summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8727.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc8727.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc8727.txt')
-rw-r--r--doc/rfc/rfc8727.txt4160
1 files changed, 4160 insertions, 0 deletions
diff --git a/doc/rfc/rfc8727.txt b/doc/rfc/rfc8727.txt
new file mode 100644
index 0000000..993d608
--- /dev/null
+++ b/doc/rfc/rfc8727.txt
@@ -0,0 +1,4160 @@
+
+
+
+
+Internet Engineering Task Force (IETF) T. Takahashi
+Request for Comments: 8727 NICT
+Category: Standards Track R. Danyliw
+ISSN: 2070-1721 CERT
+ M. Suzuki
+ NICT
+ August 2020
+
+
+ JSON Binding of the Incident Object Description Exchange Format
+
+Abstract
+
+ The Incident Object Description Exchange Format (IODEF) defined in
+ RFC 7970 provides an information model and a corresponding XML data
+ model for exchanging incident and indicator information. This
+ document gives implementers and operators an alternative format to
+ exchange the same information by defining an alternative data model
+ implementation in JSON and its encoding in Concise Binary Object
+ Representation (CBOR).
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8727.
+
+Copyright Notice
+
+ Copyright (c) 2020 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 1.1. Requirements Language
+ 2. IODEF Data Types
+ 2.1. Abstract Data Type to JSON Data Type Mapping
+ 2.2. Complex JSON Types
+ 2.2.1. Integer
+ 2.2.2. Multilingual Strings
+ 2.2.3. Enum
+ 2.2.4. Software and Software Reference
+ 2.2.5. Structured Information
+ 2.2.6. EXTENSION
+ 3. IODEF JSON Data Model
+ 3.1. Classes and Elements
+ 3.2. Mapping between JSON and XML IODEF
+ 4. Examples
+ 4.1. Minimal Example
+ 4.2. Indicators from a Campaign
+ 5. Mapkeys
+ 6. The IODEF Data Model (CDDL)
+ 7. IANA Considerations
+ 8. Security Considerations
+ 9. References
+ 9.1. Normative References
+ 9.2. Informative References
+ Appendix A. Data Types Used in This Document
+ Appendix B. The IODEF Data Model (JSON Schema)
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction
+
+ The Incident Object Description Exchange Format (IODEF) [RFC7970]
+ defines a data representation for security incident reports and
+ indicators commonly exchanged by operational security teams. It
+ facilitates the automated exchange of this information to enable
+ mitigation and watch-and-warning. An information model using Unified
+ Modeling Language (UML) is defined in Section 3 of [RFC7970] and a
+ corresponding Extensible Markup Language (XML) schema data model is
+ defined in Section 8 of [RFC7970]. This UML-based information model
+ and XML-based data model are referred to as IODEF UML and IODEF XML,
+ respectively, in this document.
+
+ IODEF documents are structured and thus suitable for machine
+ processing. They will streamline incident response operations.
+ Another well-used and structured format that is suitable for machine
+ processing is JavaScript Object Notation (JSON) [RFC8259]. To
+ facilitate the automation of incident response operations, IODEF
+ documents and implementations should support JSON representation and
+ its encoding in Concise Binary Object Representation (CBOR)
+ [RFC7049].
+
+ This document defines an alternate implementation of the IODEF UML
+ information model by specifying a JSON data model using Concise Data
+ Definition Language (CDDL) [RFC8610] and a JSON Schema [JSON-SCHEMA].
+ This JSON data model is referred to as IODEF JSON in this document.
+ IODEF JSON provides all of the expressivity of IODEF XML. It gives
+ implementers and operators an alternative format to exchange the same
+ information.
+
+ The normative IODEF JSON data model is found in Section 6. Sections
+ 2 and 3 describe the data types and elements of this data model.
+ Section 4 provides examples.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2. IODEF Data Types
+
+ IODEF JSON implements the abstract data types specified in Section 2
+ of [RFC7970].
+
+2.1. Abstract Data Type to JSON Data Type Mapping
+
+ IODEF JSON uses native and derived JSON data types. Table 1
+ describes the mapping between the abstract data types in Section 2 of
+ [RFC7970] and their corresponding implementations in IODEF JSON.
+
+ +=================+==========================+================+
+ | IODEF Data Type | Reference | JSON Data Type |
+ +=================+==========================+================+
+ | INTEGER | Section 2.1 of [RFC7970] | integer; see |
+ | | | Section 2.2.1 |
+ +-----------------+--------------------------+----------------+
+ | REAL | Section 2.2 of [RFC7970] | "number" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | CHARACTER | Section 2.3 of [RFC7970] | "string" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | STRING | Section 2.3 of [RFC7970] | "string" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | ML_STRING | Section 2.4 of [RFC7970] | see |
+ | | | Section 2.2.2 |
+ +-----------------+--------------------------+----------------+
+ | BYTE | Section 2.5.1 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | BYTE[] | Section 2.5.1 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | HEXBIN | Section 2.5.2 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | HEXBIN[] | Section 2.5.2 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | ENUM | Section 2.6 of [RFC7970] | see |
+ | | | Section 2.2.3 |
+ +-----------------+--------------------------+----------------+
+ | DATETIME | Section 2.7 of [RFC7970] | "string" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | TIMEZONE | Section 2.8 of [RFC7970] | "string" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | PORTLIST | Section 2.9 of [RFC7970] | "string" per |
+ | | | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | POSTAL | Section 2.10 of | ML_STRING; see |
+ | | [RFC7970] | Section 2.2.2 |
+ +-----------------+--------------------------+----------------+
+ | PHONE | Section 2.11 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | EMAIL | Section 2.12 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | URL | Section 2.13 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | ID | Section 2.14 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | IDREF | Section 2.14 of | "string" per |
+ | | [RFC7970] | [RFC8259] |
+ +-----------------+--------------------------+----------------+
+ | SOFTWARE | Section 2.15 of | see |
+ | | [RFC7970] | Section 2.2.4 |
+ +-----------------+--------------------------+----------------+
+ | STRUCTUREDINFO | Section 4.4 of [RFC7203] | see |
+ | | | Section 2.2.5 |
+ +-----------------+--------------------------+----------------+
+ | EXTENSION | Section 2.16 of | see |
+ | | [RFC7970] | Section 2.2.6 |
+ +-----------------+--------------------------+----------------+
+
+ Table 1: JSON Data Types
+
+ +=================+================+=============================+
+ | IODEF Data Type | CBOR Data Type | CDDL Prelude [RFC8610] |
+ +=================+================+=============================+
+ | INTEGER | 0, 1, 6 tag 2, | integer |
+ | | 6 tag 3 | |
+ +-----------------+----------------+-----------------------------+
+ | REAL | 7 bits 26 | float32 |
+ +-----------------+----------------+-----------------------------+
+ | CHARACTER | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | STRING | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | ML_STRING | 5 | Maps/Structs (Section 3.5.1 |
+ | | | of [RFC8610]) |
+ +-----------------+----------------+-----------------------------+
+ | BYTE | 6 tag 22 | eb64legacy |
+ +-----------------+----------------+-----------------------------+
+ | BYTE[] | 6 tag 22 | eb64legacy |
+ +-----------------+----------------+-----------------------------+
+ | HEXBIN | 6 tag 23 | eb16 |
+ +-----------------+----------------+-----------------------------+
+ | HEXBIN[] | 6 tag 23 | eb16 |
+ +-----------------+----------------+-----------------------------+
+ | ENUM | - | Choices (Section 2.2.2 of |
+ | | | [RFC8610]) |
+ +-----------------+----------------+-----------------------------+
+ | DATETIME | 6 tag 0 | tdate |
+ +-----------------+----------------+-----------------------------+
+ | TIMEZONE | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | PORTLIST | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | POSTAL | 3 | ML_STRING (Section 2.2.2) |
+ +-----------------+----------------+-----------------------------+
+ | PHONE | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | EMAIL | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | URL | 6 tag 32 | uri |
+ +-----------------+----------------+-----------------------------+
+ | ID | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | IDREF | 3 | text |
+ +-----------------+----------------+-----------------------------+
+ | SOFTWARE | 5 | Maps/Structs (Section 3.5.1 |
+ | | | of [RFC8610]) |
+ +-----------------+----------------+-----------------------------+
+ | STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1 |
+ | | | of [RFC8610]) |
+ +-----------------+----------------+-----------------------------+
+ | EXTENSION | 5 | Maps/Structs (Section 3.5.1 |
+ | | | of [RFC8610]) |
+ +-----------------+----------------+-----------------------------+
+
+ Table 2: CBOR Data Types
+
+2.2. Complex JSON Types
+
+2.2.1. Integer
+
+ An integer is a subset of the "number" type of JSON, which represents
+ signed digits encoded in Base 10. The definition of this integer is
+ "[ minus ] int" per [RFC8259], Section 6.
+
+2.2.2. Multilingual Strings
+
+ A string that needs to be represented in a human-readable language
+ different from the default encoding of the document is represented in
+ the information model by the ML_STRING data type. This data type is
+ implemented as either an object with "value", "lang", and
+ "translation-id" elements or a text string as defined in Section 6.
+ An example is shown below.
+
+ "MLStringType": {
+ "value": "free-form text", # STRING
+ "lang": "en", # ENUM
+ "translation-id": "jp2en0023" # STRING
+ }
+
+ Note that in figures throughout this document, some supplementary
+ information follows "#", but these are not valid syntax in JSON;
+ instead, they are intended to facilitate reader understanding.
+
+2.2.3. Enum
+
+ Enum is an ordered list of acceptable string values. Each value has
+ a representative keyword. Within the data model, the enumerated type
+ keywords are used as attribute values.
+
+2.2.4. Software and Software Reference
+
+ A particular version of software is represented in the information
+ model by the SOFTWARE data type. This software can be described by
+ using a reference, a Uniform Resource Locator (URL) [RFC3986], or
+ free-form text. The SOFTWARE data type is implemented as an object
+ with "SoftwareReference", "URL", and "Description" elements as
+ defined in Section 6. Examples are shown below.
