is ignored.
o Flow class is deleted, and classes with its instances now directly * Flow class is deleted, and classes with its instances now directly
have instances of EventData class that used to belong to the Flow have instances of the EventData class that used to belong to the
class. Flow class.
o ApplicationHeader class is deleted, and classes with its instances * ApplicationHeader class is deleted, and classes with its instances
now directly have instances of ApplicationHeaderField class that now directly have instances of the ApplicationHeaderField class
used to belong to the ApplicationHeader class. that used to belong to the ApplicationHeader class.
o SignatureData class is deleted, and classes with its instances now * SignatureData class is deleted, and classes with its instances now
directly have instance of Signature class that used to belong to directly have instances of the Signature class that used to belong
the SignatureData class. to the SignatureData class.
o IndicatorData class is deleted, and classes with its instances now * IndicatorData class is deleted, and classes with its instances now
directly have the instances of Indicator class that used to belong directly have instances of the Indicator class that used to belong
to the IndicatorData class. to the IndicatorData class.
o ObservableReference class is deleted, and classes with its * ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element. instances now directly have uid-ref as an element.
o Record class is deleted, and classes with its instances now * Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to directly have instances of the RecordData class that used to
belong to the Record class. belong to the Record class.
o The MLStringType were modified to support simple string by * The MLStringType was modified to support simple string by allowing
allowing the type to have not only a predefined object type but the type to have not only a predefined object type but also a text
also text type, in order to allow simple descriptions of elements type, in order to allow simple descriptions of elements of the
of the type. Implementations need to be capable of parsing type. Implementations need to be capable of parsing an
MLStringType that could take form of both text and object. MLStringType that could take the form of both text and an object.
o The elements of ML_STRING type in XML IODEF document are presented * The elements of the ML_STRING type in the XML IODEF document are
as either STRING type or ML_STRING type in JSON IODEF document. presented as either STRING type or ML_STRING type in the JSON
When converting from XML IODEF document to JSON one or vice versa, IODEF document. When converting from the XML IODEF document to
the information contained in the original data of ML_STRING type the JSON IODEF document, or vice versa, the information contained
must be preserved. When STRING is used instead of ML_STRING, in the original data of the ML_STRING type must be preserved.
parsers can assume that its "xml:lang" is set to "en". When STRING is used instead of ML_STRING, parsers can assume that
its "xml:lang" is set to "en".
o Data models of the extension classes defined by [RFC7203] and * Data models of the extension classes defined by [RFC7203] and
referenced by [RFC7970] are represented by StructuredInfo class referenced by [RFC7970] are represented by the STRUCTUREDINFO
defined in this document. class defined in this document.
o Signature, X509Data, and RawData are encoded using base64 encoding * Signature, X509Data, and RawData are encoded using base64 encoding
for JSON IODEF and binary representation for CBOR IODEF to for JSON IODEF and binary representation for CBOR IODEF to
represent them as BYTE object. represent them as BYTE objects.
o EmailBody represents an whole message body including MIME * EmailBody represents a whole message body including MIME structure
structure in the same manner defined in [RFC7970]. In case of an in the same manner defined in [RFC7970]. In case of an email
email composed of MIME multipart, the EmailBody contains multiple composed of a MIME multipart, the EmailBody contains multiple body
body parts separated by boundary strings. parts separated by boundary strings.
o The "ipv6-net-mask" type attribute of BulkObservable class remains * The "ipv6-net-mask" type attribute of the BulkObservable class
available for the backward compatibility purpose, but the use of remains available for the purpose of backward compatibility, but
this attribute is not recommended because IPV6 does not use the use of this attribute is not recommended because IPv6 does not
netmask any more. use netmask any more.
o ENUM values in this document is extensible and is managed by IANA, * ENUM values in this document are extensible and managed by IANA,
as with [RFC7970]. The values in the table are used both by which is also the case in [RFC7970]. The values in the table are
[RFC7970] implementations and by their JSON (and CBOR) bindings as used both by [RFC7970] implementations and by their JSON (and
specified by this document. CBOR) bindings as specified by this document.
o This document uses JSON's "number" type to represent integers that * This document uses JSON's "number" type to represent integers that
only has full precision for integer values between -2**53 and only have full precision for integer values between -2^(53) and
2**53. When dealing with integers outside the range, this issue 2^(53). When dealing with integers outside the range, this issue
needs to be considered. needs to be considered.
o Binaries are encoded in bytes. Note that XML IODEF in [RFC7970] * Binaries are encoded in bytes. Note that XML IODEF in [RFC7970]
uses HEXBIN due to the incapability of XML for embedding binaries uses HEXBIN due to the incapability of XML for embedding binaries
as they are. as they are.
4. Examples 4. Examples
This section provides examples of IODEF documents. These examples do This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the only way not represent the full capabilities of the data model or the only way
to encode particular information. to encode particular information.
4.1. Minimal Example 4.1. Minimal Example
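Review bot: In the new Table 3, the section references at the end of the Indicator block were only partly renumbered. BulkObservable, BulkObservableFormat and IndicatorExpression moved to 3.29.3.1, 3.29.3.1.1 and 3.29.4, but IndicatorReference and AttackPhase still carry 3.29.7 and 3.29.8, the values they had when IndicatorExpression was 3.29.6. That leaves a jump from 3.29.4 to 3.29.7. Please check those two rows against the RFC 7970 section numbers and correct them in the same pass that fixed the other three. Separately, in Section 3.2 the MLStringType and "xml:lang" bullets keep the informal wording "need to be capable of parsing" and "parsers can assume". A parser that handles only the text form or only the object form will not interoperate, so consider stating these as explicit requirements.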
skipping to change at page 20, line 24 skipping to change at line 953
}, },
"GenerationTime": "2015-07-18T09:00:00-05:00", "GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [{ "Contact": [{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"Email": [{"EmailTo": "contact@csirt.example.com"}] "Email": [{"EmailTo": "contact@csirt.example.com"}]
}] }]
}] }]
} }
Figure 4: A Minimal Example in JSON Figure 1: A Minimal Example in JSON
A3 # map(3) A3 # map(3)
37 # negative(23) 37 # negative(23)
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
36 # negative(22) 36 # negative(22)
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
32 # negative(18) 32 # negative(18)
81 # array(1) 81 # array(1)
A5 # map(5) A5 # map(5)
21 # negative(1) 21 # negative(1)
69 # text(9) 69 # text(9)
7265706F7274696E67 # "reporting" 7265706F7274696E67 # "reporting"
29 # negative(9) 29 # negative(9)
67 # text(7) 67 # text(7)
70726976617465 # "private" 70726976617465 # "private"
02 # unsigned(2) 02 # unsigned(2)
A2 # map(2) A2 # map(2)
12 # unsigned(18) 12 # unsigned(18)
66 # text(6) 66 # text(6)
343932333832 # "492382" 343932333832 # "492382"
2E # negative(14) 2E # negative(14)
71 # text(17) 71 # text(17)
63736972742E6578616D706C652E636F6D # "csirt.example.com" 63736972742E6578616D706C652E636F6D
0A # unsigned(10) # "csirt.example.com"
78 19 # text(25) 0A # unsigned(10)
323031352D30372D31385430393A30303A30302D30353A3030 78 19 # text(25)
# "2015-07-18T09:00:00-05:00" 323031352D30372D31385430393A30303A30302D30353A3030
0E # unsigned(14) # "2015-07-18T09:00:00
81 # array(1) # -05:00"
A3 # map(3) 0E # unsigned(14)
18 1C # unsigned(28) 81 # array(1)
6C # text(12) A3 # map(3)
6F7267616E697A6174696F6E # "organization" 18 1C # unsigned(28)
18 1A # unsigned(26) 6C # text(12)
67 # text(7) 6F7267616E697A6174696F6E # "organization"
63726561746F72 # "creator" 18 1A # unsigned(26)
18 22 # unsigned(34) 67 # text(7)
81 # array(1) 63726561746F72 # "creator"
A1 # map(1) 18 22 # unsigned(34)
18 29 # unsigned(41) 81 # array(1)
78 19 # text(25) A1 # map(1)
636F6E746163744063736972742E6578616D706C652E636F6D 18 29 # unsigned(41)
# "contact@csirt.example.com" 78 19 # text(25)
636F6E746163744063736972742E6578616D70
6C652E636F6D
# "contact@csirt.example.com"
Figure 5: A Minimal Example in CBOR Figure 2: A Minimal Example in CBOR
4.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign is shown below in JSON An example of C2 domains from a given campaign is shown below in JSON
and CBOR, respectively. and CBOR, respectively.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
"purpose": "watch", "purpose": "watch",
"restriction": "green", "restriction": "green",
"IncidentID": { "IncidentID": {
"id": "897923", "id": "897923",
"name": "csirt.example.com" "name": "csirt.example.com"
}, },
"RelatedActivity": [{ "RelatedActivity": [{
"ThreatActor": [{ "ThreatActor": [{
"ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
"Description": ["Aggressive Butterfly"]}], "Description": ["Aggressive Butterfly"]}],
"Campaign": [{ "Campaign": [{
"CampaignID": ["C-2015-59405"], "CampaignID": ["C-2015-59405"],
"Description": ["Orange Giraffe"] "Description": ["Orange Giraffe"]
}] }]
}], }],
"GenerationTime": "2015-10-02T11:18:00-05:00", "GenerationTime": "2015-10-02T11:18:00-05:00",
"Description": ["Summarizes the Indicators of Compromise for the "Description": ["Summarizes the Indicators of Compromise for the
Orange Giraffe campaign of the Aggressive Butterfly crime gang."], Orange Giraffe campaign of the Aggressive Butterfly crime
"Assessment": [{ gang."],
"Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] "Assessment": [{
}], "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
"Contact": [{ }],
"type": "organization", "Contact": [{
"role": "creator", "type": "organization",
"ContactName": ["CSIRT for example.com"], "role": "creator",
"Email": [{ "ContactName": ["CSIRT for example.com"],
"EmailTo": "contact@csirt.example.com" "Email": [{
}] "EmailTo": "contact@csirt.example.com"
}], }]
"Indicator": [{ }],
"IndicatorID": { "Indicator": [{
"id": "G90823490", "IndicatorID": {
"name": "csirt.example.com", "id": "G90823490",
"version": "1" "name": "csirt.example.com",
}, "version": "1"
"Description": ["C2 domains"], },
"StartTime": "2014-12-02T11:18:00-05:00", "Description": ["C2 domains"],
"Observable": { "StartTime": "2014-12-02T11:18:00-05:00",
"BulkObservable": { "Observable": {
"type": "domain-name", "BulkObservable": {
"BulkObservableList": "kj290023j09r34.example.com"} "type": "domain-name",
} "BulkObservableList": "kj290023j09r34.example.com"}
}] }
}] }]
} }]
}
Figure 6: Indicators from a Campaign in JSON Figure 3: Indicators from a Campaign in JSON
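Review bot: The Description value in this JSON example is wrapped inside the string literal ("...for the" / "Orange Giraffe campaign...") in both columns, and a raw line break inside a JSON string is not valid JSON, so the figure does not parse if copied as shown. The CBOR rendering of the same value is text(111), which is the length of the sentence joined with single spaces, so the wrap is presentational only. Suggest saying so next to the figure or keeping the value on one line.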
A3 # map(3) A3 # map(3)
37 # negative(23) 37 # negative(23)
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
36 # negative(22) 36 # negative(22)
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
32 # negative(18) 32 # negative(18)
81 # array(1) 81 # array(1)
A9 # map(9) A9 # map(9)
21 # negative(1) 21 # negative(1)
65 # text(5) 65 # text(5)
7761746368 # "watch" 7761746368 # "watch"
29 # negative(9) 29 # negative(9)
65 # text(5) 65 # text(5)
677265656E # "green" 677265656E # "green"
02 # unsigned(2) 02 # unsigned(2)
A2 # map(2) A2 # map(2)
12 # unsigned(18) 12 # unsigned(18)
66 # text(6) 66 # text(6)
383937393233 # "897923" 383937393233 # "897923"
2E # negative(14) 2E # negative(14)
71 # text(17) 71 # text(17)
63736972742E6578616D706C652E636F6D 63736972742E6578616D706C652E636F6D
# "csirt.example.com" # "csirt.example.com"
04 # unsigned(4) 04 # unsigned(4)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
14 # unsigned(20) 14 # unsigned(20)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 18 # unsigned(24) 18 18 # unsigned(24)
81 # array(1) 81 # array(1)
78 1A # text(26) 78 1A # text(26)
54412D31322D414747524553534956452D425554544552464C59 54412D31322D414747524553534956452D4
# "TA-12-AGGRESSIVE-BUTTERFLY" 25554544552464C59
24 # negative(4) # "TA-12-AGGRESSIVE
81 # array(1) # -BUTTERFLY"
74 # text(20) 24 # negative(4)
4167677265737369766520427574746572666C79 81 # array(1)
# "Aggressive Butterfly" 74 # text(20)
15 # unsigned(21) 41676772657373697665204275747465726
81 # array(1) 66C79
A2 # map(2) # "Aggressive Butterfly"
18 19 # unsigned(25) 15 # unsigned(21)
81 # array(1) 81 # array(1)
6C # text(12) A2 # map(2)
432D323031352D3539343035 18 19 # unsigned(25)
# "C-2015-59405" 81 # array(1)
24 # negative(4) 6C # text(12)
81 # array(1) 432D323031352D3539343035
6E # text(14) # "C-2015-59405"
4F72616E67652047697261666665 24 # negative(4)
# "Orange Giraffe" 81 # array(1)
0A # unsigned(10) 6E # text(14)
78 19 # text(25) 4F72616E67652047697261666665
323031352D31302D30325431313A31383A30302D30353A3030 # "Orange Giraffe"
# "2015-10-02T11:18:00-05:00" 0A # unsigned(10)
24 # negative(4) 78 19 # text(25)
81 # array(1) 323031352D31302D30325431313A31383A30302D30353A3030
78 6F # text(111) # "2015-10-02T11:18:00-05:00"
53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E 24 # negative(4)
# "Summarizes the Indicators of 81 # array(1)
# Compromise for the Orange Giraffe 78 6F # text(111)
# campaign of the Aggressive 53756D6D6172697A65732074686520496E64696361746F7
# Butterfly crime gang." 273206F6620436F6D70726F6D69736520666F7220746865
0C # unsigned(12) 204F72616E676520476972616666652063616D706169676
81 # array(1) E206F662074686520416767726573736976652042757474
A1 # map(1) 6572666C79206372696D652067616E672E
18 3F # unsigned(63) # "Summarizes the Indicators
81 # array(1) # of Compromise for the
A1 # map(1) # Orange Giraffe campaign
18 41 # unsigned(65) # of the Aggressive
A1 # map(1) # Butterfly crime gang."
18 1C # unsigned(28) 0C # unsigned(12)
72 # text(18) 81 # array(1)
6272656163682D70726F7072696574617279 A1 # map(1)
# "breach-proprietary" 18 3F # unsigned(63)
0E # unsigned(14) 81 # array(1)
81 # array(1) A1 # map(1)
A4 # map(4) 18 41 # unsigned(65)
18 1C # unsigned(28) A1 # map(1)
6C # text(12) 18 1C # unsigned(28)
6F7267616E697A6174696F6E 72 # text(18)
# "organization" 6272656163682D70726F7072696574617279
18 1A # unsigned(26) # "breach-proprietary"
67 # text(7) 0E # unsigned(14)
63726561746F72 # "creator" 81 # array(1)
18 1E # unsigned(30) A4 # map(4)
81 # array(1) 18 1C # unsigned(28)
75 # text(21) 6C # text(12)
435349525420666F72206578616D706C652E636F6D 6F7267616E697A6174696F6E
# "CSIRT for example.com" # "organization"
18 22 # unsigned(34) 18 1A # unsigned(26)
81 # array(1) 67 # text(7)
A1 # map(1) 63726561746F72 # "creator"
18 29 # unsigned(41) 18 1E # unsigned(30)
78 19 # text(25) 81 # array(1)
636F6E746163744063736972742E6578616D706C652E636F6D 75 # text(21)
# "contact@csirt.example.com" 435349525420666F72206578616D706C652E636F6D
10 # unsigned(16) # "CSIRT for example.com"
81 # array(1) 18 22 # unsigned(34)
A4 # map(4) 81 # array(1)
16 # unsigned(22) A1 # map(1)
A3 # map(3) 18 29 # unsigned(41)
12 # unsigned(18) 78 19 # text(25)
69 # text(9) 636F6E746163744063736972742E6578616D70
473930383233343930 # "G90823490" 6C652E636F6D
2E # negative(14) # "contact@csirt.example.com"
71 # text(17) 10 # unsigned(16)
63736972742E6578616D706C652E636F6D 81 # array(1)
# "csirt.example.com" A4 # map(4)
37 # negative(23) 16 # unsigned(22)
61 # text(1) A3 # map(3)
31 # "1" 12 # unsigned(18)
24 # negative(4) 69 # text(9)
81 # array(1) 473930383233343930 # "G90823490"
6A # text(10) 2E # negative(14)
433220646F6D61696E73 # "C2 domains" 71 # text(17)
06 # unsigned(6) 63736972742E6578616D706C652E636F6D
78 19 # text(25) # "csirt.example.com"
323031342D31322D30325431313A31383A30302D30353A3030 37 # negative(23)
# "2014-12-02T11:18:00-05:00" 61 # text(1)
18 AB # unsigned(171) 31 # "1"
A1 # map(1) 24 # negative(4)
18 B0 # unsigned(176) 81 # array(1)
A2 # map(2) 6A # text(10)
18 1C # unsigned(28) 433220646F6D61696E73 # "C2 domains"
6B # text(11) 06 # unsigned(6)
646F6D61696E2D6E616D65 78 19 # text(25)
# "domain-name" 323031342D31322D30325431313A31383A30302D30353A3030
18 B2 # unsigned(178) # "2014-12-02T11:18:00-05:00"
78 1A # text(26) 18 AB # unsigned(171)
6B6A3239303032336A30397233342E6578616D706C652E636F6D A1 # map(1)
# "kj290023j09r34.example.com" 18 B0 # unsigned(176)
A2 # map(2)
18 1C # unsigned(28)
6B # text(11)
646F6D61696E2D6E616D65
# "domain-name"
18 B2 # unsigned(178)
78 1A # text(26)
6B6A3239303032336A30397233342E6578616D
706C652E636F6D
# "kj290023j09r34.example.com"
Figure 7: Indicators from a Campaign in CBOR Figure 4: Indicators from a Campaign in CBOR
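Review bot: In the right-hand column the long hex strings are wrapped in the middle of a byte, for example `54412D31322D414747524553534956452D4` followed by `25554544552464C59`, where the trailing `4` and the leading `2` are the two halves of 0x42. A reader or script that decodes the annotated dump line by line gets an odd number of hex digits on each of those lines. Suggest wrapping at byte boundaries, as is already done for the e-mail address string (`...6578616D70` / `6C652E636F6D`).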
5. Mapkeys 5. Mapkeys
The mapkeys are provided in Table Figure 8 for minimizing the CBOR The mapkeys are provided in Table 4 for minimizing the CBOR size.
size.
+-----------------------------------+-------+ +===================================+=========+
|mapkey |cborkey| | mapkey | cborkey |
+-----------------------------------+-------+ +===================================+=========+
| iodef-version | -24 | | iodef-version | -24 |
| iodef-lang | -23 | +-----------------------------------+---------+
| iodef-format-id | -22 | | iodef-lang | -23 |
| iodef-private-enum-name | -21 | +-----------------------------------+---------+
| iodef-private-enum-id | -20 | | iodef-format-id | -22 |
| iodef-Incident | -19 | +-----------------------------------+---------+
| iodef-AdditionalData | -18 | | iodef-private-enum-name | -21 |
| iodef-value | -17 | +-----------------------------------+---------+
| iodef-translation-id | -16 | | iodef-private-enum-id | -20 |
| iodef-name | -15 | +-----------------------------------+---------+
| iodef-dtype | -14 | | iodef-Incident | -19 |
| iodef-ext-dtype | -13 | +-----------------------------------+---------+
| iodef-meaning | -12 | | iodef-AdditionalData | -18 |
| iodef-formatid | -11 | +-----------------------------------+---------+
| iodef-restriction | -10 | | iodef-value | -17 |
| iodef-ext-restriction | -9 | +-----------------------------------+---------+
| iodef-observable-id | -8 | | iodef-translation-id | -16 |
| iodef-SoftwareReference | -7 | +-----------------------------------+---------+
| iodef-URL | -6 | | iodef-name | -15 |
| iodef-Description | -5 | +-----------------------------------+---------+
| iodef-spec-name | -4 | | iodef-dtype | -14 |
| iodef-ext-spec-name | -3 | +-----------------------------------+---------+
| iodef-purpose | -2 | | iodef-ext-dtype | -13 |
| iodef-ext-purpose | -1 | +-----------------------------------+---------+
| iodef-status | 0 | | iodef-meaning | -12 |
| iodef-ext-status | 1 | +-----------------------------------+---------+
| iodef-IncidentID | 2 | | iodef-formatid | -11 |
| iodef-AlternativeID | 3 | +-----------------------------------+---------+
| iodef-RelatedActivity | 4 | | iodef-restriction | -10 |
| iodef-DetectTime | 5 | +-----------------------------------+---------+
| iodef-StartTime | 6 | | iodef-ext-restriction | -9 |
| iodef-EndTime | 7 | +-----------------------------------+---------+
| iodef-RecoveryTime | 8 | | iodef-observable-id | -8 |
| iodef-ReportTime | 9 | +-----------------------------------+---------+
| iodef-GenerationTime | 10 | | iodef-SoftwareReference | -7 |
| iodef-Discovery | 11 | +-----------------------------------+---------+
| iodef-Assessment | 12 | | iodef-URL | -6 |
| iodef-Method | 13 | +-----------------------------------+---------+
| iodef-Contact | 14 | | iodef-Description | -5 |
| iodef-EventData | 15 | +-----------------------------------+---------+
| iodef-Indicator | 16 | | iodef-spec-name | -4 |
| iodef-History | 17 | +-----------------------------------+---------+
| iodef-id | 18 | | iodef-ext-spec-name | -3 |
| iodef-instance | 19 | +-----------------------------------+---------+
| iodef-ThreatActor | 20 | | iodef-purpose | -2 |
| iodef-Campaign | 21 | +-----------------------------------+---------+
| iodef-IndicatorID | 22 | | iodef-ext-purpose | -1 |
| iodef-Confidence | 23 | +-----------------------------------+---------+
| iodef-ThreatActorID | 24 | | iodef-status | 0 |
| iodef-CampaignID | 25 | +-----------------------------------+---------+
| iodef-role | 26 | | iodef-ext-status | 1 |
| iodef-ext-role | 27 | +-----------------------------------+---------+
| iodef-type | 28 | | iodef-IncidentID | 2 |
| iodef-ext-type | 29 | +-----------------------------------+---------+
| iodef-ContactName | 30 | | iodef-AlternativeID | 3 |
| iodef-ContactTitle | 31 | +-----------------------------------+---------+
| iodef-RegistryHandle | 32 | | iodef-RelatedActivity | 4 |
| iodef-PostalAddress | 33 | +-----------------------------------+---------+
| iodef-Email | 34 | | iodef-DetectTime | 5 |
| iodef-Telephone | 35 | +-----------------------------------+---------+
| iodef-Timezone | 36 | | iodef-StartTime | 6 |
| iodef-handle | 37 | +-----------------------------------+---------+
| iodef-registry | 38 | | iodef-EndTime | 7 |
| iodef-ext-registry | 39 | +-----------------------------------+---------+
| iodef-PAddress | 40 | | iodef-RecoveryTime | 8 |
| iodef-EmailTo | 41 | +-----------------------------------+---------+
| iodef-TelephoneNumber | 42 | | iodef-ReportTime | 9 |
| iodef-source | 43 | +-----------------------------------+---------+
| iodef-ext-source | 44 | | iodef-GenerationTime | 10 |
| iodef-DetectionPattern | 45 | +-----------------------------------+---------+
| iodef-DetectionConfiguration | 46 | | iodef-Discovery | 11 |
| iodef-Application | 47 | +-----------------------------------+---------+
| iodef-Reference | 48 | | iodef-Assessment | 12 |
| iodef-AttackPattern | 49 | +-----------------------------------+---------+
| iodef-Vulnerability | 50 | | iodef-Method | 13 |
| iodef-Weakness | 51 | +-----------------------------------+---------+
| iodef-SpecID | 52 | | iodef-Contact | 14 |
| iodef-ext-SpecID | 53 | +-----------------------------------+---------+
| iodef-ContentID | 54 | | iodef-EventData | 15 |
| iodef-RawData | 55 | +-----------------------------------+---------+
| iodef-Platform | 56 | | iodef-Indicator | 16 |
| iodef-Scoring | 57 | +-----------------------------------+---------+
| iodef-ReferenceName | 58 | | iodef-History | 17 |
| iodef-specIndex | 59 | +-----------------------------------+---------+
| iodef-ID | 60 | | iodef-id | 18 |
| iodef-occurrence | 61 | +-----------------------------------+---------+
| iodef-IncidentCategory | 62 | | iodef-instance | 19 |
| iodef-Impact | 63 | +-----------------------------------+---------+
| iodef-SystemImpact | 64 | | iodef-ThreatActor | 20 |
| iodef-BusinessImpact | 65 | +-----------------------------------+---------+
| iodef-TimeImpact | 66 | | iodef-Campaign | 21 |
| iodef-MonetaryImpact | 67 | +-----------------------------------+---------+
| iodef-IntendedImpact | 68 | | iodef-IndicatorID | 22 |
| iodef-Counter | 69 | +-----------------------------------+---------+
| iodef-MitigatingFactor | 70 | | iodef-Confidence | 23 |
| iodef-Cause | 71 | +-----------------------------------+---------+
| iodef-severity | 72 | | iodef-ThreatActorID | 24 |
| iodef-completion | 73 | +-----------------------------------+---------+
| iodef-ext-severity | 74 | | iodef-CampaignID | 25 |
| iodef-metric | 75 | +-----------------------------------+---------+
| iodef-ext-metric | 76 | | iodef-role | 26 |
| iodef-duration | 77 | +-----------------------------------+---------+
| iodef-ext-duration | 78 | | iodef-ext-role | 27 |
| iodef-currency | 79 | +-----------------------------------+---------+
| iodef-rating | 80 | | iodef-type | 28 |
| iodef-ext-rating | 81 | +-----------------------------------+---------+
| iodef-HistoryItem | 82 | | iodef-ext-type | 29 |
| iodef-action | 83 | +-----------------------------------+---------+
| iodef-ext-action | 84 | | iodef-ContactName | 30 |
| iodef-DateTime | 85 | +-----------------------------------+---------+
| iodef-DefinedCOA | 86 | | iodef-ContactTitle | 31 |
| iodef-System | 87 | +-----------------------------------+---------+
| iodef-Expectation | 88 | | iodef-RegistryHandle | 32 |
| iodef-RecordData | 89 | +-----------------------------------+---------+
| iodef-category | 90 | | iodef-PostalAddress | 33 |
| iodef-ext-category | 91 | +-----------------------------------+---------+
| iodef-interface | 92 | | iodef-Email | 34 |
| iodef-spoofed | 93 | +-----------------------------------+---------+
| iodef-virtual | 94 | | iodef-Telephone | 35 |
| iodef-ownership | 95 | +-----------------------------------+---------+
| iodef-ext-ownership | 96 | | iodef-Timezone | 36 |
| iodef-Node | 97 | +-----------------------------------+---------+
| iodef-NodeRole | 98 | | iodef-handle | 37 |
| iodef-Service | 99 | +-----------------------------------+---------+
| iodef-OperatingSystem | 100 | | iodef-registry | 38 |
| iodef-AssetID | 101 | +-----------------------------------+---------+
| iodef-DomainData | 102 | | iodef-ext-registry | 39 |
| iodef-Address | 103 | +-----------------------------------+---------+
| iodef-Location | 104 | | iodef-PAddress | 40 |
| iodef-vlan-name | 105 | +-----------------------------------+---------+
| iodef-vlan-num | 106 | | iodef-EmailTo | 41 |
| iodef-unit | 107 | +-----------------------------------+---------+
| iodef-ext-unit | 108 | | iodef-TelephoneNumber | 42 |
| iodef-system-status | 109 | +-----------------------------------+---------+
| iodef-ext-system-status | 110 | | iodef-source | 43 |
| iodef-domain-status | 111 | +-----------------------------------+---------+
| iodef-ext-domain-status | 112 | | iodef-ext-source | 44 |
| iodef-Name | 113 | +-----------------------------------+---------+
| iodef-DateDomainWasChecked | 114 | | iodef-DetectionPattern | 45 |
| iodef-RegistrationDate | 115 | +-----------------------------------+---------+
| iodef-ExpirationDate | 116 | | iodef-DetectionConfiguration | 46 |
| iodef-RelatedDNS | 117 | +-----------------------------------+---------+
| iodef-NameServers | 118 | | iodef-Application | 47 |
| iodef-DomainContacts | 119 | +-----------------------------------+---------+
| iodef-Server | 120 | | iodef-Reference | 48 |
| iodef-SameDomainContact | 121 | +-----------------------------------+---------+
| iodef-ip-protocol | 122 | | iodef-AttackPattern | 49 |
| iodef-ServiceName | 123 | +-----------------------------------+---------+
| iodef-Port | 124 | | iodef-Vulnerability | 50 |
| iodef-Portlist | 125 | +-----------------------------------+---------+
| iodef-ProtoCode | 126 | | iodef-Weakness | 51 |
| iodef-ProtoType | 127 | +-----------------------------------+---------+
| iodef-ProtoField | 128 | | iodef-SpecID | 52 |
| iodef-ApplicationHeaderField | 129 | +-----------------------------------+---------+
| iodef-EmailData | 130 | | iodef-ext-SpecID | 53 |
| iodef-IANAService | 131 | +-----------------------------------+---------+
| iodef-EmailFrom | 132 | | iodef-ContentID | 54 |
| iodef-EmailSubject | 133 | +-----------------------------------+---------+
| iodef-EmailX-Mailer | 134 | | iodef-RawData | 55 |
| iodef-EmailHeaderField | 135 | +-----------------------------------+---------+
| iodef-EmailHeaders | 136 | | iodef-Platform | 56 |
| iodef-EmailBody | 137 | +-----------------------------------+---------+
| iodef-EmailMessage | 138 | | iodef-Scoring | 57 |
| iodef-HashData | 139 | +-----------------------------------+---------+
| iodef-Signature | 140 | | iodef-ReferenceName | 58 |
| iodef-RecordPattern | 141 | +-----------------------------------+---------+
| iodef-RecordItem | 142 | | iodef-specIndex | 59 |
| iodef-FileData | 143 | +-----------------------------------+---------+
| iodef-WindowsRegistryKeysModified | 169 | | iodef-ID | 60 |
| iodef-CertificateData | 145 | +-----------------------------------+---------+
| iodef-offset | 146 | | iodef-occurrence | 61 |
| iodef-offsetunit | 147 | +-----------------------------------+---------+
| iodef-ext-offsetunit | 148 | | iodef-IncidentCategory | 62 |
| iodef-Key | 149 | +-----------------------------------+---------+
| iodef-registryaction | 150 | | iodef-Impact | 63 |
| iodef-ext-registryaction | 151 | +-----------------------------------+---------+
| iodef-KeyName | 152 | | iodef-SystemImpact | 64 |
| iodef-KeyValue | 153 | +-----------------------------------+---------+
| iodef-Certificate | 154 | | iodef-BusinessImpact | 65 |
| iodef-X509Data | 155 | +-----------------------------------+---------+
| iodef-File | 156 | | iodef-TimeImpact | 66 |
| iodef-FileName | 157 | +-----------------------------------+---------+
| iodef-FileSize | 158 | | iodef-MonetaryImpact | 67 |
| iodef-FileType | 159 | +-----------------------------------+---------+
| iodef-AssociatedSoftware | 160 | | iodef-IntendedImpact | 68 |
| iodef-FileProperties | 161 | +-----------------------------------+---------+
| iodef-scope | 162 | | iodef-Counter | 69 |
| iodef-HashTargetID | 163 | +-----------------------------------+---------+
| iodef-Hash | 164 | | iodef-MitigatingFactor | 70 |
| iodef-FuzzyHash | 165 | +-----------------------------------+---------+
| iodef-DigestMethod | 166 | | iodef-Cause | 71 |
| iodef-DigestValue | 167 | +-----------------------------------+---------+
| iodef-CanonicalizationMethod | 168 | | iodef-severity | 72 |
| iodef-FuzzyHashValue | 169 | +-----------------------------------+---------+
| iodef-AlternativeIndicatorID | 170 | | iodef-completion | 73 |
| iodef-Observable | 171 | +-----------------------------------+---------+
| iodef-uid-ref | 172 | | iodef-ext-severity | 74 |
| iodef-IndicatorExpression | 173 | +-----------------------------------+---------+
| iodef-IndicatorReference | 174 | | iodef-metric | 75 |
| iodef-AttackPhase | 175 | +-----------------------------------+---------+
| iodef-BulkObservable | 176 | | iodef-ext-metric | 76 |
| iodef-BulkObservableFormat | 177 | +-----------------------------------+---------+
| iodef-BulkObservableList | 178 | | iodef-duration | 77 |
| iodef-operator | 179 | +-----------------------------------+---------+
| iodef-ext-operator | 180 | | iodef-ext-duration | 78 |
| iodef-euid-ref | 181 | +-----------------------------------+---------+
| iodef-AttackPhaseID | 182 | | iodef-currency | 79 |
+-----------------------------------+-------+ +-----------------------------------+---------+
| iodef-rating | 80 |
+-----------------------------------+---------+
| iodef-ext-rating | 81 |
+-----------------------------------+---------+
| iodef-HistoryItem | 82 |
+-----------------------------------+---------+
| iodef-action | 83 |
+-----------------------------------+---------+
| iodef-ext-action | 84 |
+-----------------------------------+---------+
| iodef-DateTime | 85 |
+-----------------------------------+---------+
| iodef-DefinedCOA | 86 |
+-----------------------------------+---------+
| iodef-System | 87 |
+-----------------------------------+---------+
| iodef-Expectation | 88 |
+-----------------------------------+---------+
| iodef-RecordData | 89 |
+-----------------------------------+---------+
| iodef-category | 90 |
+-----------------------------------+---------+
| iodef-ext-category | 91 |
+-----------------------------------+---------+
| iodef-interface | 92 |
+-----------------------------------+---------+
| iodef-spoofed | 93 |
+-----------------------------------+---------+
| iodef-virtual | 94 |
+-----------------------------------+---------+
| iodef-ownership | 95 |
+-----------------------------------+---------+
| iodef-ext-ownership | 96 |
+-----------------------------------+---------+
| iodef-Node | 97 |
+-----------------------------------+---------+
| iodef-NodeRole | 98 |
+-----------------------------------+---------+
| iodef-Service | 99 |
+-----------------------------------+---------+
| iodef-OperatingSystem | 100 |
+-----------------------------------+---------+
| iodef-AssetID | 101 |
+-----------------------------------+---------+
| iodef-DomainData | 102 |
+-----------------------------------+---------+
| iodef-Address | 103 |
+-----------------------------------+---------+
| iodef-Location | 104 |
+-----------------------------------+---------+
| iodef-vlan-name | 105 |
+-----------------------------------+---------+
| iodef-vlan-num | 106 |
+-----------------------------------+---------+
| iodef-unit | 107 |
+-----------------------------------+---------+
| iodef-ext-unit | 108 |
+-----------------------------------+---------+
| iodef-system-status | 109 |
+-----------------------------------+---------+
| iodef-ext-system-status | 110 |
+-----------------------------------+---------+
| iodef-domain-status | 111 |
+-----------------------------------+---------+
| iodef-ext-domain-status | 112 |
+-----------------------------------+---------+
| iodef-Name | 113 |
+-----------------------------------+---------+
| iodef-DateDomainWasChecked | 114 |
+-----------------------------------+---------+
| iodef-RegistrationDate | 115 |
+-----------------------------------+---------+
| iodef-ExpirationDate | 116 |
+-----------------------------------+---------+
| iodef-RelatedDNS | 117 |
+-----------------------------------+---------+
| iodef-NameServers | 118 |
+-----------------------------------+---------+
| iodef-DomainContacts | 119 |
+-----------------------------------+---------+
| iodef-Server | 120 |
+-----------------------------------+---------+
| iodef-SameDomainContact | 121 |
+-----------------------------------+---------+
| iodef-ip-protocol | 122 |
+-----------------------------------+---------+
| iodef-ServiceName | 123 |
+-----------------------------------+---------+
| iodef-Port | 124 |
+-----------------------------------+---------+
| iodef-Portlist | 125 |
+-----------------------------------+---------+
| iodef-ProtoCode | 126 |
+-----------------------------------+---------+
| iodef-ProtoType | 127 |
+-----------------------------------+---------+
| iodef-ProtoField | 128 |
+-----------------------------------+---------+
| iodef-ApplicationHeaderField | 129 |
+-----------------------------------+---------+
| iodef-EmailData | 130 |
+-----------------------------------+---------+
| iodef-IANAService | 131 |
+-----------------------------------+---------+
| iodef-EmailFrom | 132 |
+-----------------------------------+---------+
| iodef-EmailSubject | 133 |
+-----------------------------------+---------+
| iodef-EmailX-Mailer | 134 |
+-----------------------------------+---------+
| iodef-EmailHeaderField | 135 |
+-----------------------------------+---------+
| iodef-EmailHeaders | 136 |
+-----------------------------------+---------+
| iodef-EmailBody | 137 |
+-----------------------------------+---------+
| iodef-EmailMessage | 138 |
+-----------------------------------+---------+
| iodef-HashData | 139 |
+-----------------------------------+---------+
| iodef-Signature | 140 |
+-----------------------------------+---------+
| iodef-RecordPattern | 141 |
+-----------------------------------+---------+
| iodef-RecordItem | 142 |
+-----------------------------------+---------+
| iodef-FileData | 143 |
+-----------------------------------+---------+
| iodef-WindowsRegistryKeysModified | 144 |
+-----------------------------------+---------+
| iodef-CertificateData | 145 |
+-----------------------------------+---------+
| iodef-offset | 146 |
+-----------------------------------+---------+
| iodef-offsetunit | 147 |
+-----------------------------------+---------+
| iodef-ext-offsetunit | 148 |
+-----------------------------------+---------+
| iodef-Key | 149 |
+-----------------------------------+---------+
| iodef-registryaction | 150 |
+-----------------------------------+---------+
| iodef-ext-registryaction | 151 |
+-----------------------------------+---------+
| iodef-KeyName | 152 |
+-----------------------------------+---------+
| iodef-KeyValue | 153 |
+-----------------------------------+---------+
| iodef-Certificate | 154 |
+-----------------------------------+---------+
| iodef-X509Data | 155 |
+-----------------------------------+---------+
| iodef-File | 156 |
+-----------------------------------+---------+
| iodef-FileName | 157 |
+-----------------------------------+---------+
| iodef-FileSize | 158 |
+-----------------------------------+---------+
| iodef-FileType | 159 |
+-----------------------------------+---------+
| iodef-AssociatedSoftware | 160 |
+-----------------------------------+---------+
| iodef-FileProperties | 161 |
+-----------------------------------+---------+
| iodef-scope | 162 |
+-----------------------------------+---------+
| iodef-HashTargetID | 163 |
+-----------------------------------+---------+
| iodef-Hash | 164 |
+-----------------------------------+---------+
| iodef-FuzzyHash | 165 |
+-----------------------------------+---------+
| iodef-DigestMethod | 166 |
+-----------------------------------+---------+
| iodef-DigestValue | 167 |
+-----------------------------------+---------+
| iodef-CanonicalizationMethod | 168 |
+-----------------------------------+---------+
| iodef-FuzzyHashValue | 169 |
+-----------------------------------+---------+
| iodef-AlternativeIndicatorID | 170 |
+-----------------------------------+---------+
| iodef-Observable | 171 |
+-----------------------------------+---------+
| iodef-uid-ref | 172 |
+-----------------------------------+---------+
| iodef-IndicatorExpression | 173 |
+-----------------------------------+---------+
| iodef-IndicatorReference | 174 |
+-----------------------------------+---------+
| iodef-AttackPhase | 175 |
+-----------------------------------+---------+
| iodef-BulkObservable | 176 |
+-----------------------------------+---------+
| iodef-BulkObservableFormat | 177 |
+-----------------------------------+---------+
| iodef-BulkObservableList | 178 |
+-----------------------------------+---------+
| iodef-operator | 179 |
+-----------------------------------+---------+
| iodef-ext-operator | 180 |
+-----------------------------------+---------+
| iodef-euid-ref | 181 |
+-----------------------------------+---------+
| iodef-AttackPhaseID | 182 |
+-----------------------------------+---------+
Figure 8: Mapkeys Table 4: Mapkeys
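Review bot: In the left-hand column iodef-WindowsRegistryKeysModified is assigned cborkey 169, the same value as iodef-FuzzyHashValue, and no entry uses 144; the right-hand column has 144, which restores a one-to-one mapping. The same 169 appears in the left-hand CDDL list (`iodef-WindowsRegistryKeysModified = 169`), so the table and the CDDL need the correction together. A uniqueness check over the cborkey values would catch this kind of duplicate, since a decoder that maps integers back to names cannot resolve two names for one key.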
6. The IODEF Data Model (CDDL) 6. The IODEF Data Model (CDDL)
This section provides the IODEF data model. Note that mapkeys are This section provides the IODEF data model. Note that mapkeys are
described at the beginning of the CDDL data model for better described at the beginning of the CDDL data model for better
readability. readability.
start = iodef start = iodef
;;; iodef.json: IODEF-Document
iodef-version = -24 ;;; iodef.json: IODEF-Document
iodef-lang = -23
iodef-format-id = -22
iodef-private-enum-name = -21
iodef-private-enum-id = -20
iodef-Incident = -19
iodef-AdditionalData = -18
iodef-value = -17
iodef-translation-id = -16
iodef-name = -15
iodef-dtype = -14
iodef-ext-dtype = -13
iodef-meaning = -12
iodef-formatid = -11
iodef-restriction = -10
iodef-ext-restriction = -9
iodef-observable-id = -8
iodef-SoftwareReference = -7
iodef-URL = -6
iodef-Description = -5
iodef-spec-name = -4
iodef-ext-spec-name = -3
iodef-purpose = -2
iodef-ext-purpose = -1
iodef-status = 0
iodef-ext-status = 1
iodef-IncidentID = 2
iodef-AlternativeID = 3
iodef-RelatedActivity = 4
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-RecoveryTime = 8
iodef-ReportTime = 9
iodef-GenerationTime = 10
iodef-Discovery = 11
iodef-Assessment = 12
iodef-Method = 13
iodef-Contact = 14
iodef-EventData = 15
iodef-Indicator = 16
iodef-History = 17
iodef-id = 18
iodef-instance = 19
iodef-ThreatActor = 20
iodef-Campaign = 21
iodef-IndicatorID = 22
iodef-Confidence = 23
iodef-ThreatActorID = 24
iodef-CampaignID = 25
iodef-role = 26
iodef-ext-role = 27
iodef-type = 28
iodef-ext-type = 29
iodef-ContactName = 30
iodef-ContactTitle = 31
iodef-RegistryHandle = 32
iodef-PostalAddress = 33
iodef-Email = 34
iodef-Telephone = 35
iodef-Timezone = 36
iodef-handle = 37
iodef-registry = 38
iodef-ext-registry = 39
iodef-PAddress = 40
iodef-EmailTo = 41
iodef-TelephoneNumber = 42
iodef-source = 43
iodef-ext-source = 44
iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 46
iodef-Application = 47
iodef-Reference = 48
iodef-AttackPattern = 49
iodef-Vulnerability = 50
iodef-Weakness = 51
iodef-SpecID = 52
iodef-ext-SpecID = 53
iodef-ContentID = 54
iodef-RawData = 55
iodef-Platform = 56
iodef-Scoring = 57
iodef-ReferenceName = 58
iodef-specIndex = 59
iodef-ID = 60
iodef-occurrence = 61
iodef-IncidentCategory = 62
iodef-Impact = 63
iodef-SystemImpact = 64
iodef-BusinessImpact = 65
iodef-TimeImpact = 66
iodef-MonetaryImpact = 67
iodef-IntendedImpact = 68
iodef-Counter = 69
iodef-MitigatingFactor = 70
iodef-Cause = 71
iodef-severity = 72
iodef-completion = 73
iodef-ext-severity = 74
iodef-metric = 75
iodef-ext-metric = 76
iodef-duration = 77
iodef-ext-duration = 78
iodef-currency = 79
iodef-rating = 80
iodef-ext-rating = 81
iodef-HistoryItem = 82
iodef-action = 83
iodef-ext-action = 84
iodef-DateTime = 85
iodef-DefinedCOA = 86
iodef-System = 87
iodef-Expectation = 88
iodef-RecordData = 89
iodef-category = 90
iodef-ext-category = 91
iodef-interface = 92
iodef-spoofed = 93
iodef-virtual = 94
iodef-ownership = 95
iodef-ext-ownership = 96
iodef-Node = 97
iodef-NodeRole = 98
iodef-Service = 99
iodef-OperatingSystem = 100
iodef-AssetID = 101
iodef-DomainData = 102
iodef-Address = 103
iodef-Location = 104
iodef-vlan-name = 105
iodef-vlan-num = 106
iodef-unit = 107
iodef-ext-unit = 108
iodef-system-status = 109
iodef-ext-system-status = 110
iodef-domain-status = 111
iodef-ext-domain-status = 112
iodef-Name = 113
iodef-DateDomainWasChecked = 114
iodef-RegistrationDate = 115
iodef-ExpirationDate = 116
iodef-RelatedDNS = 117
iodef-NameServers = 118
iodef-DomainContacts = 119
iodef-Server = 120
iodef-SameDomainContact = 121
iodef-ip-protocol = 122
iodef-ServiceName = 123
iodef-Port = 124
iodef-Portlist = 125
iodef-ProtoCode = 126
iodef-ProtoType = 127
iodef-ProtoField = 128
iodef-ApplicationHeaderField = 129
iodef-EmailData = 130
iodef-IANAService = 131
iodef-EmailFrom = 132
iodef-EmailSubject = 133
iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 135
iodef-EmailHeaders = 136
iodef-EmailBody = 137
iodef-EmailMessage = 138
iodef-HashData = 139
iodef-Signature = 140
iodef-RecordPattern = 141
iodef-RecordItem = 142
iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 169
iodef-CertificateData = 145
iodef-offset = 146
iodef-offsetunit = 147
iodef-ext-offsetunit = 148
iodef-Key = 149
iodef-registryaction = 150
iodef-ext-registryaction = 151
iodef-KeyName = 152
iodef-KeyValue = 153
iodef-Certificate = 154
iodef-X509Data = 155
iodef-File = 156
iodef-FileName = 157
iodef-FileSize = 158
iodef-FileType = 159
iodef-AssociatedSoftware = 160
iodef-FileProperties = 161
iodef-scope = 162
iodef-HashTargetID = 163
iodef-Hash = 164
iodef-FuzzyHash = 165
iodef-DigestMethod = 166
iodef-DigestValue = 167
iodef-CanonicalizationMethod = 168
iodef-FuzzyHashValue = 169
iodef-AlternativeIndicatorID = 170
iodef-Observable = 171
iodef-uid-ref = 172
iodef-IndicatorExpression = 173
iodef-IndicatorReference = 174
iodef-AttackPhase = 175
iodef-BulkObservable = 176
iodef-BulkObservableFormat = 177
iodef-BulkObservableList = 178
iodef-operator = 179
iodef-ext-operator = 180
iodef-euid-ref = 181
iodef-AttackPhaseID = 182
iodef = { iodef-version = -24
iodef-version => text, iodef-lang = -23
? iodef-lang => lang, iodef-format-id = -22
? iodef-format-id => text iodef-private-enum-name = -21
? iodef-private-enum-name => text, iodef-private-enum-id = -20
? iodef-private-enum-id => text, iodef-Incident = -19
iodef-Incident => [+ Incident], iodef-AdditionalData = -18
? iodef-AdditionalData => [+ ExtensionType] iodef-value = -17
} iodef-translation-id = -16
iodef-name = -15
iodef-dtype = -14
iodef-ext-dtype = -13
iodef-meaning = -12
iodef-formatid = -11
iodef-restriction = -10
iodef-ext-restriction = -9
iodef-observable-id = -8
iodef-SoftwareReference = -7
iodef-URL = -6
iodef-Description = -5
iodef-spec-name = -4
iodef-ext-spec-name = -3
iodef-purpose = -2
iodef-ext-purpose = -1
iodef-status = 0
iodef-ext-status = 1
iodef-IncidentID = 2
iodef-AlternativeID = 3
iodef-RelatedActivity = 4
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-RecoveryTime = 8
iodef-ReportTime = 9
iodef-GenerationTime = 10
iodef-Discovery = 11
iodef-Assessment = 12
iodef-Method = 13
iodef-Contact = 14
iodef-EventData = 15
iodef-Indicator = 16
iodef-History = 17
iodef-id = 18
iodef-instance = 19
iodef-ThreatActor = 20
iodef-Campaign = 21
iodef-IndicatorID = 22
iodef-Confidence = 23
iodef-ThreatActorID = 24
iodef-CampaignID = 25
iodef-role = 26
iodef-ext-role = 27
iodef-type = 28
iodef-ext-type = 29
iodef-ContactName = 30
iodef-ContactTitle = 31
iodef-RegistryHandle = 32
iodef-PostalAddress = 33
iodef-Email = 34
iodef-Telephone = 35
iodef-Timezone = 36
iodef-handle = 37
iodef-registry = 38
iodef-ext-registry = 39
iodef-PAddress = 40
iodef-EmailTo = 41
iodef-TelephoneNumber = 42
iodef-source = 43
iodef-ext-source = 44
iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 46
iodef-Application = 47
iodef-Reference = 48
iodef-AttackPattern = 49
iodef-Vulnerability = 50
iodef-Weakness = 51
iodef-SpecID = 52
iodef-ext-SpecID = 53
iodef-ContentID = 54
iodef-RawData = 55
iodef-Platform = 56
iodef-Scoring = 57
iodef-ReferenceName = 58
iodef-specIndex = 59
iodef-ID = 60
iodef-occurrence = 61
iodef-IncidentCategory = 62
iodef-Impact = 63
iodef-SystemImpact = 64
iodef-BusinessImpact = 65
iodef-TimeImpact = 66
iodef-MonetaryImpact = 67
iodef-IntendedImpact = 68
iodef-Counter = 69
iodef-MitigatingFactor = 70
iodef-Cause = 71
iodef-severity = 72
iodef-completion = 73
iodef-ext-severity = 74
iodef-metric = 75
iodef-ext-metric = 76
iodef-duration = 77
iodef-ext-duration = 78
iodef-currency = 79
iodef-rating = 80
iodef-ext-rating = 81
iodef-HistoryItem = 82
iodef-action = 83
iodef-ext-action = 84
iodef-DateTime = 85
iodef-DefinedCOA = 86
iodef-System = 87
iodef-Expectation = 88
iodef-RecordData = 89
iodef-category = 90
iodef-ext-category = 91
iodef-interface = 92
iodef-spoofed = 93
iodef-virtual = 94
iodef-ownership = 95
iodef-ext-ownership = 96
iodef-Node = 97
iodef-NodeRole = 98
iodef-Service = 99
iodef-OperatingSystem = 100
iodef-AssetID = 101
iodef-DomainData = 102
iodef-Address = 103
iodef-Location = 104
iodef-vlan-name = 105
iodef-vlan-num = 106
iodef-unit = 107
iodef-ext-unit = 108
iodef-system-status = 109
iodef-ext-system-status = 110
iodef-domain-status = 111
iodef-ext-domain-status = 112
iodef-Name = 113
iodef-DateDomainWasChecked = 114
iodef-RegistrationDate = 115
iodef-ExpirationDate = 116
iodef-RelatedDNS = 117
iodef-NameServers = 118
iodef-DomainContacts = 119
iodef-Server = 120
iodef-SameDomainContact = 121
iodef-ip-protocol = 122
iodef-ServiceName = 123
iodef-Port = 124
iodef-Portlist = 125
iodef-ProtoCode = 126
iodef-ProtoType = 127
iodef-ProtoField = 128
iodef-ApplicationHeaderField = 129
iodef-EmailData = 130
iodef-IANAService = 131
iodef-EmailFrom = 132
iodef-EmailSubject = 133
iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 135
iodef-EmailHeaders = 136
iodef-EmailBody = 137
iodef-EmailMessage = 138
iodef-HashData = 139
iodef-Signature = 140
iodef-RecordPattern = 141
iodef-RecordItem = 142
iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 144
iodef-CertificateData = 145
iodef-offset = 146
iodef-offsetunit = 147
iodef-ext-offsetunit = 148
iodef-Key = 149
iodef-registryaction = 150
iodef-ext-registryaction = 151
iodef-KeyName = 152
iodef-KeyValue = 153
iodef-Certificate = 154
iodef-X509Data = 155
iodef-File = 156
iodef-FileName = 157
iodef-FileSize = 158
iodef-FileType = 159
iodef-AssociatedSoftware = 160
iodef-FileProperties = 161
iodef-scope = 162
iodef-HashTargetID = 163
iodef-Hash = 164
iodef-FuzzyHash = 165
iodef-DigestMethod = 166
iodef-DigestValue = 167
iodef-CanonicalizationMethod = 168
iodef-FuzzyHashValue = 169
iodef-AlternativeIndicatorID = 170
iodef-Observable = 171
iodef-uid-ref = 172
iodef-IndicatorExpression = 173
iodef-IndicatorReference = 174
iodef-AttackPhase = 175
iodef-BulkObservable = 176
iodef-BulkObservableFormat = 177
iodef-BulkObservableList = 178
iodef-operator = 179
iodef-ext-operator = 180
iodef-euid-ref = 181
iodef-AttackPhaseID = 182
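Review bot: the hand-numbered key table has no guard against duplicate values. In the lines shown, the draft column assigns 169 to both iodef-WindowsRegistryKeysModified and iodef-FuzzyHashValue and skips 144. The RFC column's `iodef-WindowsRegistryKeysModified = 144` fixes this, and it is the only assignment that differs between the two columns here. These labels are the map keys used by the definitions that follow (`iodef-version => text`, and so on), so a duplicate leaves two fields sharing one key. A mechanical uniqueness check over the table would catch a repeat. The text should also tell anyone who implemented from the draft table that this key changed.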
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / iodef = {
"year" / "ext-value" iodef-version => text,
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" ? iodef-lang => lang,
? iodef-format-id => text
? iodef-private-enum-name => text,
? iodef-private-enum-id => text,
iodef-Incident => [+ Incident],
? iodef-AdditionalData => [+ ExtensionType]
}
restriction = "public" / "partner" / "need-to-know" / "private" / duration = "second" / "minute" / "hour" / "day" / "month" /
"default" / "white" / "green" / "amber" / "red" / "quarter" / "year" / "ext-value"
"ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"
DATETIME = tdate restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" /
"ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp
"[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"
BYTE = eb64legacy DATETIME = tdate
MLStringType = { BYTE = eb64legacy
iodef-value => text,
? iodef-lang => lang,
? iodef-translation-id => text
} / text
PositiveFloatType = float32 .gt 0
PAddressType = MLStringType MLStringType = {
iodef-value => text,
? iodef-lang => lang,
? iodef-translation-id => text
} / text
ExtensionType = { PositiveFloatType = float32 .gt 0
iodef-value => text,
? iodef-name => text,
iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
.default "string"
? iodef-ext-dtype => text,
? iodef-meaning => text,
? iodef-formatid => text,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
}
SoftwareType = { PAddressType = MLStringType
? iodef-SoftwareReference => SoftwareReference,
? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType]
}
SoftwareReference = { ExtensionType = {
? iodef-value => text, iodef-value => text,
iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value", ? iodef-name => text,
? iodef-ext-spec-name => text, iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
"ext-value" .default "string", "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
? iodef-ext-dtype => text "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
} "ext-value"
.default "string"
? iodef-ext-dtype => text,
? iodef-meaning => text,
? iodef-formatid => text,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
}
Incident = { SoftwareType = {
iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / ? iodef-SoftwareReference => SoftwareReference,
"other" / "ext-value", ? iodef-URL => [+ URLtype],
? iodef-ext-purpose => text, ? iodef-Description => [+ MLStringType]
? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / }
"future" / "ext-value",
? iodef-ext-status => text,
? iodef-lang => lang,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
iodef-IncidentID => IncidentID,
? iodef-AlternativeID => AlternativeID,
? iodef-RelatedActivity => [+ RelatedActivity],
? iodef-DetectTime => DATETIME,
? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME,
iodef-GenerationTime => DATETIME,
? iodef-Description => [+ MLStringType],
? iodef-Discovery => [+ Discovery],
? iodef-Assessment => [+ Assessment],
? iodef-Method => [+ Method],
iodef-Contact => [+ Contact],
? iodef-EventData => [+ EventData],
? iodef-Indicator f=> [+ Indicator],
? iodef-History => History,
? iodef-AdditionalData => [+ ExtensionType]
}
IncidentID = { SoftwareReference = {
iodef-id => text, ? iodef-value => text,
iodef-name => text, iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
? iodef-instance => text, ? iodef-ext-spec-name => text,
? iodef-restriction => restriction .default "private", ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
? iodef-ext-restriction => text "ext-value" .default "string",
} ? iodef-ext-dtype => text
}
AlternativeID = { Incident = {
? iodef-restriction => restriction .default "private", iodef-purpose => "traceback" / "mitigation" / "reporting" /
? iodef-ext-restriction => text, "watch" / "other" / "ext-value",
iodef-IncidentID => [+ IncidentID] ? iodef-ext-purpose => text,
} ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
"future" / "ext-value",
? iodef-ext-status => text,
? iodef-lang => lang,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
iodef-IncidentID => IncidentID,
? iodef-AlternativeID => AlternativeID,
? iodef-RelatedActivity => [+ RelatedActivity],
? iodef-DetectTime => DATETIME,
? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME,
iodef-GenerationTime => DATETIME,
? iodef-Description => [+ MLStringType],
? iodef-Discovery => [+ Discovery],
? iodef-Assessment => [+ Assessment],
? iodef-Method => [+ Method],
iodef-Contact => [+ Contact],
? iodef-EventData => [+ EventData],
? iodef-Indicator => [+ Indicator],
? iodef-History => History,
? iodef-AdditionalData => [+ ExtensionType]
}
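Review bot: in Incident, the draft column's `? iodef-Indicator f=> [+ Indicator],` has a stray `f` before `=>`, which the RFC column removes. What remains on the RFC side is `"in-progress"/ "forwarded"` in iodef-status, the one choice in this rule written without a space before `/`. It parses the same, but it is worth normalizing while the rule is being touched.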
RelatedActivity = { IncidentID = {
? iodef-restriction => restriction .default "private", iodef-id => text,
? iodef-ext-restriction => text, iodef-name => text,
? iodef-IncidentID => [+ IncidentID], ? iodef-instance => text,
? iodef-URL => [+ URLtype], ? iodef-restriction => restriction .default "private",
? iodef-ThreatActor => [+ ThreatActor], ? iodef-ext-restriction => text
? iodef-Campaign => [+ Campaign], }
? iodef-IndicatorID => [+ IndicatorID],
? iodef-Confidence => Confidence,
? iodef-Description => [+ text],
? iodef-AdditionalData => [+ ExtensionType]
}
ThreatActor = { AlternativeID = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-ThreatActorID => [+ text], iodef-IncidentID => [+ IncidentID]
? iodef-URL => [+ URLtype], }
? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType]
}
Campaign = { RelatedActivity = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-CampaignID => [+ text], ? iodef-IncidentID => [+ IncidentID],
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType], ? iodef-ThreatActor => [+ ThreatActor],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-Campaign => [+ Campaign],
} ? iodef-IndicatorID => [+ IndicatorID],
? iodef-Confidence => Confidence,
? iodef-Description => [+ text],
? iodef-AdditionalData => [+ ExtensionType]
}
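Review bot: RelatedActivity declares `? iodef-Description => [+ text]` in both columns, while ThreatActor, Campaign, Contact and the other rules here use `[+ MLStringType]` for the same key. Because MLStringType is the `{ iodef-value, ? iodef-lang, ? iodef-translation-id } / text` choice, a RelatedActivity description cannot carry a language tag or translation id. Either align it with the other rules or state that the restriction is intended.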
Contact = { ThreatActor = {
iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /, ? iodef-restriction => restriction .default "private",
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / ? iodef-ext-restriction => text,
"vendor" / "vendor-support" / "victim" / "victim-notified" / ? iodef-ThreatActorID => [+ text],
"ext-value", ? iodef-URL => [+ URLtype],
? iodef-ext-role => text, ? iodef-Description => [+ MLStringType],
iodef-type => "person" / "organization" / "ext-value", ? iodef-AdditionalData => [+ ExtensionType]
? iodef-ext-type => text, }
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-ContactName => [+ MLStringType],
? iodef-ContactTitle => [+ MLStringType],
? iodef-Description => [+ MLStringType],
? iodef-RegistryHandle => [+ RegistryHandle],
? iodef-PostalAddress => [+ PostalAddress],
? iodef-Email => [+ Email],
? iodef-Telephone => [+ Telephone],
? iodef-Timezone => TimeZonetype,
? iodef-Contact => [+ Contact],
? iodef-AdditionalData => [+ ExtensionType]
}
RegistryHandle = { Campaign = {
iodef-handle => text, ? iodef-restriction => restriction .default "private",
iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" / ? iodef-ext-restriction => text,
"afrinic" / "local" / "ext-value", ? iodef-CampaignID => [+ text],
? iodef-ext-registry => text ? iodef-URL => [+ URLtype],
} ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType]
}
PostalAddress = { Contact = {
? iodef-type => "street" / "mailing" / "ext-value", iodef-role => "creator" / "reporter" / "admin" / "tech" /
? iodef-ext-type => text, "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
iodef-PAddress => PAddressType, "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
? iodef-Description => [+ MLStringType] "victim" / "victim-notified" / "ext-value",
} ? iodef-ext-role => text,
iodef-type => "person" / "organization" / "ext-value",
? iodef-ext-type => text,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-ContactName => [+ MLStringType],
? iodef-ContactTitle => [+ MLStringType],
? iodef-Description => [+ MLStringType],
? iodef-RegistryHandle => [+ RegistryHandle],
? iodef-PostalAddress => [+ PostalAddress],
? iodef-Email => [+ Email],
? iodef-Telephone => [+ Telephone],
? iodef-Timezone => TimeZonetype,
? iodef-Contact => [+ Contact],
? iodef-AdditionalData => [+ ExtensionType]
}
Email = { RegistryHandle = {
? iodef-type => "direct" / "hotline" / "ext-value", iodef-handle => text,
? iodef-ext-type => text, iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
iodef-EmailTo => text, "ripe" / "afrinic" / "local" / "ext-value",
? iodef-Description => [+ MLStringType] ? iodef-ext-registry => text
} }
Telephone = { PostalAddress = {
? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value", ? iodef-type => "street" / "mailing" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-TelephoneNumber => text, iodef-PAddress => PAddressType,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Discovery = { Email = {
? iodef-source => "nidps" /"hips" /"siem" /"av" /"third-party-monitoring" / ? iodef-type => "direct" / "hotline" / "ext-value",
"incident" / "os-log" / "application-log" / "device-log" / ? iodef-ext-type => text,
"network-flow" / "passive-dns" / "investigation" / "audit" / iodef-EmailTo => text,
"internal-notification" / "external-notification" / ? iodef-Description => [+ MLStringType]
"leo" / "partner" / "actor" / "unknown" / "ext-value", }
? iodef-ext-source => text,
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-Description => [+ MLStringType],
? iodef-Contact => [+ Contact],
? iodef-DetectionPattern => [+ DetectionPattern]
}
DetectionPattern = { Telephone = {
? iodef-restriction => restriction .default "private", ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
? iodef-ext-restriction => text, "ext-value",
? iodef-observable-id => IDtype, ? iodef-ext-type => text,
(iodef-Description => [+ MLStringType] // iodef-DetectionConfiguration => [+ text]), iodef-TelephoneNumber => text,
iodef-Application => SoftwareType ? iodef-Description => [+ MLStringType]
} }
Method = { Discovery = {
? iodef-restriction => restriction .default "private", ? iodef-source => "nidps" / "hips" / "siem" / "av" /
? iodef-ext-restriction => text, "third-party-monitoring" / "incident" / "os-log" /
? iodef-Reference => [+ Reference], "application-log" / "device-log" / "network-flow" /
? iodef-Description => [+ MLStringType], "passive-dns" / "investigation" / "audit" /
? iodef-AttackPattern => [+ StructuredInfo], "internal-notification" / "external-notification" /
? iodef-Vulnerability => [+ StructuredInfo], "leo" / "partner" / "actor" / "unknown" / "ext-value",
? iodef-Weakness => [+ StructuredInfo], ? iodef-ext-source => text,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-Description => [+ MLStringType],
? iodef-Contact => [+ Contact],
? iodef-DetectionPattern => [+ DetectionPattern]
}
} DetectionPattern = {
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
(iodef-Description => [+ MLStringType] //
iodef-DetectionConfiguration => [+ text]),
iodef-Application => SoftwareType
}
StructuredInfo = { Method = {
iodef-SpecID => SpecID, ? iodef-restriction => restriction .default "private",
? iodef-ext-SpecID => text, ? iodef-ext-restriction => text,
? iodef-ContentID => text, ? iodef-Reference => [+ Reference],
? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]), ? iodef-Description => [+ MLStringType],
? iodef-Platform => [+ Platform], ? iodef-AttackPattern => [+ STRUCTUREDINFO],
? iodef-Scoring => [+ Scoring] ? iodef-Vulnerability => [+ STRUCTUREDINFO],
} ? iodef-Weakness => [+ STRUCTUREDINFO],
? iodef-AdditionalData => [+ ExtensionType]
}
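Review bot: Method's three references change from `StructuredInfo` to `STRUCTUREDINFO` (iodef-AttackPattern, iodef-Vulnerability, iodef-Weakness), and the rule that follows is renamed to match, with an otherwise identical body. The all-caps spelling is used elsewhere in this file only for DATETIME and BYTE, which alias primitive types, while every other map rule is CamelCase. Either keep the CamelCase name or add a sentence explaining why this one rule is spelled differently. CDDL rule names are case-sensitive, so any schema that still references the old spelling will fail to resolve.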
Platform = { STRUCTUREDINFO = {
iodef-SpecID => SpecID,
? iodef-ext-SpecID => text,
? iodef-ContentID => text,
? iodef-RawData => [+ BYTE],
? iodef-Reference => [+ Reference]
}
Scoring = {
iodef-SpecID => SpecID, iodef-SpecID => SpecID,
? iodef-ext-SpecID => text, ? iodef-ext-SpecID => text,
? iodef-ContentID => text, ? iodef-ContentID => text,
? iodef-RawData => [+ BYTE], ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
? iodef-Reference => [+ Reference] ? iodef-Platform => [+ Platform],
} ? iodef-Scoring => [+ Scoring]
Reference = { }
? iodef-observable-id => IDtype,
? iodef-ReferenceName => ReferenceName,
? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType]
}
ReferenceName = {
iodef-specIndex => integer,
iodef-ID => IDtype
}
Assessment = {
? iodef-occurrence => "actual" / "potential",
? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
? iodef-IncidentCategory => [+ MLStringType],
iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
{iodef-BusinessImpact => BusinessImpact /
{iodef-TimeImpact => TimeImpact} /
{iodef-MonetaryImpact => MonetaryImpact} /
{iodef-IntendedImpact => BusinessImpact}],
? iodef-Counter => [+ Counter],
? iodef-MitigatingFactor => [+ MLStringType],
? iodef-Cause => [+ MLStringType],
? iodef-Confidence => Confidence,
? iodef-AdditionalData => [+ ExtensionType]
}
SystemImpact = {
? iodef-severity => "low" / "medium" / "high",
? iodef-completion => "failed" / "succeeded",
iodef-type => "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" /
"breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text,
? iodef-Description => [+ MLStringType]
}
BusinessImpact = { Platform = {
? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / iodef-SpecID => SpecID,
"ext-value" .default "unknown", ? iodef-ext-SpecID => text,
? iodef-ext-severity => text, ? iodef-ContentID => text,
iodef-type => "breach-proprietary" / "breach-privacy" / ? iodef-RawData => [+ BYTE],
"breach-credential" / "loss-of-integrity" / "loss-of-service" / ? iodef-Reference => [+ Reference]
"theft-financial" / "theft-service" / "degraded-reputation" / }
"asset-damage" / "asset-manipulation" / "legal" / "extortion" / Scoring = {
"unknown" / "ext-value" .default "unknown", iodef-SpecID => SpecID,
? iodef-ext-type => text, ? iodef-ext-SpecID => text,
? iodef-Description => [+ MLStringType] ? iodef-ContentID => text,
} ? iodef-RawData => [+ BYTE],
? iodef-Reference => [+ Reference]
}
Reference = {
? iodef-observable-id => IDtype,
? iodef-ReferenceName => ReferenceName,
? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType]
}
TimeImpact = { ReferenceName = {
iodef-value => PositiveFloatType, iodef-specIndex => integer,
? iodef-severity => "low" / "medium" / "high", iodef-ID => IDtype
iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value", }
? iodef-ext-metric => text,
? iodef-duration => duration .default "hour",
? iodef-ext-duration => text
}
MonetaryImpact = { Assessment = {
iodef-value => PositiveFloatType, ? iodef-occurrence => "actual" / "potential",
? iodef-severity => "low" / "medium" / "high", ? iodef-restriction => restriction .default "private",
? iodef-currency => text ? iodef-ext-restriction => text,
} ? iodef-observable-id => IDtype,
? iodef-IncidentCategory => [+ MLStringType],
iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
{iodef-BusinessImpact => BusinessImpact /
{iodef-TimeImpact => TimeImpact} /
{iodef-MonetaryImpact => MonetaryImpact} /
{iodef-IntendedImpact => BusinessImpact}],
? iodef-Counter => [+ Counter],
? iodef-MitigatingFactor => [+ MLStringType],
? iodef-Cause => [+ MLStringType],
? iodef-Confidence => Confidence,
? iodef-AdditionalData => [+ ExtensionType]
}
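Review bot: in Assessment, the second alternative of iodef-Impact reads `{iodef-BusinessImpact => BusinessImpact /` with no closing `}`, and it is unchanged between the two columns. The braces in the choice are therefore unbalanced, unlike the SystemImpact, TimeImpact, MonetaryImpact and IntendedImpact alternatives around it. It should read `{iodef-BusinessImpact => BusinessImpact} /`. As written, a CDDL tool will reject the rule or misparse the rest of the array.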
Confidence = { SystemImpact = {
iodef-value => float32, ? iodef-severity => "low" / "medium" / "high",
iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value", ? iodef-completion => "failed" / "succeeded",
? iodef-ext-rating => text iodef-type => "takeover-account" / "takeover-service" /
} "takeover-system" / "cps-manipulation" / "cps-damage" /
"availability-data" / "availability-account" /
"availability-service" / "availability-system" / "damaged-system" /
"damaged-data" / "breach-proprietary" / "breach-privacy" /
"breach-credential" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text,
? iodef-Description => [+ MLStringType]
}
History = { BusinessImpact = {
? iodef-restriction => restriction .default "private", ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
? iodef-ext-restriction => text, "ext-value" .default "unknown",
iodef-HistoryItem => [+ HistoryItem] ? iodef-ext-severity => text,
} iodef-type => "breach-proprietary" / "breach-privacy" /
"breach-credential" / "loss-of-integrity" / "loss-of-service" /
"theft-financial" / "theft-service" / "degraded-reputation" /
"asset-damage" / "asset-manipulation" / "legal" / "extortion" /
"unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text,
? iodef-Description => [+ MLStringType]
}
HistoryItem = { TimeImpact = {
iodef-action => action .default "other", iodef-value => PositiveFloatType,
? iodef-ext-action => text, ? iodef-severity => "low" / "medium" / "high",
? iodef-restriction => restriction .default "private", iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
? iodef-ext-restriction => text, ? iodef-ext-metric => text,
? iodef-observable-id => IDtype, ? iodef-duration => duration .default "hour",
iodef-DateTime => DATETIME, ? iodef-ext-duration => text
? iodef-IncidentID => IncidentID, }
? iodef-Contact => Contact,
? iodef-Description => [+ MLStringType],
? iodef-DefinedCOA => [+ text],
? iodef-AdditionalData => [+ ExtensionType]
}
EventData = { MonetaryImpact = {
? iodef-restriction => restriction .default "default", iodef-value => PositiveFloatType,
? iodef-ext-restriction => text, ? iodef-severity => "low" / "medium" / "high",
? iodef-observable-id => IDtype, ? iodef-currency => text
? iodef-Description => [+ MLStringType], }
? iodef-DetectTime => DATETIME,
? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME,
? iodef-Contact => [+ Contact],
? iodef-Discovery => [+ Discovery],
? iodef-Assessment => Assessment,
? iodef-Method => [+ Method],
? iodef-System => [+ System],
? iodef-Expectation => [+ Expectation],
? iodef-RecordData => [+ RecordData],
? iodef-EventData => [+ EventData],
? iodef-AdditionalData => [+ ExtensionType]
} Confidence = {
iodef-value => float32,
iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
"ext-value",
? iodef-ext-rating => text
}
Expectation = { History = {
? iodef-action => action .default "other", ? iodef-restriction => restriction .default "private",
? iodef-ext-action => text, ? iodef-ext-restriction => text,
? iodef-severity => "low" / "medium" / "high", iodef-HistoryItem => [+ HistoryItem]
? iodef-restriction => restriction .default "default", }
? iodef-ext-restriction => text,
? iodef-observable-id => IDtype,
? iodef-Description => [+ MLStringType],
? iodef-DefinedCOA => [+ text],
? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME,
? iodef-Contact => Contact
}
System = { HistoryItem = {
? iodef-category => "source" / "target" / "intermediate" / "sensor" / iodef-action => action .default "other",
"infrastructure" / "ext-value", ? iodef-ext-action => text,
? iodef-ext-category => text, ? iodef-restriction => restriction .default "private",
? iodef-interface => text, ? iodef-ext-restriction => text,
? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown", ? iodef-observable-id => IDtype,
? iodef-virtual => "yes" / "no" / "unknown" .default "unknown", iodef-DateTime => DATETIME,
? iodef-ownership => "organization" / "personal" / "partner" / "customer" / ? iodef-IncidentID => IncidentID,
"no-relationship" / "unknown" / "ext-value", ? iodef-Contact => Contact,
? iodef-ext-ownership => text, ? iodef-Description => [+ MLStringType],
? iodef-restriction => restriction .default "private", ? iodef-DefinedCOA => [+ text],
? iodef-ext-restriction => text, ? iodef-AdditionalData => [+ ExtensionType]
? iodef-observable-id => IDtype, }
iodef-Node => Node,
? iodef-NodeRole => [+ NodeRole],
? iodef-Service => [+ Service],
? iodef-OperatingSystem => [+ SoftwareType],
? iodef-Counter => [+ Counter],
? iodef-AssetID => [+ text],
? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType]
}
Node = { EventData = {
(iodef-DomainData => [+ DomainData] // iodef-Address => [+ Address]), ? iodef-restriction => restriction .default "default",
? iodef-PostalAddress => PostalAddress, ? iodef-ext-restriction => text,
? iodef-Location => [+ MLStringType], ? iodef-observable-id => IDtype,
? iodef-Counter => [+ Counter] ? iodef-Description => [+ MLStringType],
} ? iodef-DetectTime => DATETIME,
? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME,
? iodef-Contact => [+ Contact],
? iodef-Discovery => [+ Discovery],
? iodef-Assessment => Assessment,
? iodef-Method => [+ Method],
? iodef-System => [+ System],
? iodef-Expectation => [+ Expectation],
? iodef-RecordData => [+ RecordData],
? iodef-EventData => [+ EventData],
? iodef-AdditionalData => [+ ExtensionType]
}
Address = { Expectation = {
iodef-value => text, ? iodef-action => action .default "other",
iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? iodef-ext-action => text,
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / ? iodef-severity => "low" / "medium" / "high",
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / ? iodef-restriction => restriction .default "default",
"ext-value" .default "ipv6-addr", ? iodef-ext-restriction => text,
? iodef-ext-category => text, ? iodef-observable-id => IDtype,
? iodef-vlan-name => text, ? iodef-Description => [+ MLStringType],
? iodef-vlan-num => integer, ? iodef-DefinedCOA => [+ text],
? iodef-observable-id => IDtype ? iodef-StartTime => DATETIME,
} ? iodef-EndTime => DATETIME,
? iodef-Contact => Contact
}
NodeRole = { System = {
iodef-category => "client" / "client-enterprise" / "client-partner" / ? iodef-category => "source" / "target" / "intermediate" /
"client-remote" / "client-kiosk" / "client-mobile" / "sensor" / "infrastructure" / "ext-value",
"server-internal" / "server-public" / "www" / "mail" / ? iodef-ext-category => text,
"webmail" / "messaging" / "streaming" / "voice" / "file" / ? iodef-interface => text,
"ftp" / "p2p" / "name" / "directory" / "credential" / ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
"print" / "application" / "database" / "backup" / "dhcp" / ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
"assessment" / "source-control" / "config-management" / ? iodef-ownership => "organization" / "personal" / "partner" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" / "customer" / "no-relationship" / "unknown" / "ext-value",
"infra-switch" / "camera" / "proxy" / "remote-access" / ? iodef-ext-ownership => text,
"log" / "virtualization" / "pos" / "scada" / ? iodef-restriction => restriction .default "private",
"scada-supervisory" / "sinkhole" / "honeypot" / ? iodef-ext-restriction => text,
"anomyzation" / "c2-server" / "malware-distribution" / ? iodef-observable-id => IDtype,
"drop-server" / "hop-point" / "reflector" / iodef-Node => Node,
"phishing-site" / "spear-phishing-site" / "recruiting-site" / ? iodef-NodeRole => [+ NodeRole],
"fraudulent-site" / "ext-value", ? iodef-Service => [+ Service],
? iodef-ext-category => text, ? iodef-OperatingSystem => [+ SoftwareType],
? iodef-Description => [+ MLStringType] ? iodef-Counter => [+ Counter],
} ? iodef-AssetID => [+ text],
? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType]
}
Counter = { Node = {
iodef-value => float32, (iodef-DomainData => [+ DomainData] //
iodef-type => "count" / "peak" / "average" / "ext-value", iodef-Address => [+ Address]),
? iodef-ext-type => text, ? iodef-PostalAddress => PostalAddress,
iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / ? iodef-Location => [+ MLStringType],
"message" / "event" / "host" / "site" / "organization" / ? iodef-Counter => [+ Counter]
"ext-value", }
? iodef-ext-unit => text,
? iodef-meaning => text,
? iodef-duration => duration .default "hour",
? iodef-ext-duration => text
}
DomainData = { Address = {
iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" / iodef-value => text,
"innocent-hijacked" / "unknown" / "ext-value", iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
? iodef-ext-system-status => text, "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
iodef-domain-status => "reservedDelegation" / "assignedAndActive" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
"ext-value" .default "ipv6-addr",
? iodef-ext-category => text,
? iodef-vlan-name => text,
? iodef-vlan-num => integer,
? iodef-observable-id => IDtype
}
"assignedAndInactive" / "assignedAndOnHold" / NodeRole = {
"revoked" / "transferPending" / "registryLock" / iodef-category => "client" / "client-enterprise" /
"registrarLock" / "other" / "unknown" / "ext-value", "client-partner" / "client-remote" / "client-kiosk" /
? iodef-ext-domain-status => text, "client-mobile" / "server-internal" / "server-public" /
? iodef-observable-id => IDtype, "www" / "mail" / "webmail" / "messaging" / "streaming" /
iodef-Name => text, "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
? iodef-DateDomainWasChecked => DATETIME, "credential" / "print" / "application" / "database" /
? iodef-RegistrationDate => DATETIME, "backup" / "dhcp" / "assessment" / "source-control" /
? iodef-ExpirationDate => DATETIME, "config-management" / "monitoring" / "infra" / "infra-firewall" /
? iodef-RelatedDNS => [+ ExtensionType], "infra-router" / "infra-switch" / "camera" / "proxy" /
? iodef-NameServers => [+ NameServers], "remote-access" / "log" / "virtualization" / "pos" / "scada" /
? iodef-DomainContacts => DomainContacts "scada-supervisory" / "sinkhole" / "honeypot" /
} "anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hop-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value",
? iodef-ext-category => text,
? iodef-Description => [+ MLStringType]
}
NameServers = { Counter = {
iodef-Server => text, iodef-value => float32,
iodef-Address => [+ Address] iodef-type => "count" / "peak" / "average" / "ext-value",
} ? iodef-ext-type => text,
iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
"alert" / "message" / "event" / "host" / "site" / "organization" /
"ext-value",
? iodef-ext-unit => text,
? iodef-meaning => text,
? iodef-duration => duration .default "hour",
? iodef-ext-duration => text
}
DomainContacts = { DomainData = {
(iodef-SameDomainContact => text // iodef-Contact => [+ Contact]) iodef-system-status => "spoofed" / "fraudulent" /
} "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
? iodef-ext-system-status => text,
iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value",
? iodef-ext-domain-status => text,
? iodef-observable-id => IDtype,
iodef-Name => text,
? iodef-DateDomainWasChecked => DATETIME,
? iodef-RegistrationDate => DATETIME,
? iodef-ExpirationDate => DATETIME,
? iodef-RelatedDNS => [+ ExtensionType],
? iodef-NameServers => [+ NameServers],
? iodef-DomainContacts => DomainContacts
}
Service = { NameServers = {
? iodef-ip-protocol => integer, iodef-Server => text,
? iodef-observable-id => IDtype, iodef-Address => [+ Address]
? iodef-ServiceName => ServiceName, }
? iodef-Port => integer,
? iodef-Portlist => PortlistType,
? iodef-ProtoCode => integer,
? iodef-ProtoType => integer,
? iodef-ProtoField => integer,
? iodef-ApplicationHeaderField => [+ ExtensionType],
? iodef-EmailData => EmailData,
? iodef-Application => SoftwareType
}
ServiceName = { DomainContacts = {
? iodef-IANAService => text, (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
? iodef-URL => [+ URLtype], }
? iodef-Description => [+ MLStringType]
}
EmailData = { Service = {
? iodef-observable-id => IDtype, ? iodef-ip-protocol => integer,
? iodef-EmailTo => [+ text], ? iodef-observable-id => IDtype,
? iodef-EmailFrom => text, ? iodef-ServiceName => ServiceName,
? iodef-EmailSubject => text, ? iodef-Port => integer,
? iodef-EmailX-Mailer => text, ? iodef-Portlist => PortlistType,
? iodef-EmailHeaderField => [+ ExtensionType], ? iodef-ProtoCode => integer,
? iodef-EmailHeaders => text, ? iodef-ProtoType => integer,
? iodef-EmailBody => text, ? iodef-ProtoField => integer,
? iodef-EmailMessage => text, ? iodef-ApplicationHeaderField => [+ ExtensionType],
? iodef-HashData => [+ HashData], ? iodef-EmailData => EmailData,
? iodef-Signature => [+ BYTE] ? iodef-Application => SoftwareType
} }
RecordData = { ServiceName = {
? iodef-restriction => restriction .default "private", ? iodef-IANAService => text,
? iodef-ext-restriction => text, ? iodef-URL => [+ URLtype],
? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType]
? iodef-DateTime => DATETIME, }
? iodef-Description => [+ MLStringType],
? iodef-Application => SoftwareType,
? iodef-RecordPattern => [+ RecordPattern],
? iodef-RecordItem => [+ ExtensionType],
? iodef-URL => [+ URLtype],
? iodef-FileData => [+ FileData],
? iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified],
? iodef-CertificateData => [+ CertificateData],
? iodef-AdditionalData => [+ ExtensionType]
}
RecordPattern = { EmailData = {
iodef-value => text, ? iodef-observable-id => IDtype,
iodef-type => "regex" / "binary" / "xpath" / "ext-value" .default "regex", ? iodef-EmailTo => [+ text],
? iodef-ext-type => text, ? iodef-EmailFrom => text,
? iodef-offset => integer, ? iodef-EmailSubject => text,
? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line", ? iodef-EmailX-Mailer => text,
? iodef-ext-offsetunit => text, ? iodef-EmailHeaderField => [+ ExtensionType],
? iodef-instance => integer ? iodef-EmailHeaders => text,
} ? iodef-EmailBody => text,
? iodef-EmailMessage => text,
? iodef-HashData => [+ HashData],
? iodef-Signature => [+ BYTE]
}
WindowsRegistryKeysModified = { RecordData = {
? iodef-observable-id => IDtype, ? iodef-restriction => restriction .default "private",
iodef-Key => [+ Key] ? iodef-ext-restriction => text,
} ? iodef-observable-id => IDtype,
? iodef-DateTime => DATETIME,
? iodef-Description => [+ MLStringType],
? iodef-Application => SoftwareType,
? iodef-RecordPattern => [+ RecordPattern],
? iodef-RecordItem => [+ ExtensionType],
? iodef-URL => [+ URLtype],
? iodef-FileData => [+ FileData],
? iodef-WindowsRegistryKeysModified =>
[+ WindowsRegistryKeysModified],
? iodef-CertificateData => [+ CertificateData],
? iodef-AdditionalData => [+ ExtensionType]
}
Key = { RecordPattern = {
? iodef-registryaction => "add-key" / "add-value" / "delete-key" / iodef-value => text,
"delete-value" / "modify-key" / "modify-value" / iodef-type => "regex" / "binary" / "xpath" /
"ext-value", "ext-value" .default "regex",
? iodef-ext-registryaction => text, ? iodef-ext-type => text,
? iodef-observable-id => IDtype, ? iodef-offset => integer,
iodef-KeyName => text, ? iodef-offsetunit => "line" / "byte" /
? iodef-KeyValue => text "ext-value" .default "line",
? iodef-ext-offsetunit => text,
? iodef-instance => integer
}
} WindowsRegistryKeysModified = {
? iodef-observable-id => IDtype,
iodef-Key => [+ Key]
}
CertificateData = { Key = {
? iodef-restriction => restriction .default "private", ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
? iodef-ext-restriction => text, "delete-value" / "modify-key" / "modify-value" /
? iodef-observable-id => IDtype, "ext-value",
iodef-Certificate => [+ Certificate] ? iodef-ext-registryaction => text,
} ? iodef-observable-id => IDtype,
iodef-KeyName => text,
? iodef-KeyValue => text
}
Certificate = { CertificateData = {
? iodef-observable-id => IDtype, ? iodef-restriction => restriction .default "private",
iodef-X509Data => BYTE, ? iodef-ext-restriction => text,
? iodef-Description => [+ MLStringType] ? iodef-observable-id => IDtype,
} iodef-Certificate => [+ Certificate]
}
FileData = { Certificate = {
? iodef-restriction => restriction .default "private", ? iodef-observable-id => IDtype,
? iodef-ext-restriction => text, iodef-X509Data => BYTE,
? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType]
iodef-File => [+ File] }
}
File = { FileData = {
? iodef-observable-id => IDtype, ? iodef-restriction => restriction .default "private",
? iodef-FileName => text, ? iodef-ext-restriction => text,
? iodef-FileSize => integer, ? iodef-observable-id => IDtype,
? iodef-FileType => text, iodef-File => [+ File]
? iodef-URL => [+ URLtype], }
? iodef-HashData => HashData,
? iodef-Signature => [+ BYTE],
? iodef-AssociatedSoftware => SoftwareType,
? iodef-FileProperties => [+ ExtensionType]
}
HashData = { File = {
iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" / ? iodef-observable-id => IDtype,
"file-pe-resource" / "file-pdf-object" / "email-hash" / ? iodef-FileName => text,
"email-headers-hash" / "email-body-hash" / "ext-value", ? iodef-FileSize => integer,
? iodef-HashTargetID => text, ? iodef-FileType => text,
? iodef-Hash => [+ Hash], ? iodef-URL => [+ URLtype],
? iodef-FuzzyHash => [+ FuzzyHash] ? iodef-HashData => HashData,
} ? iodef-Signature => [+ BYTE],
? iodef-AssociatedSoftware => SoftwareType,
? iodef-FileProperties => [+ ExtensionType]
}
Hash = { HashData = {
iodef-DigestMethod => BYTE, iodef-scope => "file-contents" / "file-pe-section" /
iodef-DigestValue => BYTE, "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
? iodef-CanonicalizationMethod => BYTE, "email-hash" / "email-headers-hash" / "email-body-hash" /
? iodef-Application => SoftwareType "ext-value",
? iodef-HashTargetID => text,
? iodef-Hash => [+ Hash],
? iodef-FuzzyHash => [+ FuzzyHash]
}
} Hash = {
iodef-DigestMethod => BYTE,
iodef-DigestValue => BYTE,
? iodef-CanonicalizationMethod => BYTE,
? iodef-Application => SoftwareType
}
FuzzyHash = { FuzzyHash = {
iodef-FuzzyHashValue => [+ ExtensionType], iodef-FuzzyHashValue => [+ ExtensionType],
? iodef-Application => SoftwareType, ? iodef-Application => SoftwareType,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Indicator = { Indicator = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
iodef-IndicatorID => IndicatorID, iodef-IndicatorID => IndicatorID,
? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID], ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-StartTime => DATETIME, ? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME, ? iodef-EndTime => DATETIME,
? iodef-Confidence => Confidence, ? iodef-Confidence => Confidence,
? iodef-Contact => [+ Contact], ? iodef-Contact => [+ Contact],
(iodef-Observable => Observable // iodef-uid-ref => IDREFType // (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
iodef-IndicatorExpression => IndicatorExpression // iodef-IndicatorExpression => IndicatorExpression //
iodef-IndicatorReference => IndicatorReference), iodef-IndicatorReference => IndicatorReference),
? iodef-NodeRole => [+ NodeRole], ? iodef-NodeRole => [+ NodeRole],
? iodef-AttackPhase => [+ AttackPhase], ? iodef-AttackPhase => [+ AttackPhase],
? iodef-Reference => [+ Reference], ? iodef-Reference => [+ Reference],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
IndicatorID = { IndicatorID = {
iodef-id => IDtype, iodef-id => IDtype,
iodef-name => text, iodef-name => text,
iodef-version => text iodef-version => text
} }
AlternativeIndicatorID = { AlternativeIndicatorID = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
iodef-IndicatorID => [+ IndicatorID] iodef-IndicatorID => [+ IndicatorID]
} }
Observable = { Observable = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? (iodef-System => System // iodef-Address => Address // ? (iodef-System => System // iodef-Address => Address //
iodef-DomainData => DomainData // iodef-EmailData => EmailData // iodef-DomainData => DomainData //
iodef-Service => Service // iodef-EmailData => EmailData //
iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // iodef-Service => Service //
iodef-FileData => FileData //iodef-CertificateData => CertificateData // iodef-WindowsRegistryKeysModified =>
iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>RecordData // WindowsRegistryKeysModified //
iodef-EventData => EventData // iodef-Incident => Incident // iodef-FileData => FileData //iodef-CertificateData =>
iodef-Expectation => Expectation // iodef-Reference => Reference // CertificateData //
iodef-Assessment => Assessment // iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>
iodef-DetectionPattern => DetectionPattern // RecordData //
iodef-HistoryItem => HistoryItem // iodef-EventData => EventData // iodef-Incident => Incident //
iodef-BulkObservable => BulkObservable // iodef-Expectation => Expectation // iodef-Reference =>
iodef-AdditionalData => [+ ExtensionType]) Reference //
} iodef-Assessment => Assessment //
iodef-DetectionPattern => DetectionPattern //
iodef-HistoryItem => HistoryItem //
iodef-BulkObservable => BulkObservable //
iodef-AdditionalData => [+ ExtensionType])
}
BulkObservable = { BulkObservable = {
? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
"mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv4" / "domain-to-ipv6" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
"windows-reg-key" / "file-hash" / "email-x-mailer" / "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
"email-subject" / "http-user-agent" / "http-request-uri" / "email-x-mailer" / "email-subject" / "http-user-agent" /
"mutex" / "file-path" / "user-name" / "ext-value", "http-request-uri" / "mutex" / "file-path" / "user-name" /
? iodef-ext-type => text, "ext-value",
? iodef-BulkObservableFormat => BulkObservableFormat, ? iodef-ext-type => text,
iodef-BulkObservableList => text, ? iodef-BulkObservableFormat => BulkObservableFormat,
? iodef-AdditionalData => [+ ExtensionType] iodef-BulkObservableList => text,
} ? iodef-AdditionalData => [+ ExtensionType]
}
BulkObservableFormat = { BulkObservableFormat = {
(iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType]) (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
} }
IndicatorExpression = { IndicatorExpression = {
? iodef-operator => "not" / "and" / "or" / "xor" .default "and", ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
? iodef-ext-operator => text, ? iodef-ext-operator => text,
? iodef-IndicatorExpression => [+ IndicatorExpression], ? iodef-IndicatorExpression => [+ IndicatorExpression],
? iodef-Observable => [+ Observable], ? iodef-Observable => [+ Observable],
? iodef-uid-ref => [+ IDREFType], ? iodef-uid-ref => [+ IDREFType],
? iodef-IndicatorReference => [+ IndicatorReference], ? iodef-IndicatorReference => [+ IndicatorReference],
? iodef-Confidence => Confidence, ? iodef-Confidence => Confidence,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
IndicatorReference = { IndicatorReference = {
(iodef-uid-ref => IDREFType // iodef-euid-ref => text), (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
? iodef-version => text ? iodef-version => text
} }
AttackPhase = { AttackPhase = {
? iodef-AttackPhaseID => [+ text], ? iodef-AttackPhaseID => [+ text],
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Figure 9: Data Model in CDDL Figure 5: Data Model in CDDL
7. IANA Considerations 7. IANA Considerations
This document does not require any IANA actions. This document has no IANA actions.
8. Security Considerations 8. Security Considerations
This document provides a mapping from XML IODEF defined in [RFC7970] This document provides a mapping from XML IODEF defined in [RFC7970]
to JSON, and Section 3.2 describes several issues that arise when to JSON, and Section 3.2 describes several issues that arise when
converting XML IODEF and JSON IODEF. Though it does not provide any converting XML IODEF and JSON IODEF. Though it does not provide any
further security considerations than the one described in [RFC7970], further security considerations other than the one described in
impelementers of this document should be aware of those issues to [RFC7970], implementers of this document should be aware of those
avoid any unintended outcome. issues to avoid any unintended outcome.
9. Acknowledgments
We would like to thank Henk Birkholz, Carsten Bormann, Benjamin
Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their
insightful comments on this document and CDDL.
10. References 9. References
10.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
skipping to change at page 51, line 30 skipping to change at line 2649
Interchange Format", STD 90, RFC 8259, Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017, DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>. <https://www.rfc-editor.org/info/rfc8259>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>. June 2019, <https://www.rfc-editor.org/info/rfc8610>.
10.2. Informative References 9.2. Informative References
[I-D.handrews-json-schema-validation] [JSON-SCHEMA]
Wright, A., Andrews, H., and B. Hutton, "JSON Schema Wright, A., Andrews, H., and B. Hutton, "JSON Schema
Validation: A Vocabulary for Structural Validation of Validation: A Vocabulary for Structural Validation of
JSON", draft-handrews-json-schema-validation-02 (work in JSON", Work in Progress, Internet-Draft, draft-handrews-
progress), September 2019. json-schema-validation-02, 17 September 2019,
<https://tools.ietf.org/html/draft-handrews-json-schema-
validation-02>.
Appendix A. Data Types used in this document Appendix A. Data Types Used in This Document
The CDDL prelude used in this document is mapped to JSON as shown in The CDDL prelude used in this document is mapped to JSON as shown in
the table below. the table below.
+-----------------+-------------------+----------------------------+ +==============+=========+==========+=============================+
| CDDL Prelude | Use of JSON | Instance | Validation | | CDDL Prelude | Use of | Instance | Validation |
+-----------------+-------------------+----------------------------+ | | JSON | | |
| bytes | n/a | string | tool available | +==============+=========+==========+=============================+
| text | string | string | unnecessary | | bytes | n/a | string | tool available |
| tdate | n/a | string | 7.3.1 date-time | +--------------+---------+----------+-----------------------------+
| integer | n/a | number | integer | | text | string | string | unnecessary |
| eb64legacy | n/a | string | tool available | +--------------+---------+----------+-----------------------------+
| uri | n/a | string | 7.3.6 uri | | tdate | n/a | string | date-time per Section 7.3.1 |
| float32 | float32 | number | unnecessary | | | | | of [JSON-SCHEMA] |
+-----------------+-------------------+----------------------------+ +--------------+---------+----------+-----------------------------+
| integer | n/a | number | integer |
+--------------+---------+----------+-----------------------------+
| eb64legacy | n/a | string | tool available |
+--------------+---------+----------+-----------------------------+
| uri | n/a | string | uri per Section 7.3.6 of |
| | | | [JSON-SCHEMA] |
+--------------+---------+----------+-----------------------------+
| float32 | float32 | number | unnecessary |
+--------------+---------+----------+-----------------------------+
Figure 10: CDDL Prelude mapping in JSON Table 5: CDDL Prelude Mapping in JSON
Appendix B. The IODEF Data Model (JSON Schema) Appendix B. The IODEF Data Model (JSON Schema)
This section provides a JSON schema This section provides a JSON schema [JSON-SCHEMA] that defines the
[I-D.handrews-json-schema-validation] that defines the IODEF Data IODEF data model defined in this document. Note that this section is
Model defined in this draft. Note that this section is Informative. informative.
{ "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"action": {"enum": ["nothing","contact-source-site",
"contact-target-site","contact-sender","investigate",
"block-host","block-network","block-port","rate-limit-host",
"rate-limit-network","rate-limit-port","redirect-traffic",
"honeypot","upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","other",
"ext-value"]},
"duration":{"enum":["second","minute","hour","day","month",
"quarter","year","ext-value"]},
"SpecID":{
"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
"lang": {
"type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
"purpose": {"enum": ["traceback","mitigation","reporting","watch",
"other","ext-value"]},
"restriction":{"enum":["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved",
"future","ext-value"]},
"DATETIME": {"type": "string","format": "date-time"},
"BYTE": {"type": "string"},
"PortlistType": {
"type": "string","pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
"TimeZonetype": {
"type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
"URLtype": { { "$schema": "https://json-schema.org/draft-04/schema#",
"type": "string", "definitions": {
"pattern": "action": {"enum": ["nothing", "contact-source-site",
"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "contact-target-site", "contact-sender", "investigate",
"IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "block-host", "block-network", "block-port",
"IDREFType": {"$ref": "#/definitions/IDtype"}, "rate-limit-host", "rate-limit-network",
"MLStringType": { "rate-limit-port", "redirect-traffic", "honeypot",
"oneOf": [{"type": "string"}, "upgrade-software", "rebuild-asset", "harden-asset",
{"type": "object", "remediate-other", "status-triage", "status-new-info",
"properties": { "watch-and-report", "training", "defined-coa", "other",
"value": {"type": "string"}, "ext-value"]},
"lang": {"$ref": "#/definitions/lang"}, "duration":{"enum":["second", "minute", "hour", "day",
"translation-id": {"type": "string"}}, "month", "quarter", "year", "ext-value"]},
"required": ["value"], "SpecID":{
"additionalProperties":false}]}, "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2",
"PositiveFloatType": {"type": "number","minimum": 0}, "private"]},
"PAddressType": {"$ref": "#/definitions/MLStringType"}, "lang": {
"ExtensionType": { "type":"string", "pattern":
"type": "object", "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
"properties": { "purpose": {"enum": ["traceback", "mitigation",
"value": {"type": "string"}, "reporting", "watch", "other", "ext-value"]},
"name": {"type": "string"}, "restriction":{"enum": ["public", "partner",
"dtype":{"enum":["boolean","byte","bytes","character", "json", "need-to-know", "private", "default", "white", "green",
"date-time","ntpstamp","integer","portlist","real","string", "amber", "red", "ext-value"]},
"file","path","frame","packet","ipv4-packet","ipv6-packet", "status": {"enum": ["new", "in-progress", "forwarded",
"url", "csv","winreg","xml","ext-value"],"default": "string"}, "resolved", "future", "ext-value"]},
"ext-dtype": {"type": "string"}, "DATETIME": {"type": "string", "format": "date-time"},
"meaning": {"type": "string"}, "BYTE": {"type": "string"},
"formatid": {"type": "string"}, "PortlistType": {
"restriction": { "type": "string", "pattern":
"$ref": "#/definitions/restriction","default": "private"}, "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
"ext-restriction": {"type": "string"}, "TimeZonetype": {
"observable-id": {"$ref": "#/definitions/IDtype"}}, "type":"string", "pattern":
"required": ["value","dtype"], "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
"additionalProperties":false}, "URLtype": {
"ExtensionTypeList": { "type": "string",
"type": "array", "pattern":
"items": {"$ref": "#/definitions/ExtensionType"}, "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))
"minItems": 1}, ?(#(.*))?"},
"SoftwareType": { "IDtype": {"type": "string", "pattern":
"type": "object", "[a-zA-Z_][a-zA-Z0-9_.-]*"},
"properties": { "IDREFType": {"$ref": "#/definitions/IDtype"},
"SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "MLStringType": {
"URL": { "oneOf": [{"type": "string"},
"type": "array", {"type": "object",
"items": {"$ref": "#/definitions/URLtype", "properties": {
"minItems": 1}}, "value": {"type": "string"},
"Description": { "lang": {"$ref": "#/definitions/lang"},
"type": "array", "translation-id": {"type": "string"}},
"items": {"$ref": "#/definitions/MLStringType"}, "required": ["value"],
"minItems": 1 }}, "additionalProperties":false}]},
"required": [], "PositiveFloatType": {"type": "number", "minimum": 0},
"additionalProperties": false}, "PAddressType": {"$ref": "#/definitions/MLStringType"},
"SoftwareReference": { "ExtensionType": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "name": {"type": "string"},
"ext-spec-name": {"type": "string"}, "dtype":{"enum":["boolean", "byte", "bytes",
"dtype": {"enum": ["bytes","integer","real","string","xml", "character", "json", "date-time", "ntpstamp",
"ext-value"] , "default": "string"}, "integer", "portlist", "real", "string", "file",
"ext-dtype": {"type": "string"}}, "path", "frame", "packet", "ipv4-packet",
"required": ["spec-name"], "ipv6-packet", "url", "csv", "winreg",
"additionalProperties": false}, "xml", "ext-value"], "default": "string"},
"StructuredInfo": { "ext-dtype": {"type": "string"},
"type": "object", "meaning": {"type": "string"},
"properties": { "formatid": {"type": "string"},
"SpecID": {"$ref":"#/definitions/SpecID"}, "restriction": {
"ext-SpecID": {"type": "string"}, "$ref": "#/definitions/restriction", "default":
"ContentID": {"type": "string"}, "private"},
"RawData": { "ext-restriction": {"type": "string"},
"type": "array", "observable-id": {"$ref": "#/definitions/IDtype"}},
"items": {"$ref":"#/definitions/BYTE"}, "required": ["value", "dtype"],
"minItems": 1 "additionalProperties":false},
}, "ExtensionTypeList": {
"Reference": { "type": "array",
"type": "array", "items": {"$ref": "#/definitions/ExtensionType"},
"items": {"$ref": "#/definitions/Reference"}, "minItems": 1},
"minItems": 1 "SoftwareType": {
}, "type": "object",
"Platform": { "properties": {
"type": "array", "SoftwareReference":{
"items": {"$ref": "#/definitions/Platform"}, "$ref":"#/definitions/SoftwareReference"},
"minItems": 1 "URL": {
}, "type": "array",
"Scoring": { "items": {"$ref": "#/definitions/URLtype",
"type": "array", "minItems": 1}},
"items": {"$ref": "#/definitions/Scoring"}, "Description": {
"minItems": 1}}, "type": "array",
"allOf": [ "items": {"$ref": "#/definitions/MLStringType"},
{"required": ["SpecID"]}, "minItems": 1 }},
{"anyOf": [ "required": [],
"additionalProperties": false},
"SoftwareReference": {
"type": "object",
"properties": {
"value": {"type": "string"},
"spec-name": {"enum": ["custom", "cpe", "swid",
"ext-value"]},
"ext-spec-name": {"type": "string"},
"dtype": {"enum": ["bytes", "integer", "real", "string",
"xml", "ext-value"], "default": "string"},
"ext-dtype": {"type": "string"}},
"required": ["spec-name"],
"additionalProperties": false},
"STRUCTUREDINFO": {
"type": "object",
"properties": {
"SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"},
"RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1
},
"Platform": {
"type": "array",
"items": {"$ref": "#/definitions/Platform"},
"minItems": 1
},
"Scoring": {
"type": "array",
"items": {"$ref": "#/definitions/Scoring"},
"minItems": 1}},
"allOf": [
{"required": ["SpecID"]},
{"anyOf": [
{"oneOf": [
{"required":["Reference"]},
{"required":["RawData"]}]},
{ "not" : {"required":["Reference", "RawData"]}}]}],
"additionalProperties": false},
"Platform": {
"type": "object",
"properties": {
"SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"},
"RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1}},
"required": ["SpecID"],
"additionalProperties": false},
"Scoring": {
"type": "object",
"properties": {
"SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"},
"RawData": {
"type": "array",
"items": {"$ref":"#/definitions/BYTE"},
"minItems": 1
},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1}},
"required": ["SpecID"],
"additionalProperties": false},
"Incident": {
"title": "Incident",
"description": "JSON schema for Incident class",
"type": "object",
"properties": {
"purpose": {"$ref": "#/definitions/purpose"},
"ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {
"$ref":"#/definitions/AlternativeID"},
"RelatedActivity": {
"type": "array",
"items": {"$ref": "#/definitions/RelatedActivity"},
"minItems": 1},
"DetectTime": {"$ref": "#/definitions/DATETIME"},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"},
"GenerationTime": {"$ref": "#/definitions/DATETIME"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Discovery": {
"type": "array",
"items": {"$ref": "#/definitions/Discovery"},
"minItems": 1},
"Assessment": {
"type": "array",
"items": {"$ref": "#/definitions/Assessment"},
"minItems": 1},
"Method": {
"type": "array",
"items": {"$ref": "#/definitions/Method"},
"minItems": 1},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"EventData": {
"type": "array",
"items": {"$ref": "#/definitions/EventData"},
"minItems": 1},
"Indicator": {
"type": "array",
"items": {"$ref": "#/definitions/Indicator"},
"minItems": 1},
"History": {"$ref": "#/definitions/History"},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IncidentID", "GenerationTime", "Contact",
"purpose"],
"additionalProperties": false},
"IncidentID": {
"title": "IncidentID",
"description": "JSON schema for IncidentID class",
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"instance": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}},
"required": ["id", "name"],
"additionalProperties": false},
"AlternativeID": {
"title": "AlternativeID",
"description": "JSON schema for AlternativeID class",
"type": "object",
"properties": {
"IncidentID": {
"type": "array",
"items":{"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}},
"required": ["IncidentID"],
"additionalProperties": false},
"RelatedActivity": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"IncidentID": {
"type": "array",
"items": {"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"ThreatActor": {
"type": "array",
"items": {"$ref": "#/definitions/ThreatActor"},
"minItems": 1},
"Campaign": {
"type": "array",
"items": {"$ref": "#/definitions/Campaign"},
"minItems": 1},
"IndicatorID": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Description": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"AdditionalData": {
"$ref": "#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"ThreatActor": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"ThreatActorID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"Campaign": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"CampaignID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}}},
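Review bot: Campaign closes right after its properties block with no '"additionalProperties": false', unlike RelatedActivity and ThreatActor just above it, so a Campaign object carrying arbitrary unknown keys still validates. Add '"additionalProperties": false' here. RelatedActivity, ThreatActor and Campaign also omit '"type": "object"', which every other class definition in this part of the schema states; without it a non-object value in those positions is not rejected by these definitions.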
"Contact": {
"type": "object",
"properties": {
"role": {
"enum":["creator", "reporter", "admin", "tech",
"provider", "user", "billing", "legal",
"irt", "abuse", "cc", "cc-irt", "leo",
"vendor", "vendor-support", "victim",
"victim-notified", "ext-value"]},
"ext-role": {"type": "string"},
"type": {
"enum": ["person", "organization", "ext-value"]},
"ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"ContactName": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"ContactTitle": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"RegistryHandle": {
"type":"array",
"items":{"$ref":"#/definitions/RegistryHandle"},
"minItems": 1},
"PostalAddress": {
"type":"array",
"items":{"$ref":"#/definitions/PostalAddress"},
"minItems": 1},
"Email": {
"type": "array",
"items": {"$ref": "#/definitions/Email"},
"minItems": 1},
"Telephone": {
"type": "array",
"items": {"$ref": "#/definitions/Telephone"},
"minItems": 1},
"Timezone": {"$ref": "#/definitions/TimeZonetype"},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role", "type"],
"additionalProperties": false},
"RegistryHandle": {
"type": "object",
"properties": {
"handle": {"type": "string"},
"registry": {
"enum": ["internic", "apnic", "arin", "lacnic",
"ripe", "afrinic", "local", "ext-value"]},
"ext-registry": {"type": "string"}},
"required": ["handle", "registry"],
"additionalProperties": false},
"PostalAddress": {
"type": "object",
"properties": {
"type": {
"enum": ["street", "mailing", "ext-value"]},
"ext-type": {"type": "string"},
"PAddress": {"$ref": "#/definitions/PAddressType"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["PAddress"],
"additionalProperties": false},
"Email": {
"type": "object",
"properties": {
"type": {
"enum":["direct", "hotline", "ext-value"]},
"ext-type": {"type": "string"},
"EmailTo": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["EmailTo"],
"additionalProperties": false},
"Telephone": {
"type": "object",
"properties": {
"type": {
"enum":["wired", "mobile", "fax", "hotline",
"ext-value"]},
"ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["TelephoneNumber"],
"additionalProperties": false},
"Discovery": {
"type": "object",
"properties": {
"source": {
"enum":["nidps", "hips", "siem", "av",
"third-party-monitoring", "incident", "os-log",
"application-log", "device-log", "network-flow",
"passive-dns", "investigation", "audit",
"internal-notification", "external-notification",
"leo", "partner", "actor", "unknown", "ext-value"]},
"ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"DetectionPattern": {
"type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"DetectionPattern": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"DetectionConfiguration": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}},
"allOf": [
{"required": ["Application"]},
{"oneOf": [
{"required":["Description"]},
{"required":["DetectionConfiguration"]}]}],
"additionalProperties": false},
"Method": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"AttackPattern": {
"type":"array",
"items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1},
"Vulnerability": {
"type":"array",
"items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1},
"Weakness": {
"type":"array",
"items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"Reference": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {
"$ref":"#/definitions/ReferenceName"},
"URL":{
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"ReferenceName" : {
"type": "object",
"properties": {
"specIndex": {"type": "number"},
"ID": {"$ref":"#/definitions/IDtype"}},
"required": ["specIndex", "ID"],
"additionalProperties": false},
"Assessment": {
"type": "object",
"properties": {
"occurrence": {"enum":["actual", "potential"]},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Impact": {
"type": "array",
"items": {
"properties": {
"SystemImpact":{
"$ref":"#/definitions/SystemImpact"},
"BusinessImpact":{
"$ref":"#/definitions/BusinessImpact"},
"TimeImpact":{"$ref":"#/definitions/TimeImpact"},
"MonetaryImpact":{
"$ref":"#/definitions/MonetaryImpact"},
"IntendedImpact":{
"$ref":"#/definitions/BusinessImpact"}},
"additionalProperties":false},
"minItems" : 1
},
"Counter": {
"type": "array",
"items": {"$ref": "#/definitions/Counter"},
"minItems": 1},
"MitigatingFactor": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Cause": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Impact"],
"additionalProperties": false},
"SystemImpact": {
"type": "object",
"properties": {
"severity": {"enum":["low", "medium", "high"]},
"completion": {"enum":["failed", "succeeded"]},
"type": {
"enum":["takeover-account", "takeover-service",
"takeover-system", "cps-manipulation", "cps-damage",
"availability-data", "availability-account",
"availability-service", "availability-system",
"damaged-system", "damaged-data",
"breach-proprietary", "breach-privacy",
"breach-credential", "breach-configuration",
"integrity-data", "integrity-configuration",
"integrity-hardware", "traffic-redirection",
"monitoring-traffic", "monitoring-host",
"policy", "unknown", "ext-value"]},
"ext-type": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["type"],
"additionalProperties": false},
"BusinessImpact": {
"type": "object",
"properties": {
"severity": {"enum":["none", "low", "medium", "high",
"unknown", "ext-value"], "default": "unknown"},
"ext-severity": {"type":"string"},
"type": {"enum":["breach-proprietary",
"breach-privacy", "breach-credential",
"loss-of-integrity", "loss-of-service",
"theft-financial", "theft-service",
"degraded-reputation", "asset-damage",
"asset-manipulation", "legal", "extortion",
"unknown", "ext-value"]},
"ext-type": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["type"],
"additionalProperties": false},
"TimeImpact": {
"type": "object",
"properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum": ["low", "medium", "high"]},
"metric": {"enum": ["labor", "elapsed", "downtime",
"ext-value"]},
"ext-metric": {"type": "string"},
"duration": {
"$ref":"#/definitions/duration", "default": "hour"},
"ext-duration": {"type": "string"}},
"required": ["value", "metric"],
"additionalProperties": false},
"MonetaryImpact": {
"type": "object",
"properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum":["low", "medium", "high"]},
"currency": {"type": "string"}},
"required": ["value"],
"additionalProperties": false},
"Confidence": {
"type": "object",
"properties": {
"value": {"type": "number"},
"rating": {"enum": ["low", "medium", "high", "numeric",
"unknown", "ext-value"]},
"ext-rating": {"type":"string"}},
"required": ["value", "rating"],
"additionalProperties": false},
"History": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"HistoryItem": {
"type": "array",
"items": {"$ref": "#/definitions/HistoryItem"},
"minItems": 1}},
"required": ["HistoryItem"],
"additionalProperties": false},
"HistoryItem": {
"type": "object",
"properties": {
"action": {
"$ref": "#/definitions/action", "default": "other"},
"ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"DefinedCOA": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime", "action"],
"additionalProperties": false},
"EventData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array",
"items": { "$ref":"#/definitions/MLStringType"}},
"DetectTime": {"$ref": "#/definitions/DATETIME"},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"Discovery": {
"type": "array",
"items": {"$ref": "#/definitions/Discovery"},
"minItems": 1},
"Assessment": {"$ref": "#/definitions/Assessment"},
"Method": {
"type": "array",
"items": {"$ref": "#/definitions/Method"},
"minItems": 1},
"System": {
"type": "array",
"items": {"$ref": "#/definitions/System"},
"minItems": 1},
"Expectation": {
"type": "array",
"items": {"$ref": "#/definitions/Expectation"},
"minItems": 1},
"RecordData": {
"type": "array",
"items": {"$ref": "#/definitions/RecordData"},
"minItems": 1},
"EventData": {
"type": "array",
"items": {"$ref": "#/definitions/EventData"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
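Review bot: the Description property of EventData is declared as '{"type": "array", "items": {...}}' with no minItems, while the other Description arrays in these definitions all carry '"minItems": 1'. As written, '"Description": []' is accepted for EventData only; add '"minItems": 1' if the empty list is not intended.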
"Expectation": {
"type": "object",
"properties": {
"action": {
"$ref":"#/definitions/action", "default": "other"},
"ext-action": {"type": "string"},
"severity": {"enum": ["low", "medium", "high"]},
"restriction": {"$ref": "#/definitions/restriction",
"default": "default"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"DefinedCOA": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"Contact": {"$ref": "#/definitions/Contact"}},
"required": [],
"additionalProperties": false},
"System": {
"type": "object",
"properties": {
"category": {
"enum": ["source", "target", "intermediate", "sensor",
"infrastructure", "ext-value"]},
"ext-category": {"type": "string"},
"interface": {"type": "string"},
"spoofed": {
"enum": ["unknown", "yes", "no"], "default":"unknown"},
"virtual": {
"enum": ["yes", "no", "unknown"], "default":"unknown"},
"ownership": {
"enum":["organization", "personal", "partner",
"customer", "no-relationship", "unknown",
"ext-value"]},
"ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Node": {"$ref": "#/definitions/Node"},
"NodeRole": {
"type": "array",
"items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1},
"Service": {
"type": "array",
"items": {"$ref": "#/definitions/Service"},
"minItems": 1},
"OperatingSystem": {
"type": "array",
"items": {"$ref": "#/definitions/SoftwareType"},
"minItems": 1},
"Counter": {
"type": "array",
"items": {"$ref": "#/definitions/Counter"},
"minItems": 1},
"AssetID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"],
"additionalProperties": false},
"Node": {
"type": "object",
"properties": {
"DomainData": {
"type": "array",
"items": {"$ref": "#/definitions/DomainData"},
"minItems": 1},
"Address": {
"type": "array",
"items": {"$ref": "#/definitions/Address"},
"minItems": 1},
"PostalAddress": {
"$ref": "#/definitions/PostalAddress"},
"Location": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Counter": {
"type":"array",
"items":{"$ref":"#/definitions/Counter"},
"minItems": 1}},
"anyOf": [
{"required": ["DomainData"]},
{"required": ["Address"]}
],
"additionalProperties": false},
"Address": {
"type": "object",
"properties": {
"value": {"type": "string"},
"category": {
"enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
"ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
"ipv6-net", "ipv6-net-masked", "mac", "site-uri",
"ext-value"], "default": "ipv6-addr"},
"ext-category": {"type": "string"},
"vlan-name": {"type": "string"},
"vlan-num": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["value", "category"],
"additionalProperties": false},
"NodeRole": {
"type": "object",
"properties": {
"category": {
"enum":["client", "client-enterprise",
"client-partner", "client-remote", "client-kiosk",
"client-mobile", "server-internal", "server-public",
"www", "mail", "webmail", "messaging", "streaming",
"voice", "file", "ftp", "p2p", "name", "directory",
"credential", "print", "application", "database",
"backup", "dhcp", "assessment", "source-control",
"config-management", "monitoring", "infra",
"infra-firewall", "infra-router", "infra-switch",
"camera", "proxy", "remote-access", "log",
"virtualization", "pos", "scada",
"scada-supervisory", "sinkhole", "honeypot",
"anomyzation", "c2-server", "malware-distribution",
"drop-server", "hop-point", "reflector",
"phishing-site", "spear-phishing-site",
"recruiting-site", "fraudulent-site",
"ext-value"]},
"ext-category": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["category"],
"additionalProperties": false},
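Review bot: the NodeRole category enum contains "anomyzation", which reads like a misspelling of "anonymization". Because the enum is matched exactly, a producer that emits the correctly spelled value fails validation against this schema, and one that follows the schema emits the misspelled one. Check the value against the NodeRole category list in the IODEF information model and correct the enum entry if they differ.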
"Counter": {
"type": "object",
"properties": {
"value": {"type": "number"},
"type": {
"enum": ["count", "peak", "average", "ext-value"]},
"ext-type": {"type": "string"},
"unit":{"enum":["byte", "mbit", "packet", "flow",
"session", "alert", "message", "event", "host",
"site", "organization", "ext-value"]},
"ext-unit": {"type": "string"},
"meaning": {"type": "string"},
"duration": {
"$ref":"#/definitions/duration", "default": "hour"},
"ext-duration": {"type": "string"}},
"required": ["value", "type", "unit"],
"additionalProperties": false},
"DomainData": {
"type": "object",
"properties": {
"system-status": {
"enum": ["spoofed", "fraudulent", "innocent-hacked",
"innocent-hijacked", "unknown", "ext-value"]},
"ext-system-status": {"type": "string"},
"domain-status": {
"enum": [ "reservedDelegation", "assignedAndActive",
"assignedAndInactive", "assignedAndOnHold",
"revoked", "transferPending",
"registryLock", "registrarLock",
"other", "unknown", "ext-value"]},
"ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"},
"DateDomainWasChecked": {
"$ref": "#/definitions/DATETIME"},
"RegistrationDate": {
"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"NameServers": {
"type": "array",
"items": {"$ref": "#/definitions/NameServers"},
"minItems": 1},
"DomainContacts": {
"$ref": "#/definitions/DomainContacts"}},
"required": ["Name", "system-status", "domain-status"],
"additionalProperties": false},
"NameServers": {
"type": "object",
"properties": {
"Server": {"type": "string"},
"Address": {
"type":"array",
"items":{"$ref":"#/definitions/Address"},
"minItems": 1}},
"required": ["Server", "Address"],
"additionalProperties": false},
"DomainContacts": {
"type": "object",
"properties": {
"SameDomainContact": {"type": "string"},
"Contact": {
"type":"array",
"items":{"$ref":"#/definitions/Contact"},
"minItems": 1}},
"oneOf": [
{"required": ["SameDomainContact"]},
{"required": ["Contact"]}],
"additionalProperties": false},
"Service": {
"type": "object",
"properties": {
"ip-protocol": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "number"},
"Portlist": {"$ref": "#/definitions/PortlistType"},
"ProtoCode": {"type": "number"},
"ProtoType": {"type": "number"},
"ProtoField": {"type": "number"},
"ApplicationHeaderField":{
"$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {
"$ref": "#/definitions/SoftwareType"}},
"required": [],
"additionalProperties": false},
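Review bot: in Service, ip-protocol, Port, ProtoCode, ProtoType and ProtoField are all typed as '"type": "number"', which accepts fractional and negative values such as 80.5 or -1. A consumer that feeds these into filters or correlation rules has to re-validate them itself. Suggest '"type": "integer"' for these fields, with '"minimum": 0' and '"maximum": 65535' on Port.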
"ServiceName": {
"type": "object",
"properties": {
"IANAService": {"type": "string"},
"URL": {
"type": "array", "items": {
"$ref": "#/definitions/URLtype"}},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"EmailData": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"EmailFrom": {"type": "string"},
"EmailSubject": {"type": "string"},
"EmailX-Mailer": {"type": "string"},
"EmailHeaderField": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"},
"HashData": {
"type": "array",
"items": {"$ref": "#/definitions/HashData"},
"minItems": 1},
"Signature": {
"type": "array",
"items": {"$ref": "#/definitions/BYTE"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"RecordData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": {
"type": "array",
"items": {"$ref": "#/definitions/RecordPattern"},
"minItems": 1},
"RecordItem": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"FileData": {
"type": "array",
"items": {"$ref": "#/definitions/FileData"},
"minItems": 1},
"WindowsRegistryKeysModified": {
"type": "array",
"items": {
"$ref":"#/definitions/WindowsRegistryKeysModified"},
"minItems": 1},
"CertificateData": {
"type":"array",
"items":{"$ref":"#/definitions/CertificateData"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"RecordPattern": {
"type": "object",
"properties": {
"value": {"type": "string"},
"type": {
"enum": ["regex", "binary", "xpath", "ext-value"],
"default": "regex"},
"ext-type": {"type": "string"},
"offset": {"type": "number"},
"offsetunit": {"enum":["line", "byte", "ext-value"] ,
"default": "line"},
"ext-offsetunit": {"type": "string"},
"instance": {"type": "number"}},
"required": ["value", "type"],
"additionalProperties": false},
"WindowsRegistryKeysModified": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"Key": {
"type": "array",
"items": {"$ref": "#/definitions/Key"},
"minItems": 1}},
"required": ["Key"],
"additionalProperties": false},
"Key": {
"type": "object",
"properties": {
"registryaction": {"enum": ["add-key", "add-value",
"delete-key", "delete-value",
"modify-key", "modify-value",
"ext-value"]},
"ext-registryaction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"KeyName": {"type":"string"},
"KeyValue": {"type": "string"}},
"required": ["KeyName"],
"additionalProperties": false},
"CertificateData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Certificate": {
"type": "array",
"items": {"$ref": "#/definitions/Certificate"},
"minItems": 1}},
"required": ["Certificate"],
"additionalProperties": false},
"Certificate": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"X509Data": {"$ref": "#/definitions/BYTE"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["X509Data"],
"additionalProperties": false},
"FileData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"File": {
"type": "array",
"items": {"$ref": "#/definitions/File"},
"minItems": 1}},
"required": ["File"],
"additionalProperties": false},
"File": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"FileName": {"type": "string"},
"FileSize": {"type": "number"},
"FileType": {"type": "string"},
"URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"HashData": {"$ref": "#/definitions/HashData"},
"Signature": {
"type": "array",
"items": {"$ref": "#/definitions/BYTE"},
"minItems": 1},
"AssociatedSoftware": {
"$ref": "#/definitions/SoftwareType"},
"FileProperties": {
"type":"array",
"items":{"$ref":"#/definitions/ExtensionType"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"HashData": {
"type": "object",
"properties": {
"scope": {"enum": ["file-contents", "file-pe-section",
"file-pe-iat", "file-pe-resource", "file-pdf-object",
"email-hash", "email-headers-hash", "email-body-hash",
"ext-value"]},
"HashTargetID": {"type": "string"},
"Hash": {
"type": "array",
"items": {"$ref": "#/definitions/Hash"},
"minItems": 1},
"FuzzyHash": {
"type": "array",
"items": {"$ref": "#/definitions/FuzzyHash"},
"minItems": 1}},
"required": ["scope"],
"additionalProperties": false},
"Hash": {
"type": "object",
"properties": {
"DigestMethod": {"$ref": "#/definitions/BYTE"},
"DigestValue": {"$ref": "#/definitions/BYTE"},
"CanonicalizationMethod": {
"$ref": "#/definitions/BYTE"},
"Application": {
"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod", "DigestValue"],
"additionalProperties": false},
"FuzzyHash": {
"type": "object",
"properties": {
"FuzzyHashValue": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"],
"additionalProperties": false},
"Indicator": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": {
"type": "array",
"items": {
"$ref": "#/definitions/AlternativeIndicatorID"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"Observable": {"$ref": "#/definitions/Observable"},
"uid-ref": {"$ref": "#/definitions/IDREFType"},
"IndicatorExpression":{
"$ref":"#/definitions/IndicatorExpression"},
"IndicatorReference":{
"$ref": "#/definitions/IndicatorReference"},
"NodeRole": {
"type": "array",
"items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1},
"AttackPhase": {
"type": "array",
"items": {"$ref": "#/definitions/AttackPhase"},
"minItems": 1},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"allOf": [
{"required": ["IndicatorID"]},
{"oneOf": [ {"oneOf": [
{"required":["Observable"]},
{"required":["uid-ref"]},
{"required":["IndicatorExpression"]},
{"required":["IndicatorReference"]}]}],
"additionalProperties": false},
"IndicatorID": {
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"version": {"type": "string"}},
"required": ["id", "name", "version"],
"additionalProperties": false},
"AlternativeIndicatorID": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"IndicatorID": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1}},
"required": ["IndicatorID"],
"additionalProperties": false},
"Observable": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {
"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {
"$ref": "#/definitions/RegistryHandle"},
"RecordData": {"$ref": "#/definitions/RecordData"},
"EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {
"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {
"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"oneOf": [
{"required":["System"]},
{"required":["Address"]},
{"required":["DomainData"]},
{"required":["EmailData"]},
{"required":["Service"]},
{"required":["WindowsRegistryKeysModified"]},
{"required":["FileData"]},
{"required":["CertificateData"]},
{"required":["RegistryHandle"]},
{"required":["RecordData"]},
{"required":["EventData"]},
{"required":["Incident"]},
{"required":["Expectation"]},
{"required":["Reference"]}, {"required":["Reference"]},
{"required":["RawData"]}]}, {"required":["Assessment"]},
{ "not" : {"required":["Reference", "RawData"]}}]}], {"required":["DetectionPattern"]},
{"required":["HistoryItem"]},
"additionalProperties": false}, {"required":["BulkObservable"]},
"Platform": { {"required":["AdditionalData"]}],
"type": "object", "additionalProperties": false},
"properties": { "BulkObservable": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "type": "object",
"ext-SpecID": {"type": "string"}, "properties": {
"ContentID": {"type": "string"}, "type": {"enum": ["asn", "atm", "e-mail", "ipv4-addr",
"RawData": { "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net",
"type": "array", "ipv6-net-mask", "mac", "site-uri", "domain-name",
"items": {"$ref":"#/definitions/BYTE"}, "domain-to-ipv4", "domain-to-ipv6",
"minItems": 1 "domain-to-ipv4-timestamp",
}, "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port",
"Reference": { "windows-reg-key", "file-hash", "email-x-mailer",
"type": "array", "email-subject", "http-user-agent",
"items": {"$ref": "#/definitions/Reference"}, "http-request-url", "mutex", "file-path", "user-name",
"minItems": 1}}, "ext-value"]},
"required": ["SpecID"], "ext-type": {"type": "string"},
"additionalProperties": false}, "BulkObservableFormat":{
"Scoring": { "$ref": "#/definitions/BulkObservableFormat"},
"type": "object", "BulkObservableList": {"type": "string"},
"properties": { "AdditionalData": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "$ref":"#/definitions/ExtensionTypeList"}},
"ext-SpecID": {"type": "string"}, "required": ["BulkObservableList"],
"ContentID": {"type": "string"}, "additionalProperties": false},
"RawData": { "BulkObservableFormat": {
"type": "array", "type": "object",
"items": {"$ref":"#/definitions/BYTE"}, "properties": {
"minItems": 1 "Hash": {"$ref": "#/definitions/Hash"},
}, "AdditionalData": {
"Reference": { "$ref":"#/definitions/ExtensionTypeList"}},
"type": "array", "oneOf": [
"items": {"$ref": "#/definitions/Reference"}, {"required": ["Hash"]},
"minItems": 1}}, {"required": ["AdditionalData"]}
"required": ["SpecID"], ],
"additionalProperties": false}, "additionalProperties": false},
"Incident": { "IndicatorExpression": {
"title": "Incident", "type": "object",
"description": "JSON schema for Incident class", "properties": {
"type": "object", "operator": {
"properties": { "enum": ["not", "and", "or", "xor"], "default": "and"},
"purpose": {"$ref": "#/definitions/purpose"}, "ext-operator": {"type": "string"},
"ext-purpose": {"type": "string"}, "IndicatorExpression": {
"status": {"$ref": "#/definitions/status"}, "type": "array",
"ext-status": {"type": "string"}, "items": {
"lang": {"$ref": "#/definitions/lang"}, "$ref": "#/definitions/IndicatorExpression"},
"restriction": {"$ref": "#/definitions/restriction", "minItems": 1},
"default": "private"}, "Observable": {
"ext-restriction": {"type": "string"}, "type": "array",
"observable-id": {"$ref": "#/definitions/IDtype"}, "items": {"$ref": "#/definitions/Observable"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "minItems": 1},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "uid-ref": {
"RelatedActivity": { "type": "array",
"type": "array", "items": {"$ref": "#/definitions/IDREFType"},
"items": {"$ref": "#/definitions/RelatedActivity"}, "minItems": 1},
"minItems": 1}, "IndicatorReference": {
"DetectTime": {"$ref": "#/definitions/DATETIME"}, "type": "array",
"StartTime": {"$ref": "#/definitions/DATETIME"}, "items": {
"EndTime": {"$ref": "#/definitions/DATETIME"}, "$ref": "#/definitions/IndicatorReference"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "minItems": 1},
"ReportTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref":"#/definitions/Confidence"},
"GenerationTime": {"$ref": "#/definitions/DATETIME"}, "AdditionalData": {
"Description": { "$ref":"#/definitions/ExtensionTypeList"}},
"type": "array", "required": [],
"items": {"$ref": "#/definitions/MLStringType"}, "additionalProperties": false},
"minItems": 1}, "IndicatorReference": {
"Discovery": { "type": "object",
"type": "array", "properties": {
"items": {"$ref": "#/definitions/Discovery"}, "uid-ref": {"$ref":"#/definitions/IDREFType"},
"minItems": 1}, "euid-ref": {"type": "string"},
"Assessment": { "version": {"type": "string"}},
"type": "array", "oneOf": [
"items": {"$ref": "#/definitions/Assessment"}, {"required": ["uid-ref"]},
"minItems": 1}, {"required": ["euid-ref"]}
"Method": { ],
"type": "array", "additionalProperties": false},
"items": {"$ref": "#/definitions/Method"}, "AttackPhase": {
"minItems": 1}, "type": "object",
"Contact": { "properties": {
"type": "array", "AttackPhaseID": {
"items": {"$ref": "#/definitions/Contact"}, "type": "array",
"minItems": 1}, "items": {"type": "string"},
"EventData": { "minItems": 1},
"type": "array", "URL": {
"items": {"$ref": "#/definitions/EventData"}, "type": "array",
"minItems": 1}, "items": {"$ref": "#/definitions/URLtype"},
"Indicator": { "minItems": 1},
"type": "array", "Description": {
"items": {"$ref": "#/definitions/Indicator"}, "type": "array",
"minItems": 1}, "items": {"$ref": "#/definitions/MLStringType"},
"History": {"$ref": "#/definitions/History"}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"required": ["IncidentID","GenerationTime","Contact","purpose"], "$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "required": [],
"IncidentID": { "additionalProperties": false}},
"title": "IncidentID", "title": "IODEF-Document",
"description": "JSON schema for IncidentID class", "description": "JSON schema for IODEF-Document class",
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "version": {"type": "string"},
"name": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"},
"instance": {"type": "string"}, "format-id": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "private-enum-name": {"type": "string"},
"default": "private"}, "private-enum-id": {"type": "string"},
"ext-restriction": {"type": "string"}}, "Incident": {
"required": ["id","name"],
"additionalProperties": false},
"AlternativeID": {
"title": "AlternativeID",
"description": "JSON schema for AlternativeID class",
"type": "object",
"properties": {
"IncidentID": {
"type": "array",
"items":{"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}},
"required": ["IncidentID"],
"additionalProperties": false},
"RelatedActivity": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"IncidentID": {
"type": "array",
"items": {"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"ThreatActor": {
"type": "array",
"items": {"$ref": "#/definitions/ThreatActor"},
"minItems": 1},
"Campaign": {
"type": "array",
"items": {"$ref": "#/definitions/Campaign"},
"minItems": 1},
"IndicatorID": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Description": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"ThreatActor": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"ThreatActorID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"Campaign": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"CampaignID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
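Review bot: The Campaign definition closes at `"$ref":"#/definitions/ExtensionTypeList"}}},` without `"additionalProperties": false`, while RelatedActivity and ThreatActor directly above both set it, so a Campaign object can carry arbitrary unrecognised members and still validate. All three definitions also omit `"type": "object"`, which means they do not reject a non-object value, since `properties` only constrains objects. Suggest adding `"type": "object"` to the three and `"additionalProperties": false` to Campaign so they match Contact and the other classes.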
"Contact": {
"type": "object",
"properties": {
"role": {
"enum":["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified",
"ext-value"]},
"ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"ContactName": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"ContactTitle": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"RegistryHandle": {
"type":"array",
"items":{"$ref":"#/definitions/RegistryHandle"},
"minItems": 1},
"PostalAddress": {
"type":"array",
"items":{"$ref":"#/definitions/PostalAddress"},
"minItems": 1},
"Email": {
"type": "array",
"items": {"$ref": "#/definitions/Email"},
"minItems": 1},
"Telephone": {
"type": "array",
"items": {"$ref": "#/definitions/Telephone"},
"minItems": 1},
"Timezone": {"$ref": "#/definitions/TimeZonetype"},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role","type"],
"additionalProperties": false},
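Review bot: `role` and `type` in Contact accept `"ext-value"`, but nothing ties that choice to the presence of `ext-role` or `ext-type`, so `{"role":"ext-value","type":"person"}` validates with no extension value given, and `ext-role` is also accepted alongside a non-extension role. Either express the pairing in the schema (for example a `oneOf` that requires `ext-role` when `role` is `ext-value`) or state that consumers must enforce it after schema validation. The same pattern recurs in RegistryHandle, PostalAddress, Email, Telephone and Discovery below.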
"RegistryHandle": {
"type": "object",
"properties": {
"handle": {"type": "string"},
"registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
"local","ext-value"]},
"ext-registry": {"type": "string"}},
"required": ["handle","registry"],
"additionalProperties": false},
"PostalAddress": {
"type": "object",
"properties": {
"type": {
"enum": ["street","mailing","ext-value"]},
"ext-type": {"type": "string"},
"PAddress": {"$ref": "#/definitions/PAddressType"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["PAddress"],
"additionalProperties": false},
"Email": {
"type": "object",
"properties": {
"type": {
"enum":["direct","hotline","ext-value"]},
"ext-type": {"type": "string"},
"EmailTo": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["EmailTo"],
"additionalProperties": false},
"Telephone": {
"type": "object",
"properties": {
"type": {
"enum":["wired","mobile","fax","hotline","ext-value"]},
"ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["TelephoneNumber"],
"additionalProperties": false},
"Discovery": {
"type": "object",
"properties": {
"source": {
"enum":["nidps","hips","siem","av","third-party-monitoring",
"incident","os-log","application-log","device-log",
"network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"DetectionPattern": {
"type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
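Review bot: `"required": []` in Discovery is an empty array, and the same appears in Method and Reference further down; JSON Schema draft-04 requires the `required` array to have at least one element, so a validator that checks the schema against that meta-schema will reject it, while later drafts accept it. If no member is mandatory, drop the keyword. With nothing required, `{}` also validates as a Discovery, so a consumer that depends on `source` or `Description` being present has to check for it itself.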
"DetectionPattern": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"DetectionConfiguration": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}},
"allOf": [
{"required": ["Application"]},
{"oneOf": [
{"required":["Description"]},
{"required":["DetectionConfiguration"]}]}],
"additionalProperties": false},
"Method": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"AttackPattern": {
"type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1},
"Vulnerability": {
"type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1},
"Weakness": {
"type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"Reference": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"$ref":"#/definitions/ReferenceName"},
"URL":{
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": [],
"additionalProperties": false},
"ReferenceName" : {
"type": "object",
"properties": {
"specIndex": {"type": "number"},
"ID": {"$ref":"#/definitions/IDtype"}},
"required": ["specIndex","ID"],
"additionalProperties": false},
"Assessment": {
"type": "object",
"properties": {
"occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Impact": {
"type": "array", "type": "array",
"items": { "items": {"$ref": "#/definitions/Incident"},
"properties": { "minItems": 1},
"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "AdditionalData": {
"BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "$ref":"#/definitions/ExtensionTypeList"}},
"TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "required": ["version", "Incident"],
"MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "additionalProperties": false}
"IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
"additionalProperties":false},
"minItems" : 1
},
"Counter": {
"type": "array",
"items": {"$ref": "#/definitions/Counter"},
"minItems": 1},
"MitigatingFactor": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Cause": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Impact"],
"additionalProperties": false},
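Review bot: The `items` sub-schema of Impact in Assessment lists five optional members with `"additionalProperties":false` but has no `"type": "object"` and no lower bound on members, so `"Impact": [{}]` satisfies both `"minItems" : 1` and `"required": ["Impact"]` while stating no impact at all. Suggest adding `"type": "object"` and `"minProperties": 1`, or a `oneOf` over the five members if exactly one impact class per entry is intended.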
"SystemImpact": {
"type": "object",
"properties": {
"severity": {"enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]},
"type": {
"enum":["takeover-account","takeover-service",
"takeover-system","cps-manipulation","cps-damage",
"availability-data","availability-account",
"availability-service","availability-system",
"damaged-system","damaged-data","breach-proprietary",
"breach-privacy","breach-credential",
"breach-configuration","integrity-data",
"integrity-configuration","integrity-hardware",
"traffic-redirection","monitoring-traffic",
"monitoring-host","policy","unknown","ext-value"]},
"ext-type": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["type"],
"additionalProperties": false},
"BusinessImpact": {
"type": "object",
"properties": {
"severity": {"enum":["none","low","medium","high","unknown",
"ext-value"],"default": "unknown"},
"ext-severity": {"type":"string"},
"type": {"enum":["breach-proprietary","breach-privacy",
"breach-credential","loss-of-integrity","loss-of-service",
"theft-financial","theft-service","degraded-reputation",
"asset-damage","asset-manipulation","legal","extortion",
"unknown","ext-value"]},
"ext-type": {"type": "string"},
"Description": {
"type": "array",
"items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}},
"required": ["type"],
"additionalProperties": false},
"TimeImpact": {
"type": "object",
"properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum": ["low","medium","high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
"ext-metric": {"type": "string"},
"duration": {"$ref":"#/definitions/duration","default": "hour"},
"ext-duration": {"type": "string"}},
"required": ["value","metric"],
"additionalProperties": false},
"MonetaryImpact": {
"type": "object",
"properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum":["low","medium","high"]},
"currency": {"type": "string"}},
"required": ["value"],
"additionalProperties": false},
"Confidence": {
"type": "object",
"properties": {
"value": {"type": "number"},
"rating": {"enum": ["low","medium","high","numeric","unknown",
"ext-value"]},
"ext-rating": {"type":"string"}},
"required": ["value","rating"],
"additionalProperties": false},
"History": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"},
"HistoryItem": {
"type": "array",
"items": {"$ref": "#/definitions/HistoryItem"},
"minItems": 1}},
"required": ["HistoryItem"],
"additionalProperties": false},
"HistoryItem": {