+
+ "SoftwareType": {
+ "SoftwareReference": {...}, # SoftwareReference
+ "Description": ["MS Windows"] # STRING
+ }
+
+ SoftwareReference class is a reference to a particular version of
+ software. Examples are shown below.
+
+ "SoftwareReference": {
+ "value": "cpe:/a:google:chrome:59.0.3071.115", # STRING
+ "spec-name": "cpe", # ENUM
+ "dtype": "string" # ENUM
+ }
+
+2.2.5. Structured Information
+
+ Information provided in the form of a structured string, such as an
+ ID, or structured information, such as XML documents, is represented
+ in the information model by the STRUCTUREDINFO data type. Note that
+ this type was originally specified in Section 4.4 of [RFC7203] as a
+ basic structure of its extension classes. The STRUCTUREDINFO data
+ type is implemented as an object with "SpecID", "ext-SpecID",
+ "ContentID", "RawData", and "Reference" elements. An example for
+ embedding a structured ID is shown below.
+
+ "STRUCTUREDINFO": {
+ "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM
+ "ContentID": "CWE-89" # STRING
+ }
+
+ When embedding the raw data, it should be encoded as a BYTE type
+ object, as shown below.
+
+ "STRUCTUREDINFO": {
+ "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM
+ "RawData": "<<< encoded structured data >>>" # BYTE
+ }
+
+ When embedding the raw data, base64 encoding defined in Section 4 of
+ [RFC4648] MUST be used for JSON IODEF while binary representation
+ MUST be used for CBOR IODEF.
+
+2.2.6. EXTENSION
+
+ Information not otherwise represented in the IODEF can be added using
+ the EXTENSION data type. This data type is a generic extension
+ mechanism. The EXTENSION data type is implemented as an
+ ExtensionType object with "value", "name", "dtype", "ext-dtype",
+ "meaning", "formatid", "restriction", "ext-restriction", and
+ "observable-id" elements. An example for embedding a structured ID
+ is shown below.
+
+ "ExtensionType": {
+ "value": "xxxxxxx", # STRING
+ "name": "Syslog", # STRING
+ "dtype": "string", # ENUM
+ "meaning": "Syslog from the security appliance X" # STRING
+ }
+
+ Note that this data type is specified in [RFC7970] as its generic
+ extension mechanism. If a data item has internal structure that is
+ intended to be processed outside of the IODEF framework, one may
+ consider using the STRUCTUREDINFO data type mentioned in
+ Section 2.2.5.
+
+3. IODEF JSON Data Model
+
+3.1. Classes and Elements
+
+ The following table shows the list of IODEF classes and their
+ elements and the corresponding sections in [RFC7970]. Note that the
+ complete JSON schema is defined in Section 6 using CDDL.
+
+ +===========================+============================+==========+
+ | IODEF Class | Class, Element, and |Section in|
+ | | Attribute |[RFC7970] |
+ +===========================+============================+==========+
+ | IODEF-Document | version | 3.1 |
+ | | lang? | |
+ | | format-id? | |
+ | | private-enum-name? | |
+ | | private-enum-id? | |
+ | | Incident+ | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Incident | purpose | 3.2 |
+ | | ext-purpose? | |
+ | | status? | |
+ | | ext-status? | |
+ | | lang? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | IncidentID | |
+ | | AlternativeID? | |
+ | | RelatedActivity* | |
+ | | DetectTime? | |
+ | | StartTime? | |
+ | | EndTime? | |
+ | | RecoveryTime? | |
+ | | ReportTime? | |
+ | | GenerationTime | |
+ | | Description* | |
+ | | Discovery* | |
+ | | Assessment* | |
+ | | Method* | |
+ | | Contact+ | |
+ | | EventData* | |
+ | | Indicator* | |
+ | | History? | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | IncidentID | id | 3.4 |
+ | | name | |
+ | | instance? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ +---------------------------+----------------------------+----------+
+ | AlternativeID | restriction? | 3.5 |
+ | | ext-restriction? | |
+ | | IncidentID+ | |
+ +---------------------------+----------------------------+----------+
+ | RelatedActivity | restriction? | 3.6 |
+ | | ext-restriction? | |
+ | | IncidentID* | |
+ | | URL* | |
+ | | ThreatActor* | |
+ | | Campaign* | |
+ | | IndicatorID* | |
+ | | Confidence? | |
+ | | Description* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | ThreatActor | restriction? | 3.7 |
+ | | ext-restriction? | |
+ | | ThreatActorID* | |
+ | | URL* | |
+ | | Description* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Campaign | restriction? | 3.8 |
+ | | ext-restriction? | |
+ | | CampaignID* | |
+ | | URL* | |
+ | | Description* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Contact | role | 3.9 |
+ | | ext-role? | |
+ | | type | |
+ | | ext-type? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | ContactName* | |
+ | | ContactTitle* | |
+ | | Description* | |
+ | | RegistryHandle* | |
+ | | PostalAddress* | |
+ | | Email* | |
+ | | Telephone* | |
+ | | Timezone? | |
+ | | Contact* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | RegistryHandle | handle | 3.9.1 |
+ | | registry | |
+ | | ext-registry? | |
+ +---------------------------+----------------------------+----------+
+ | PostalAddress | type? | 3.9.2 |
+ | | ext-type? | |
+ | | PAddress | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | Email | type? | 3.9.3 |
+ | | ext-type? | |
+ | | EmailTo | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | Telephone | type? | 3.9.4 |
+ | | ext-type? | |
+ | | TelephoneNumber | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | Discovery | source? | 3.10 |
+ | | ext-source? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | Description* | |
+ | | Contact* | |
+ | | DetectionPattern* | |
+ +---------------------------+----------------------------+----------+
+ | DetectionPattern | restriction? | 3.10.1 |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | Application | |
+ | | Description* | |
+ | | DetectionConfiguration* | |
+ +---------------------------+----------------------------+----------+
+ | Method | restriction? | 3.11 |
+ | | ext-restriction? | |
+ | | Reference* | |
+ | | Description* | |
+ | | AttackPattern* | |
+ | | Vulnerability* | |
+ | | Weakness* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Weakness | restriction? | 4.5.5 in |
+ | | ext-restriction? |[RFC7203] |
+ +---------------------------+----------------------------+----------+
+ | Reference | observable-id? | 3.11.1 |
+ | | ReferenceName? | |
+ | | URL* | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | Assessment | occurrence? | 3.12 |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | IncidentCategory* | |
+ | | SystemImpact* | |
+ | | BusinessImpact* | |
+ | | TimeImpact* | |
+ | | MonetaryImpact* | |
+ | | IntendedImpact* | |
+ | | Counter* | |
+ | | MitigatingFactor* | |
+ | | Cause* | |
+ | | Confidence? | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | SystemImpact | severity? | 3.12.1 |
+ | | completion? | |
+ | | type | |
+ | | ext-type? | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | BusinessImpact | severity? | 3.12.2 |
+ | | ext-severity? | |
+ | | type | |
+ | | ext-type? | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | TimeImpact | value | 3.12.3 |
+ | | severity? | |
+ | | metric | |
+ | | ext-metric? | |
+ | | duration? | |
+ | | ext-duration? | |
+ +---------------------------+----------------------------+----------+
+ | MonetaryImpact | value | 3.12.4 |
+ | | severity? | |
+ | | currency? | |
+ +---------------------------+----------------------------+----------+
+ | Confidence | value | 3.12.5 |
+ | | rating | |
+ | | ext-rating? | |
+ +---------------------------+----------------------------+----------+
+ | History | restriction? | 3.13 |
+ | | ext-restriction? | |
+ | | HistoryItem+ | |
+ +---------------------------+----------------------------+----------+
+ | HistoryItem | action | 3.13.1 |
+ | | ext-action? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | DateTime | |
+ | | IncidentID? | |
+ | | Contact? | |
+ | | Description* | |
+ | | DefinedCOA* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | EventData | restriction? | 3.14 |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | Description* | |
+ | | DetectTime? | |
+ | | StartTime? | |
+ | | EndTime? | |
+ | | RecoveryTime? | |
+ | | ReportTime? | |
+ | | Contact* | |
+ | | Discovery* | |
+ | | Assessment? | |
+ | | Method* | |
+ | | System* | |
+ | | Expectation* | |
+ | | RecordData* | |
+ | | EventData* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Expectation | action? | 3.15 |
+ | | ext-action? | |
+ | | severity? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | Description* | |
+ | | DefinedCOA* | |
+ | | StartTime? | |
+ | | EndTime? | |
+ | | Contact? | |
+ +---------------------------+----------------------------+----------+
+ | System | category? | 3.17 |
+ | | ext-category? | |
+ | | interface? | |
+ | | spoofed? | |
+ | | virtual? | |
+ | | ownership? | |
+ | | ext-ownership? | |
+ | | restriction? | |
+ | | ext-restriction? | |
+ | | Node | |
+ | | NodeRole* | |
+ | | Service* | |
+ | | OperatingSystem* | |
+ | | Counter* | |
+ | | AssetID* | |
+ | | Description* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Node | DomainData* | 3.18 |
+ | | Address* | |
+ | | PostalAddress? | |
+ | | Location* | |
+ | | Counter* | |
+ +---------------------------+----------------------------+----------+
+ | Address | value | 3.18.1 |
+ | | category | |
+ | | ext-category? | |
+ | | vlan-name? | |
+ | | vlan-num? | |
+ | | observable-id? | |
+ +---------------------------+----------------------------+----------+
+ | NodeRole | category | 3.18.2 |
+ | | ext-category? | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | Counter | value | 3.18.3 |
+ | | type | |
+ | | ext-type? | |
+ | | unit | |
+ | | ext-unit? | |
+ | | meaning? | |
+ | | duration? | |
+ | | ext-duration? | |
+ +---------------------------+----------------------------+----------+
+ | DomainData | system-status | 3.19 |
+ | | ext-system-status? | |
+ | | domain-status | |
+ | | ext-domain-status? | |
+ | | observable-id? | |
+ | | Name | |
+ | | DateDomainWasChecked? | |
+ | | RegistrationDate? | |
+ | | ExpirationDate? | |
+ | | RelatedDNS* | |
+ | | Nameservers* | |
+ | | DomainContacts? | |
+ +---------------------------+----------------------------+----------+
+ | Nameservers | Server | 3.19.1 |
+ | | Address* | |
+ +---------------------------+----------------------------+----------+
+ | DomainContacts | SameDomainContact? | 3.19.2 |
+ | | Contact+ | |
+ +---------------------------+----------------------------+----------+
+ | Service | ip-protocol? | 3.20 |
+ | | observable-id? | |
+ | | ServiceName? | |
+ | | Port? | |
+ | | Portlist? | |
+ | | ProtoCode? | |
+ | | ProtoType? | |
+ | | ProtoField? | |
+ | | ApplicationHeaderField* | |
+ | | EmailData? | |
+ | | Application? | |
+ +---------------------------+----------------------------+----------+
+ | ServiceName | IANAService? | 3.20.1 |
+ | | URL* | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | EmailData | observable-id? | 3.21 |
+ | | EmailTo* | |
+ | | EmailFrom? | |
+ | | EmailSubject? | |
+ | | EmailX-Mailer? | |
+ | | EmailHeaderField* | |
+ | | EmailHeaders? | |
+ | | EmailBody? | |
+ | | EmailMessage? | |
+ | | HashData* | |
+ | | Signature* | |
+ +---------------------------+----------------------------+----------+
+ | RecordData | restriction? | 3.22.1 |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | DateTime? | |
+ | | Description* | |
+ | | Application? | |
+ | | RecordPattern* | |
+ | | RecordItem* | |
+ | | URL* | |
+ | | FileData* | |
+ | |WindowsRegistryKeysModified*| |
+ | | CertificateData* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | RecordPattern | type | 3.22.2 |
+ | | ext-type? | |
+ | | offset? | |
+ | | offsetunit? | |
+ | | ext-offsetunit? | |
+ | | instance? | |
+ | | value | |
+ +---------------------------+----------------------------+----------+
+ |WindowsRegistryKeysModified| observable-id? | 3.23 |
+ | | Key+ | |
+ +---------------------------+----------------------------+----------+
+ | Key | registryaction? | 3.23.1 |
+ | | ext-registryaction? | |
+ | | observable-id? | |
+ | | KeyName | |
+ | | KeyValue? | |
+ +---------------------------+----------------------------+----------+
+ | CertificateData | restriction? | 3.24 |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | Certificate+ | |
+ +---------------------------+----------------------------+----------+
+ | Certificate | observable-id? | 3.24.1 |
+ | | X509Data | |
+ | | Description* | |
+ +---------------------------+----------------------------+----------+
+ | FileData | restriction? | 3.25 |
+ | | ext-restriction? | |
+ | | observable-id? | |
+ | | File+ | |
+ +---------------------------+----------------------------+----------+
+ | File | observable-id? | 3.25.1 |
+ | | FileName? | |
+ | | FileSize? | |
+ | | FileType? | |
+ | | URL* | |
+ | | HashData? | |
+ | | Signature* | |
+ | | AssociatedSoftware? | |
+ | | FileProperties* | |
+ +---------------------------+----------------------------+----------+
+ | HashData | scope | 3.26 |
+ | | HashTargetID? | |
+ | | Hash* | |
+ | | FuzzyHash* | |
+ +---------------------------+----------------------------+----------+
+ | Hash | DigestMethod | 3.26.1 |
+ | | DigestValue | |
+ | | CanonicalizationMethod? | |
+ | | Application? | |
+ +---------------------------+----------------------------+----------+
+ | FuzzyHash | FuzzyHashValue+ | 3.26.2 |
+ | | Application? | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | Indicator | restriction? | 3.29 |
+ | | ext-restriction? | |
+ | | IndicatorID | |
+ | | AlternativeIndicatorID* | |
+ | | Description* | |
+ | | StartTime? | |
+ | | EndTime? | |
+ | | Confidence? | |
+ | | Contact* | |
+ | | Observable? | |
+ | | uid-ref? | |
+ | | IndicatorExpression? | |
+ | | IndicatorReference? | |
+ | | NodeRole* | |
+ | | AttackPhase* | |
+ | | Reference* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | IndicatorID | id | 3.29.1 |
+ | | name | |
+ | | version | |
+ +---------------------------+----------------------------+----------+
+ | AlternativeIndicatorID | restriction? | 3.29.2 |
+ | | ext-restriction? | |
+ | | IndicatorID+ | |
+ +---------------------------+----------------------------+----------+
+ | Observable | restriction? | 3.29.3 |
+ | | ext-restriction? | |
+ | | System? | |
+ | | Address? | |
+ | | DomainData? | |
+ | | Service? | |
+ | | EmailData? | |
+ | |WindowsRegistryKeysModified?| |
+ | | FileData? | |
+ | | CertificateData? | |
+ | | RegistryHandle? | |
+ | | RecordData? | |
+ | | EventData? | |
+ | | Incident? | |
+ | | Expectation? | |
+ | | Reference? | |
+ | | Assessment? | |
+ | | DetectionPattern? | |
+ | | HistoryItem? | |
+ | | BulkObservable? | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | BulkObservable | type? | 3.29.3.1 |
+ | | ext-type? | |
+ | | BulkObservableFormat? | |
+ | | BulkObservableList | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | BulkObservableFormat | Hash? |3.29.3.1.1|
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | IndicatorExpression | operator? | 3.29.4 |
+ | | ext-operator? | |
+ | | IndicatorExpression* | |
+ | | Observable* | |
+ | | uid-ref* | |
+ | | IndicatorReference* | |
+ | | Confidence? | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+ | IndicatorReference | uid-ref? | 3.29.7 |
+ | | euid-ref? | |
+ | | version? | |
+ +---------------------------+----------------------------+----------+
+ | AttackPhase | AttackPhaseID* | 3.29.8 |
+ | | URL* | |
+ | | Description* | |
+ | | AdditionalData* | |
+ +---------------------------+----------------------------+----------+
+
+ Table 3: IODEF Classes
+
+3.2. Mapping between JSON and XML IODEF
+
+ * Attributes and elements of each class in the XML IODEF document
+ are both presented as JSON attributes in the JSON IODEF document,
+ and the order of their appearances is ignored.
+
+ * Flow class is deleted, and classes with its instances now directly
+ have instances of the EventData class that used to belong to the
+ Flow class.
+
+ * ApplicationHeader class is deleted, and classes with its instances
+ now directly have instances of the ApplicationHeaderField class
+ that used to belong to the ApplicationHeader class.
+
+ * SignatureData class is deleted, and classes with its instances now
+ directly have instances of the Signature class that used to belong
+ to the SignatureData class.
+
+ * IndicatorData class is deleted, and classes with its instances now
+ directly have instances of the Indicator class that used to belong
+ to the IndicatorData class.
+
+ * ObservableReference class is deleted, and classes with its
+ instances now directly have uid-ref as an element.
+
+ * Record class is deleted, and classes with its instances now
+ directly have instances of the RecordData class that used to
+ belong to the Record class.
+
+ * The MLStringType was modified to support simple string by allowing
+ the type to have not only a predefined object type but also a text
+ type, in order to allow simple descriptions of elements of the
+ type. Implementations need to be capable of parsing an
+ MLStringType that could take the form of both text and an object.
+
+ * The elements of the ML_STRING type in the XML IODEF document are
+ presented as either STRING type or ML_STRING type in the JSON
+ IODEF document. When converting from the XML IODEF document to
+ the JSON IODEF document, or vice versa, the information contained
+ in the original data of the ML_STRING type must be preserved.
+ When STRING is used instead of ML_STRING, parsers can assume that
+ its "xml:lang" is set to "en".
+
+ * Data models of the extension classes defined by [RFC7203] and
+ referenced by [RFC7970] are represented by the STRUCTUREDINFO
+ class defined in this document.
+
+ * Signature, X509Data, and RawData are encoded using base64 encoding
+ for JSON IODEF and binary representation for CBOR IODEF to
+ represent them as BYTE objects.
+
+ * EmailBody represents a whole message body including MIME structure
+ in the same manner defined in [RFC7970]. In case of an email
+ composed of a MIME multipart, the EmailBody contains multiple body
+ parts separated by boundary strings.
+
+ * The "ipv6-net-mask" type attribute of the BulkObservable class
+ remains available for the purpose of backward compatibility, but
+ the use of this attribute is not recommended because IPv6 does not
+ use netmask any more.
+
+ * ENUM values in this document are extensible and managed by IANA,
+ which is also the case in [RFC7970]. The values in the table are
+ used both by [RFC7970] implementations and by their JSON (and
+ CBOR) bindings as specified by this document.
+
+ * This document uses JSON's "number" type to represent integers that
+ only have full precision for integer values between -2^(53) and
+ 2^(53). When dealing with integers outside the range, this issue
+ needs to be considered.
+
+ * Binaries are encoded in bytes. Note that XML IODEF in [RFC7970]
+ uses HEXBIN due to the incapability of XML for embedding binaries
+ as they are.
+
+4. Examples
+
+ This section provides examples of IODEF documents. These examples do
+ not represent the full capabilities of the data model or the only way
+ to encode particular information.
+
+4.1. Minimal Example
+
+ A document containing only the mandatory elements and attributes is
+ shown below in JSON and CBOR, respectively.
+
+ {
+ "version": "2.0",
+ "lang": "en",
+ "Incident": [{
+ "purpose": "reporting",
+ "restriction": "private",
+ "IncidentID": {
+ "id": "492382",
+ "name": "csirt.example.com"
+ },
+ "GenerationTime": "2015-07-18T09:00:00-05:00",
+ "Contact": [{
+ "type": "organization",
+ "role": "creator",
+ "Email": [{"EmailTo": "contact@csirt.example.com"}]
+ }]
+ }]
+ }
+
+ Figure 1: A Minimal Example in JSON
+
+ A3 # map(3)
+ 37 # negative(23)
+ 63 # text(3)
+ 322E30 # "2.0"
+ 36 # negative(22)
+ 62 # text(2)
+ 656E # "en"
+ 32 # negative(18)
+ 81 # array(1)
+ A5 # map(5)
+ 21 # negative(1)
+ 69 # text(9)
+ 7265706F7274696E67 # "reporting"
+ 29 # negative(9)
+ 67 # text(7)
+ 70726976617465 # "private"
+ 02 # unsigned(2)
+ A2 # map(2)
+ 12 # unsigned(18)
+ 66 # text(6)
+ 343932333832 # "492382"
+ 2E # negative(14)
+ 71 # text(17)
+ 63736972742E6578616D706C652E636F6D
+ # "csirt.example.com"
+ 0A # unsigned(10)
+ 78 19 # text(25)
+ 323031352D30372D31385430393A30303A30302D30353A3030
+ # "2015-07-18T09:00:00
+ # -05:00"
+ 0E # unsigned(14)
+ 81 # array(1)
+ A3 # map(3)
+ 18 1C # unsigned(28)
+ 6C # text(12)
+ 6F7267616E697A6174696F6E # "organization"
+ 18 1A # unsigned(26)
+ 67 # text(7)
+ 63726561746F72 # "creator"
+ 18 22 # unsigned(34)
+ 81 # array(1)
+ A1 # map(1)
+ 18 29 # unsigned(41)
+ 78 19 # text(25)
+ 636F6E746163744063736972742E6578616D70
+ 6C652E636F6D
+ # "contact@csirt.example.com"
+
+ Figure 2: A Minimal Example in CBOR
+
+4.2. Indicators from a Campaign
+
+ An example of C2 domains from a given campaign is shown below in JSON
+ and CBOR, respectively.
+
+ {
+ "version": "2.0",
+ "lang": "en",
+ "Incident": [{
+ "purpose": "watch",
+ "restriction": "green",
+ "IncidentID": {
+ "id": "897923",
+ "name": "csirt.example.com"
+ },
+ "RelatedActivity": [{
+ "ThreatActor": [{
+ "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
+ "Description": ["Aggressive Butterfly"]}],
+ "Campaign": [{
+ "CampaignID": ["C-2015-59405"],
+ "Description": ["Orange Giraffe"]
+ }]
+ }],
+ "GenerationTime": "2015-10-02T11:18:00-05:00",
+ "Description": ["Summarizes the Indicators of Compromise for the
+ Orange Giraffe campaign of the Aggressive Butterfly crime
+ gang."],
+ "Assessment": [{
+ "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
+ }],
+ "Contact": [{
+ "type": "organization",
+ "role": "creator",
+ "ContactName": ["CSIRT for example.com"],
+ "Email": [{
+ "EmailTo": "contact@csirt.example.com"
+ }]
+ }],
+ "Indicator": [{
+ "IndicatorID": {
+ "id": "G90823490",
+ "name": "csirt.example.com",
+ "version": "1"
+ },
+ "Description": ["C2 domains"],
+ "StartTime": "2014-12-02T11:18:00-05:00",
+ "Observable": {
+ "BulkObservable": {
+ "type": "domain-name",
+ "BulkObservableList": "kj290023j09r34.example.com"}
+ }
+ }]
+ }]
+ }
+
+ Figure 3: Indicators from a Campaign in JSON
+
+ A3 # map(3)
+ 37 # negative(23)
+ 63 # text(3)
+ 322E30 # "2.0"
+ 36 # negative(22)
+ 62 # text(2)
+ 656E # "en"
+ 32 # negative(18)
+ 81 # array(1)
+ A9 # map(9)
+ 21 # negative(1)
+ 65 # text(5)
+ 7761746368 # "watch"
+ 29 # negative(9)
+ 65 # text(5)
+ 677265656E # "green"
+ 02 # unsigned(2)
+ A2 # map(2)
+ 12 # unsigned(18)
+ 66 # text(6)
+ 383937393233 # "897923"
+ 2E # negative(14)
+ 71 # text(17)
+ 63736972742E6578616D706C652E636F6D
+ # "csirt.example.com"
+ 04 # unsigned(4)
+ 81 # array(1)
+ A2 # map(2)
+ 14 # unsigned(20)
+ 81 # array(1)
+ A2 # map(2)
+ 18 18 # unsigned(24)
+ 81 # array(1)
+ 78 1A # text(26)
+ 54412D31322D414747524553534956452D4
+ 25554544552464C59
+ # "TA-12-AGGRESSIVE
+ # -BUTTERFLY"
+ 24 # negative(4)
+ 81 # array(1)
+ 74 # text(20)
+ 41676772657373697665204275747465726
+ 66C79
+ # "Aggressive Butterfly"
+ 15 # unsigned(21)
+ 81 # array(1)
+ A2 # map(2)
+ 18 19 # unsigned(25)
+ 81 # array(1)
+ 6C # text(12)
+ 432D323031352D3539343035
+ # "C-2015-59405"
+ 24 # negative(4)
+ 81 # array(1)
+ 6E # text(14)
+ 4F72616E67652047697261666665
+ # "Orange Giraffe"
+ 0A # unsigned(10)
+ 78 19 # text(25)
+ 323031352D31302D30325431313A31383A30302D30353A3030
+ # "2015-10-02T11:18:00-05:00"
+ 24 # negative(4)
+ 81 # array(1)
+ 78 6F # text(111)
+ 53756D6D6172697A65732074686520496E64696361746F7
+ 273206F6620436F6D70726F6D69736520666F7220746865
+ 204F72616E676520476972616666652063616D706169676
+ E206F662074686520416767726573736976652042757474
+ 6572666C79206372696D652067616E672E
+ # "Summarizes the Indicators
+ # of Compromise for the
+ # Orange Giraffe campaign
+ # of the Aggressive
+ # Butterfly crime gang."
+ 0C # unsigned(12)
+ 81 # array(1)
+ A1 # map(1)
+ 18 3F # unsigned(63)
+ 81 # array(1)
+ A1 # map(1)
+ 18 41 # unsigned(65)
+ A1 # map(1)
+ 18 1C # unsigned(28)
+ 72 # text(18)
+ 6272656163682D70726F7072696574617279
+ # "breach-proprietary"
+ 0E # unsigned(14)
+ 81 # array(1)
+ A4 # map(4)
+ 18 1C # unsigned(28)
+ 6C # text(12)
+ 6F7267616E697A6174696F6E
+ # "organization"
+ 18 1A # unsigned(26)
+ 67 # text(7)
+ 63726561746F72 # "creator"
+ 18 1E # unsigned(30)
+ 81 # array(1)
+ 75 # text(21)
+ 435349525420666F72206578616D706C652E636F6D
+ # "CSIRT for example.com"
+ 18 22 # unsigned(34)
+ 81 # array(1)
+ A1 # map(1)
+ 18 29 # unsigned(41)
+ 78 19 # text(25)
+ 636F6E746163744063736972742E6578616D70
+ 6C652E636F6D
+ # "contact@csirt.example.com"
+ 10 # unsigned(16)
+ 81 # array(1)
+ A4 # map(4)
+ 16 # unsigned(22)
+ A3 # map(3)
+ 12 # unsigned(18)
+ 69 # text(9)
+ 473930383233343930 # "G90823490"
+ 2E # negative(14)
+ 71 # text(17)
+ 63736972742E6578616D706C652E636F6D
+ # "csirt.example.com"
+ 37 # negative(23)
+ 61 # text(1)
+ 31 # "1"
+ 24 # negative(4)
+ 81 # array(1)
+ 6A # text(10)
+ 433220646F6D61696E73 # "C2 domains"
+ 06 # unsigned(6)
+ 78 19 # text(25)
+ 323031342D31322D30325431313A31383A30302D30353A3030
+ # "2014-12-02T11:18:00-05:00"
+ 18 AB # unsigned(171)
+ A1 # map(1)
+ 18 B0 # unsigned(176)
+ A2 # map(2)
+ 18 1C # unsigned(28)
+ 6B # text(11)
+ 646F6D61696E2D6E616D65
+ # "domain-name"
+ 18 B2 # unsigned(178)
+ 78 1A # text(26)
+ 6B6A3239303032336A30397233342E6578616D
+ 706C652E636F6D
+ # "kj290023j09r34.example.com"
+
+ Figure 4: Indicators from a Campaign in CBOR
+
+5. Mapkeys
+
+ The mapkeys are provided in Table 4 for minimizing the CBOR size.
+
+ +===================================+=========+
+ | mapkey | cborkey |
+ +===================================+=========+
+ | iodef-version | -24 |
+ +-----------------------------------+---------+
+ | iodef-lang | -23 |
+ +-----------------------------------+---------+
+ | iodef-format-id | -22 |
+ +-----------------------------------+---------+
+ | iodef-private-enum-name | -21 |
+ +-----------------------------------+---------+
+ | iodef-private-enum-id | -20 |
+ +-----------------------------------+---------+
+ | iodef-Incident | -19 |
+ +-----------------------------------+---------+
+ | iodef-AdditionalData | -18 |
+ +-----------------------------------+---------+
+ | iodef-value | -17 |
+ +-----------------------------------+---------+
+ | iodef-translation-id | -16 |
+ +-----------------------------------+---------+
+ | iodef-name | -15 |
+ +-----------------------------------+---------+
+ | iodef-dtype | -14 |
+ +-----------------------------------+---------+
+ | iodef-ext-dtype | -13 |
+ +-----------------------------------+---------+
+ | iodef-meaning | -12 |
+ +-----------------------------------+---------+
+ | iodef-formatid | -11 |
+ +-----------------------------------+---------+
+ | iodef-restriction | -10 |
+ +-----------------------------------+---------+
+ | iodef-ext-restriction | -9 |
+ +-----------------------------------+---------+
+ | iodef-observable-id | -8 |
+ +-----------------------------------+---------+
+ | iodef-SoftwareReference | -7 |
+ +-----------------------------------+---------+
+ | iodef-URL | -6 |
+ +-----------------------------------+---------+
+ | iodef-Description | -5 |
+ +-----------------------------------+---------+
+ | iodef-spec-name | -4 |
+ +-----------------------------------+---------+
+ | iodef-ext-spec-name | -3 |
+ +-----------------------------------+---------+
+ | iodef-purpose | -2 |
+ +-----------------------------------+---------+
+ | iodef-ext-purpose | -1 |
+ +-----------------------------------+---------+
+ | iodef-status | 0 |
+ +-----------------------------------+---------+
+ | iodef-ext-status | 1 |
+ +-----------------------------------+---------+
+ | iodef-IncidentID | 2 |
+ +-----------------------------------+---------+
+ | iodef-AlternativeID | 3 |
+ +-----------------------------------+---------+
+ | iodef-RelatedActivity | 4 |
+ +-----------------------------------+---------+
+ | iodef-DetectTime | 5 |
+ +-----------------------------------+---------+
+ | iodef-StartTime | 6 |
+ +-----------------------------------+---------+
+ | iodef-EndTime | 7 |
+ +-----------------------------------+---------+
+ | iodef-RecoveryTime | 8 |
+ +-----------------------------------+---------+
+ | iodef-ReportTime | 9 |
+ +-----------------------------------+---------+
+ | iodef-GenerationTime | 10 |
+ +-----------------------------------+---------+
+ | iodef-Discovery | 11 |
+ +-----------------------------------+---------+
+ | iodef-Assessment | 12 |
+ +-----------------------------------+---------+
+ | iodef-Method | 13 |
+ +-----------------------------------+---------+
+ | iodef-Contact | 14 |
+ +-----------------------------------+---------+
+ | iodef-EventData | 15 |
+ +-----------------------------------+---------+
+ | iodef-Indicator | 16 |
+ +-----------------------------------+---------+
+ | iodef-History | 17 |
+ +-----------------------------------+---------+
+ | iodef-id | 18 |
+ +-----------------------------------+---------+
+ | iodef-instance | 19 |
+ +-----------------------------------+---------+
+ | iodef-ThreatActor | 20 |
+ +-----------------------------------+---------+
+ | iodef-Campaign | 21 |
+ +-----------------------------------+---------+
+ | iodef-IndicatorID | 22 |
+ +-----------------------------------+---------+
+ | iodef-Confidence | 23 |
+ +-----------------------------------+---------+
+ | iodef-ThreatActorID | 24 |
+ +-----------------------------------+---------+
+ | iodef-CampaignID | 25 |
+ +-----------------------------------+---------+
+ | iodef-role | 26 |
+ +-----------------------------------+---------+
+ | iodef-ext-role | 27 |
+ +-----------------------------------+---------+
+ | iodef-type | 28 |
+ +-----------------------------------+---------+
+ | iodef-ext-type | 29 |
+ +-----------------------------------+---------+
+ | iodef-ContactName | 30 |
+ +-----------------------------------+---------+
+ | iodef-ContactTitle | 31 |
+ +-----------------------------------+---------+
+ | iodef-RegistryHandle | 32 |
+ +-----------------------------------+---------+
+ | iodef-PostalAddress | 33 |
+ +-----------------------------------+---------+
+ | iodef-Email | 34 |
+ +-----------------------------------+---------+
+ | iodef-Telephone | 35 |
+ +-----------------------------------+---------+
+ | iodef-Timezone | 36 |
+ +-----------------------------------+---------+
+ | iodef-handle | 37 |
+ +-----------------------------------+---------+
+ | iodef-registry | 38 |
+ +-----------------------------------+---------+
+ | iodef-ext-registry | 39 |
+ +-----------------------------------+---------+
+ | iodef-PAddress | 40 |
+ +-----------------------------------+---------+
+ | iodef-EmailTo | 41 |
+ +-----------------------------------+---------+
+ | iodef-TelephoneNumber | 42 |
+ +-----------------------------------+---------+
+ | iodef-source | 43 |
+ +-----------------------------------+---------+
+ | iodef-ext-source | 44 |
+ +-----------------------------------+---------+
+ | iodef-DetectionPattern | 45 |
+ +-----------------------------------+---------+
+ | iodef-DetectionConfiguration | 46 |
+ +-----------------------------------+---------+
+ | iodef-Application | 47 |
+ +-----------------------------------+---------+
+ | iodef-Reference | 48 |
+ +-----------------------------------+---------+
+ | iodef-AttackPattern | 49 |
+ +-----------------------------------+---------+
+ | iodef-Vulnerability | 50 |
+ +-----------------------------------+---------+
+ | iodef-Weakness | 51 |
+ +-----------------------------------+---------+
+ | iodef-SpecID | 52 |
+ +-----------------------------------+---------+
+ | iodef-ext-SpecID | 53 |
+ +-----------------------------------+---------+
+ | iodef-ContentID | 54 |
+ +-----------------------------------+---------+
+ | iodef-RawData | 55 |
+ +-----------------------------------+---------+
+ | iodef-Platform | 56 |
+ +-----------------------------------+---------+
+ | iodef-Scoring | 57 |
+ +-----------------------------------+---------+
+ | iodef-ReferenceName | 58 |
+ +-----------------------------------+---------+
+ | iodef-specIndex | 59 |
+ +-----------------------------------+---------+
+ | iodef-ID | 60 |
+ +-----------------------------------+---------+
+ | iodef-occurrence | 61 |
+ +-----------------------------------+---------+
+ | iodef-IncidentCategory | 62 |
+ +-----------------------------------+---------+
+ | iodef-Impact | 63 |
+ +-----------------------------------+---------+
+ | iodef-SystemImpact | 64 |
+ +-----------------------------------+---------+
+ | iodef-BusinessImpact | 65 |
+ +-----------------------------------+---------+
+ | iodef-TimeImpact | 66 |
+ +-----------------------------------+---------+
+ | iodef-MonetaryImpact | 67 |
+ +-----------------------------------+---------+
+ | iodef-IntendedImpact | 68 |
+ +-----------------------------------+---------+
+ | iodef-Counter | 69 |
+ +-----------------------------------+---------+
+ | iodef-MitigatingFactor | 70 |
+ +-----------------------------------+---------+
+ | iodef-Cause | 71 |
+ +-----------------------------------+---------+
+ | iodef-severity | 72 |
+ +-----------------------------------+---------+
+ | iodef-completion | 73 |
+ +-----------------------------------+---------+
+ | iodef-ext-severity | 74 |
+ +-----------------------------------+---------+
+ | iodef-metric | 75 |
+ +-----------------------------------+---------+
+ | iodef-ext-metric | 76 |
+ +-----------------------------------+---------+
+ | iodef-duration | 77 |
+ +-----------------------------------+---------+
+ | iodef-ext-duration | 78 |
+ +-----------------------------------+---------+
+ | iodef-currency | 79 |
+ +-----------------------------------+---------+
+ | iodef-rating | 80 |
+ +-----------------------------------+---------+
+ | iodef-ext-rating | 81 |
+ +-----------------------------------+---------+
+ | iodef-HistoryItem | 82 |
+ +-----------------------------------+---------+
+ | iodef-action | 83 |
+ +-----------------------------------+---------+
+ | iodef-ext-action | 84 |
+ +-----------------------------------+---------+
+ | iodef-DateTime | 85 |
+ +-----------------------------------+---------+
+ | iodef-DefinedCOA | 86 |
+ +-----------------------------------+---------+
+ | iodef-System | 87 |
+ +-----------------------------------+---------+
+ | iodef-Expectation | 88 |
+ +-----------------------------------+---------+
+ | iodef-RecordData | 89 |
+ +-----------------------------------+---------+
+ | iodef-category | 90 |
+ +-----------------------------------+---------+
+ | iodef-ext-category | 91 |
+ +-----------------------------------+---------+
+ | iodef-interface | 92 |
+ +-----------------------------------+---------+
+ | iodef-spoofed | 93 |
+ +-----------------------------------+---------+
+ | iodef-virtual | 94 |
+ +-----------------------------------+---------+
+ | iodef-ownership | 95 |
+ +-----------------------------------+---------+
+ | iodef-ext-ownership | 96 |
+ +-----------------------------------+---------+
+ | iodef-Node | 97 |
+ +-----------------------------------+---------+
+ | iodef-NodeRole | 98 |
+ +-----------------------------------+---------+
+ | iodef-Service | 99 |
+ +-----------------------------------+---------+
+ | iodef-OperatingSystem | 100 |
+ +-----------------------------------+---------+
+ | iodef-AssetID | 101 |
+ +-----------------------------------+---------+
+ | iodef-DomainData | 102 |
+ +-----------------------------------+---------+
+ | iodef-Address | 103 |
+ +-----------------------------------+---------+
+ | iodef-Location | 104 |
+ +-----------------------------------+---------+
+ | iodef-vlan-name | 105 |
+ +-----------------------------------+---------+
+ | iodef-vlan-num | 106 |
+ +-----------------------------------+---------+
+ | iodef-unit | 107 |
+ +-----------------------------------+---------+
+ | iodef-ext-unit | 108 |
+ +-----------------------------------+---------+
+ | iodef-system-status | 109 |
+ +-----------------------------------+---------+
+ | iodef-ext-system-status | 110 |
+ +-----------------------------------+---------+
+ | iodef-domain-status | 111 |
+ +-----------------------------------+---------+
+ | iodef-ext-domain-status | 112 |
+ +-----------------------------------+---------+
+ | iodef-Name | 113 |
+ +-----------------------------------+---------+
+ | iodef-DateDomainWasChecked | 114 |
+ +-----------------------------------+---------+
+ | iodef-RegistrationDate | 115 |
+ +-----------------------------------+---------+
+ | iodef-ExpirationDate | 116 |
+ +-----------------------------------+---------+
+ | iodef-RelatedDNS | 117 |
+ +-----------------------------------+---------+
+ | iodef-NameServers | 118 |
+ +-----------------------------------+---------+
+ | iodef-DomainContacts | 119 |
+ +-----------------------------------+---------+
+ | iodef-Server | 120 |
+ +-----------------------------------+---------+
+ | iodef-SameDomainContact | 121 |
+ +-----------------------------------+---------+
+ | iodef-ip-protocol | 122 |
+ +-----------------------------------+---------+
+ | iodef-ServiceName | 123 |
+ +-----------------------------------+---------+
+ | iodef-Port | 124 |
+ +-----------------------------------+---------+
+ | iodef-Portlist | 125 |
+ +-----------------------------------+---------+
+ | iodef-ProtoCode | 126 |
+ +-----------------------------------+---------+
+ | iodef-ProtoType | 127 |
+ +-----------------------------------+---------+
+ | iodef-ProtoField | 128 |
+ +-----------------------------------+---------+
+ | iodef-ApplicationHeaderField | 129 |
+ +-----------------------------------+---------+
+ | iodef-EmailData | 130 |
+ +-----------------------------------+---------+
+ | iodef-IANAService | 131 |
+ +-----------------------------------+---------+
+ | iodef-EmailFrom | 132 |
+ +-----------------------------------+---------+
+ | iodef-EmailSubject | 133 |
+ +-----------------------------------+---------+
+ | iodef-EmailX-Mailer | 134 |
+ +-----------------------------------+---------+
+ | iodef-EmailHeaderField | 135 |
+ +-----------------------------------+---------+
+ | iodef-EmailHeaders | 136 |
+ +-----------------------------------+---------+
+ | iodef-EmailBody | 137 |
+ +-----------------------------------+---------+
+ | iodef-EmailMessage | 138 |
+ +-----------------------------------+---------+
+ | iodef-HashData | 139 |
+ +-----------------------------------+---------+
+ | iodef-Signature | 140 |
+ +-----------------------------------+---------+
+ | iodef-RecordPattern | 141 |
+ +-----------------------------------+---------+
+ | iodef-RecordItem | 142 |
+ +-----------------------------------+---------+
+ | iodef-FileData | 143 |
+ +-----------------------------------+---------+
+ | iodef-WindowsRegistryKeysModified | 144 |
+ +-----------------------------------+---------+
+ | iodef-CertificateData | 145 |
+ +-----------------------------------+---------+
+ | iodef-offset | 146 |
+ +-----------------------------------+---------+
+ | iodef-offsetunit | 147 |
+ +-----------------------------------+---------+
+ | iodef-ext-offsetunit | 148 |
+ +-----------------------------------+---------+
+ | iodef-Key | 149 |
+ +-----------------------------------+---------+
+ | iodef-registryaction | 150 |
+ +-----------------------------------+---------+
+ | iodef-ext-registryaction | 151 |
+ +-----------------------------------+---------+
+ | iodef-KeyName | 152 |
+ +-----------------------------------+---------+
+ | iodef-KeyValue | 153 |
+ +-----------------------------------+---------+
+ | iodef-Certificate | 154 |
+ +-----------------------------------+---------+
+ | iodef-X509Data | 155 |
+ +-----------------------------------+---------+
+ | iodef-File | 156 |
+ +-----------------------------------+---------+
+ | iodef-FileName | 157 |
+ +-----------------------------------+---------+
+ | iodef-FileSize | 158 |
+ +-----------------------------------+---------+
+ | iodef-FileType | 159 |
+ +-----------------------------------+---------+
+ | iodef-AssociatedSoftware | 160 |
+ +-----------------------------------+---------+
+ | iodef-FileProperties | 161 |
+ +-----------------------------------+---------+
+ | iodef-scope | 162 |
+ +-----------------------------------+---------+
+ | iodef-HashTargetID | 163 |
+ +-----------------------------------+---------+
+ | iodef-Hash | 164 |
+ +-----------------------------------+---------+
+ | iodef-FuzzyHash | 165 |
+ +-----------------------------------+---------+
+ | iodef-DigestMethod | 166 |
+ +-----------------------------------+---------+
+ | iodef-DigestValue | 167 |
+ +-----------------------------------+---------+
+ | iodef-CanonicalizationMethod | 168 |
+ +-----------------------------------+---------+
+ | iodef-FuzzyHashValue | 169 |
+ +-----------------------------------+---------+
+ | iodef-AlternativeIndicatorID | 170 |
+ +-----------------------------------+---------+
+ | iodef-Observable | 171 |
+ +-----------------------------------+---------+
+ | iodef-uid-ref | 172 |
+ +-----------------------------------+---------+
+ | iodef-IndicatorExpression | 173 |
+ +-----------------------------------+---------+
+ | iodef-IndicatorReference | 174 |
+ +-----------------------------------+---------+
+ | iodef-AttackPhase | 175 |
+ +-----------------------------------+---------+
+ | iodef-BulkObservable | 176 |
+ +-----------------------------------+---------+
+ | iodef-BulkObservableFormat | 177 |
+ +-----------------------------------+---------+
+ | iodef-BulkObservableList | 178 |
+ +-----------------------------------+---------+
+ | iodef-operator | 179 |
+ +-----------------------------------+---------+
+ | iodef-ext-operator | 180 |
+ +-----------------------------------+---------+
+ | iodef-euid-ref | 181 |
+ +-----------------------------------+---------+
+ | iodef-AttackPhaseID | 182 |
+ +-----------------------------------+---------+
+
+ Table 4: Mapkeys
+
+6. The IODEF Data Model (CDDL)
+
+ This section provides the IODEF data model. Note that mapkeys are
+ described at the beginning of the CDDL data model for better
+ readability.
+
+ start = iodef
+
+ ;;; iodef.json: IODEF-Document
+
+ iodef-version = -24
+ iodef-lang = -23
+ iodef-format-id = -22
+ iodef-private-enum-name = -21
+ iodef-private-enum-id = -20
+ iodef-Incident = -19
+ iodef-AdditionalData = -18
+ iodef-value = -17
+ iodef-translation-id = -16
+ iodef-name = -15
+ iodef-dtype = -14
+ iodef-ext-dtype = -13
+ iodef-meaning = -12
+ iodef-formatid = -11
+ iodef-restriction = -10
+ iodef-ext-restriction = -9
+ iodef-observable-id = -8
+ iodef-SoftwareReference = -7
+ iodef-URL = -6
+ iodef-Description = -5
+ iodef-spec-name = -4
+ iodef-ext-spec-name = -3
+ iodef-purpose = -2
+ iodef-ext-purpose = -1
+ iodef-status = 0
+ iodef-ext-status = 1
+ iodef-IncidentID = 2
+ iodef-AlternativeID = 3
+ iodef-RelatedActivity = 4
+ iodef-DetectTime = 5
+ iodef-StartTime = 6
+ iodef-EndTime = 7
+ iodef-RecoveryTime = 8
+ iodef-ReportTime = 9
+ iodef-GenerationTime = 10
+ iodef-Discovery = 11
+ iodef-Assessment = 12
+ iodef-Method = 13
+ iodef-Contact = 14
+ iodef-EventData = 15
+ iodef-Indicator = 16
+ iodef-History = 17
+ iodef-id = 18
+ iodef-instance = 19
+ iodef-ThreatActor = 20
+ iodef-Campaign = 21
+ iodef-IndicatorID = 22
+ iodef-Confidence = 23
+ iodef-ThreatActorID = 24
+ iodef-CampaignID = 25
+ iodef-role = 26
+ iodef-ext-role = 27
+ iodef-type = 28
+ iodef-ext-type = 29
+ iodef-ContactName = 30
+ iodef-ContactTitle = 31
+ iodef-RegistryHandle = 32
+ iodef-PostalAddress = 33
+ iodef-Email = 34
+ iodef-Telephone = 35
+ iodef-Timezone = 36
+ iodef-handle = 37
+ iodef-registry = 38
+ iodef-ext-registry = 39
+ iodef-PAddress = 40
+ iodef-EmailTo = 41
+ iodef-TelephoneNumber = 42
+ iodef-source = 43
+ iodef-ext-source = 44
+ iodef-DetectionPattern = 45
+ iodef-DetectionConfiguration = 46
+ iodef-Application = 47
+ iodef-Reference = 48
+ iodef-AttackPattern = 49
+ iodef-Vulnerability = 50
+ iodef-Weakness = 51
+ iodef-SpecID = 52
+ iodef-ext-SpecID = 53
+ iodef-ContentID = 54
+ iodef-RawData = 55
+ iodef-Platform = 56
+ iodef-Scoring = 57
+ iodef-ReferenceName = 58
+ iodef-specIndex = 59
+ iodef-ID = 60
+ iodef-occurrence = 61
+ iodef-IncidentCategory = 62
+ iodef-Impact = 63
+ iodef-SystemImpact = 64
+ iodef-BusinessImpact = 65
+ iodef-TimeImpact = 66
+ iodef-MonetaryImpact = 67
+ iodef-IntendedImpact = 68
+ iodef-Counter = 69
+ iodef-MitigatingFactor = 70
+ iodef-Cause = 71
+ iodef-severity = 72
+ iodef-completion = 73
+ iodef-ext-severity = 74
+ iodef-metric = 75
+ iodef-ext-metric = 76
+ iodef-duration = 77
+ iodef-ext-duration = 78
+ iodef-currency = 79
+ iodef-rating = 80
+ iodef-ext-rating = 81
+ iodef-HistoryItem = 82
+ iodef-action = 83
+ iodef-ext-action = 84
+ iodef-DateTime = 85
+ iodef-DefinedCOA = 86
+ iodef-System = 87
+ iodef-Expectation = 88
+ iodef-RecordData = 89
+ iodef-category = 90
+ iodef-ext-category = 91
+ iodef-interface = 92
+ iodef-spoofed = 93
+ iodef-virtual = 94
+ iodef-ownership = 95
+ iodef-ext-ownership = 96
+ iodef-Node = 97
+ iodef-NodeRole = 98
+ iodef-Service = 99
+ iodef-OperatingSystem = 100
+ iodef-AssetID = 101
+ iodef-DomainData = 102
+ iodef-Address = 103
+ iodef-Location = 104
+ iodef-vlan-name = 105
+ iodef-vlan-num = 106
+ iodef-unit = 107
+ iodef-ext-unit = 108
+ iodef-system-status = 109
+ iodef-ext-system-status = 110
+ iodef-domain-status = 111
+ iodef-ext-domain-status = 112
+ iodef-Name = 113
+ iodef-DateDomainWasChecked = 114
+ iodef-RegistrationDate = 115
+ iodef-ExpirationDate = 116
+ iodef-RelatedDNS = 117
+ iodef-NameServers = 118
+ iodef-DomainContacts = 119
+ iodef-Server = 120
+ iodef-SameDomainContact = 121
+ iodef-ip-protocol = 122
+ iodef-ServiceName = 123
+ iodef-Port = 124
+ iodef-Portlist = 125
+ iodef-ProtoCode = 126
+ iodef-ProtoType = 127
+ iodef-ProtoField = 128
+ iodef-ApplicationHeaderField = 129
+ iodef-EmailData = 130
+ iodef-IANAService = 131
+ iodef-EmailFrom = 132
+ iodef-EmailSubject = 133
+ iodef-EmailX-Mailer = 134
+ iodef-EmailHeaderField = 135
+ iodef-EmailHeaders = 136
+ iodef-EmailBody = 137
+ iodef-EmailMessage = 138
+ iodef-HashData = 139
+ iodef-Signature = 140
+ iodef-RecordPattern = 141
+ iodef-RecordItem = 142
+ iodef-FileData = 143
+ iodef-WindowsRegistryKeysModified = 144
+ iodef-CertificateData = 145
+ iodef-offset = 146
+ iodef-offsetunit = 147
+ iodef-ext-offsetunit = 148
+ iodef-Key = 149
+ iodef-registryaction = 150
+ iodef-ext-registryaction = 151
+ iodef-KeyName = 152
+ iodef-KeyValue = 153
+ iodef-Certificate = 154
+ iodef-X509Data = 155
+ iodef-File = 156
+ iodef-FileName = 157
+ iodef-FileSize = 158
+ iodef-FileType = 159
+ iodef-AssociatedSoftware = 160
+ iodef-FileProperties = 161
+ iodef-scope = 162
+ iodef-HashTargetID = 163
+ iodef-Hash = 164
+ iodef-FuzzyHash = 165
+ iodef-DigestMethod = 166
+ iodef-DigestValue = 167
+ iodef-CanonicalizationMethod = 168
+ iodef-FuzzyHashValue = 169
+ iodef-AlternativeIndicatorID = 170
+ iodef-Observable = 171
+ iodef-uid-ref = 172
+ iodef-IndicatorExpression = 173
+ iodef-IndicatorReference = 174
+ iodef-AttackPhase = 175
+ iodef-BulkObservable = 176
+ iodef-BulkObservableFormat = 177
+ iodef-BulkObservableList = 178
+ iodef-operator = 179
+ iodef-ext-operator = 180
+ iodef-euid-ref = 181
+ iodef-AttackPhaseID = 182
+
+ iodef = {
+ iodef-version => text,
+ ? iodef-lang => lang,
+ ? iodef-format-id => text
+ ? iodef-private-enum-name => text,
+ ? iodef-private-enum-id => text,
+ iodef-Incident => [+ Incident],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ duration = "second" / "minute" / "hour" / "day" / "month" /
+ "quarter" / "year" / "ext-value"
+ lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
+
+ restriction = "public" / "partner" / "need-to-know" / "private" /
+ "default" / "white" / "green" / "amber" / "red" /
+ "ext-value"
+ SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
+ IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
+ IDREFType = IDtype
+ URLtype = uri
+ TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
+ PortlistType = text .regexp
+ "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
+ action = "nothing" / "contact-source-site" / "contact-target-site" /
+ "contact-sender" / "investigate" / "block-host" /
+ "block-network" / "block-port" / "rate-limit-host" /
+ "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
+ "honeypot" / "upgrade-software" / "rebuild-asset" /
+ "harden-asset" / "remediate-other" / "status-triage" /
+ "status-new-info" / "watch-and-report" / "training" /
+ "defined-coa" / "other" / "ext-value"
+
+ DATETIME = tdate
+
+ BYTE = eb64legacy
+
+ MLStringType = {
+ iodef-value => text,
+ ? iodef-lang => lang,
+ ? iodef-translation-id => text
+ } / text
+
+ PositiveFloatType = float32 .gt 0
+
+ PAddressType = MLStringType
+
+ ExtensionType = {
+ iodef-value => text,
+ ? iodef-name => text,
+ iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
+ "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
+ "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
+ "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
+ "ext-value"
+ .default "string"
+ ? iodef-ext-dtype => text,
+ ? iodef-meaning => text,
+ ? iodef-formatid => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ }
+
+ SoftwareType = {
+ ? iodef-SoftwareReference => SoftwareReference,
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ SoftwareReference = {
+ ? iodef-value => text,
+ iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
+ ? iodef-ext-spec-name => text,
+ ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
+ "ext-value" .default "string",
+ ? iodef-ext-dtype => text
+ }
+
+ Incident = {
+ iodef-purpose => "traceback" / "mitigation" / "reporting" /
+ "watch" / "other" / "ext-value",
+ ? iodef-ext-purpose => text,
+ ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
+ "future" / "ext-value",
+ ? iodef-ext-status => text,
+ ? iodef-lang => lang,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-IncidentID => IncidentID,
+ ? iodef-AlternativeID => AlternativeID,
+ ? iodef-RelatedActivity => [+ RelatedActivity],
+ ? iodef-DetectTime => DATETIME,
+ ? iodef-StartTime => DATETIME,
+ ? iodef-EndTime => DATETIME,
+ ? iodef-RecoveryTime => DATETIME,
+ ? iodef-ReportTime => DATETIME,
+ iodef-GenerationTime => DATETIME,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-Discovery => [+ Discovery],
+ ? iodef-Assessment => [+ Assessment],
+ ? iodef-Method => [+ Method],
+ iodef-Contact => [+ Contact],
+ ? iodef-EventData => [+ EventData],
+ ? iodef-Indicator => [+ Indicator],
+ ? iodef-History => History,
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ IncidentID = {
+ iodef-id => text,
+ iodef-name => text,
+ ? iodef-instance => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text
+ }
+
+ AlternativeID = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ iodef-IncidentID => [+ IncidentID]
+ }
+
+ RelatedActivity = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-IncidentID => [+ IncidentID],
+ ? iodef-URL => [+ URLtype],
+ ? iodef-ThreatActor => [+ ThreatActor],
+ ? iodef-Campaign => [+ Campaign],
+ ? iodef-IndicatorID => [+ IndicatorID],
+ ? iodef-Confidence => Confidence,
+ ? iodef-Description => [+ text],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ ThreatActor = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-ThreatActorID => [+ text],
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Campaign = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-CampaignID => [+ text],
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Contact = {
+ iodef-role => "creator" / "reporter" / "admin" / "tech" /
+ "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
+ "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
+ "victim" / "victim-notified" / "ext-value",
+ ? iodef-ext-role => text,
+ iodef-type => "person" / "organization" / "ext-value",
+ ? iodef-ext-type => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-ContactName => [+ MLStringType],
+ ? iodef-ContactTitle => [+ MLStringType],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-RegistryHandle => [+ RegistryHandle],
+ ? iodef-PostalAddress => [+ PostalAddress],
+ ? iodef-Email => [+ Email],
+ ? iodef-Telephone => [+ Telephone],
+ ? iodef-Timezone => TimeZonetype,
+ ? iodef-Contact => [+ Contact],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ RegistryHandle = {
+ iodef-handle => text,
+ iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
+ "ripe" / "afrinic" / "local" / "ext-value",
+ ? iodef-ext-registry => text
+ }
+
+ PostalAddress = {
+ ? iodef-type => "street" / "mailing" / "ext-value",
+ ? iodef-ext-type => text,
+ iodef-PAddress => PAddressType,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ Email = {
+ ? iodef-type => "direct" / "hotline" / "ext-value",
+ ? iodef-ext-type => text,
+ iodef-EmailTo => text,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ Telephone = {
+ ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
+ "ext-value",
+ ? iodef-ext-type => text,
+ iodef-TelephoneNumber => text,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ Discovery = {
+ ? iodef-source => "nidps" / "hips" / "siem" / "av" /
+ "third-party-monitoring" / "incident" / "os-log" /
+ "application-log" / "device-log" / "network-flow" /
+ "passive-dns" / "investigation" / "audit" /
+ "internal-notification" / "external-notification" /
+ "leo" / "partner" / "actor" / "unknown" / "ext-value",
+ ? iodef-ext-source => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-Contact => [+ Contact],
+ ? iodef-DetectionPattern => [+ DetectionPattern]
+ }
+
+ DetectionPattern = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ (iodef-Description => [+ MLStringType] //
+ iodef-DetectionConfiguration => [+ text]),
+ iodef-Application => SoftwareType
+ }
+
+ Method = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-Reference => [+ Reference],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-AttackPattern => [+ STRUCTUREDINFO],
+ ? iodef-Vulnerability => [+ STRUCTUREDINFO],
+ ? iodef-Weakness => [+ STRUCTUREDINFO],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ STRUCTUREDINFO = {
+ iodef-SpecID => SpecID,
+ ? iodef-ext-SpecID => text,
+ ? iodef-ContentID => text,
+ ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
+ ? iodef-Platform => [+ Platform],
+ ? iodef-Scoring => [+ Scoring]
+ }
+
+ Platform = {
+ iodef-SpecID => SpecID,
+ ? iodef-ext-SpecID => text,
+ ? iodef-ContentID => text,
+ ? iodef-RawData => [+ BYTE],
+ ? iodef-Reference => [+ Reference]
+ }
+ Scoring = {
+ iodef-SpecID => SpecID,
+ ? iodef-ext-SpecID => text,
+ ? iodef-ContentID => text,
+ ? iodef-RawData => [+ BYTE],
+ ? iodef-Reference => [+ Reference]
+ }
+ Reference = {
+ ? iodef-observable-id => IDtype,
+ ? iodef-ReferenceName => ReferenceName,
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ ReferenceName = {
+ iodef-specIndex => integer,
+ iodef-ID => IDtype
+ }
+
+ Assessment = {
+ ? iodef-occurrence => "actual" / "potential",
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ ? iodef-IncidentCategory => [+ MLStringType],
+ iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
+ {iodef-BusinessImpact => BusinessImpact /
+ {iodef-TimeImpact => TimeImpact} /
+ {iodef-MonetaryImpact => MonetaryImpact} /
+ {iodef-IntendedImpact => BusinessImpact}],
+ ? iodef-Counter => [+ Counter],
+ ? iodef-MitigatingFactor => [+ MLStringType],
+ ? iodef-Cause => [+ MLStringType],
+ ? iodef-Confidence => Confidence,
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ SystemImpact = {
+ ? iodef-severity => "low" / "medium" / "high",
+ ? iodef-completion => "failed" / "succeeded",
+ iodef-type => "takeover-account" / "takeover-service" /
+ "takeover-system" / "cps-manipulation" / "cps-damage" /
+ "availability-data" / "availability-account" /
+ "availability-service" / "availability-system" / "damaged-system" /
+ "damaged-data" / "breach-proprietary" / "breach-privacy" /
+ "breach-credential" / "breach-configuration" / "integrity-data" /
+ "integrity-configuration" / "integrity-hardware" /
+ "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
+ "policy" / "unknown" / "ext-value" .default "unknown",
+ ? iodef-ext-type => text,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ BusinessImpact = {
+ ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
+ "ext-value" .default "unknown",
+ ? iodef-ext-severity => text,
+ iodef-type => "breach-proprietary" / "breach-privacy" /
+ "breach-credential" / "loss-of-integrity" / "loss-of-service" /
+ "theft-financial" / "theft-service" / "degraded-reputation" /
+ "asset-damage" / "asset-manipulation" / "legal" / "extortion" /
+ "unknown" / "ext-value" .default "unknown",
+ ? iodef-ext-type => text,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ TimeImpact = {
+ iodef-value => PositiveFloatType,
+ ? iodef-severity => "low" / "medium" / "high",
+ iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
+ ? iodef-ext-metric => text,
+ ? iodef-duration => duration .default "hour",
+ ? iodef-ext-duration => text
+ }
+
+ MonetaryImpact = {
+ iodef-value => PositiveFloatType,
+ ? iodef-severity => "low" / "medium" / "high",
+ ? iodef-currency => text
+ }
+
+ Confidence = {
+ iodef-value => float32,
+ iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
+ "ext-value",
+ ? iodef-ext-rating => text
+ }
+
+ History = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ iodef-HistoryItem => [+ HistoryItem]
+ }
+
+ HistoryItem = {
+ iodef-action => action .default "other",
+ ? iodef-ext-action => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-DateTime => DATETIME,
+ ? iodef-IncidentID => IncidentID,
+ ? iodef-Contact => Contact,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-DefinedCOA => [+ text],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ EventData = {
+ ? iodef-restriction => restriction .default "default",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-DetectTime => DATETIME,
+ ? iodef-StartTime => DATETIME,
+ ? iodef-EndTime => DATETIME,
+ ? iodef-RecoveryTime => DATETIME,
+ ? iodef-ReportTime => DATETIME,
+ ? iodef-Contact => [+ Contact],
+ ? iodef-Discovery => [+ Discovery],
+ ? iodef-Assessment => Assessment,
+ ? iodef-Method => [+ Method],
+ ? iodef-System => [+ System],
+ ? iodef-Expectation => [+ Expectation],
+ ? iodef-RecordData => [+ RecordData],
+ ? iodef-EventData => [+ EventData],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Expectation = {
+ ? iodef-action => action .default "other",
+ ? iodef-ext-action => text,
+ ? iodef-severity => "low" / "medium" / "high",
+ ? iodef-restriction => restriction .default "default",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-DefinedCOA => [+ text],
+ ? iodef-StartTime => DATETIME,
+ ? iodef-EndTime => DATETIME,
+ ? iodef-Contact => Contact
+ }
+
+ System = {
+ ? iodef-category => "source" / "target" / "intermediate" /
+ "sensor" / "infrastructure" / "ext-value",
+ ? iodef-ext-category => text,
+ ? iodef-interface => text,
+ ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
+ ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
+ ? iodef-ownership => "organization" / "personal" / "partner" /
+ "customer" / "no-relationship" / "unknown" / "ext-value",
+ ? iodef-ext-ownership => text,
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-Node => Node,
+ ? iodef-NodeRole => [+ NodeRole],
+ ? iodef-Service => [+ Service],
+ ? iodef-OperatingSystem => [+ SoftwareType],
+ ? iodef-Counter => [+ Counter],
+ ? iodef-AssetID => [+ text],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Node = {
+ (iodef-DomainData => [+ DomainData] //
+ iodef-Address => [+ Address]),
+ ? iodef-PostalAddress => PostalAddress,
+ ? iodef-Location => [+ MLStringType],
+ ? iodef-Counter => [+ Counter]
+ }
+
+ Address = {
+ iodef-value => text,
+ iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
+ "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
+ "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
+ "ext-value" .default "ipv6-addr",
+ ? iodef-ext-category => text,
+ ? iodef-vlan-name => text,
+ ? iodef-vlan-num => integer,
+ ? iodef-observable-id => IDtype
+ }
+
+ NodeRole = {
+ iodef-category => "client" / "client-enterprise" /
+ "client-partner" / "client-remote" / "client-kiosk" /
+ "client-mobile" / "server-internal" / "server-public" /
+ "www" / "mail" / "webmail" / "messaging" / "streaming" /
+ "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
+ "credential" / "print" / "application" / "database" /
+ "backup" / "dhcp" / "assessment" / "source-control" /
+ "config-management" / "monitoring" / "infra" / "infra-firewall" /
+ "infra-router" / "infra-switch" / "camera" / "proxy" /
+ "remote-access" / "log" / "virtualization" / "pos" / "scada" /
+ "scada-supervisory" / "sinkhole" / "honeypot" /
+ "anomyzation" / "c2-server" / "malware-distribution" /
+ "drop-server" / "hop-point" / "reflector" /
+ "phishing-site" / "spear-phishing-site" / "recruiting-site" /
+ "fraudulent-site" / "ext-value",
+ ? iodef-ext-category => text,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ Counter = {
+ iodef-value => float32,
+ iodef-type => "count" / "peak" / "average" / "ext-value",
+ ? iodef-ext-type => text,
+ iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
+ "alert" / "message" / "event" / "host" / "site" / "organization" /
+ "ext-value",
+ ? iodef-ext-unit => text,
+ ? iodef-meaning => text,
+ ? iodef-duration => duration .default "hour",
+ ? iodef-ext-duration => text
+ }
+
+ DomainData = {
+ iodef-system-status => "spoofed" / "fraudulent" /
+ "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
+ ? iodef-ext-system-status => text,
+ iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
+ "assignedAndInactive" / "assignedAndOnHold" /
+ "revoked" / "transferPending" / "registryLock" /
+ "registrarLock" / "other" / "unknown" / "ext-value",
+ ? iodef-ext-domain-status => text,
+ ? iodef-observable-id => IDtype,
+ iodef-Name => text,
+ ? iodef-DateDomainWasChecked => DATETIME,
+ ? iodef-RegistrationDate => DATETIME,
+ ? iodef-ExpirationDate => DATETIME,
+ ? iodef-RelatedDNS => [+ ExtensionType],
+ ? iodef-NameServers => [+ NameServers],
+ ? iodef-DomainContacts => DomainContacts
+ }
+
+ NameServers = {
+ iodef-Server => text,
+ iodef-Address => [+ Address]
+ }
+
+ DomainContacts = {
+ (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
+ }
+
+ Service = {
+ ? iodef-ip-protocol => integer,
+ ? iodef-observable-id => IDtype,
+ ? iodef-ServiceName => ServiceName,
+ ? iodef-Port => integer,
+ ? iodef-Portlist => PortlistType,
+ ? iodef-ProtoCode => integer,
+ ? iodef-ProtoType => integer,
+ ? iodef-ProtoField => integer,
+ ? iodef-ApplicationHeaderField => [+ ExtensionType],
+ ? iodef-EmailData => EmailData,
+ ? iodef-Application => SoftwareType
+ }
+
+ ServiceName = {
+ ? iodef-IANAService => text,
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ EmailData = {
+ ? iodef-observable-id => IDtype,
+ ? iodef-EmailTo => [+ text],
+ ? iodef-EmailFrom => text,
+ ? iodef-EmailSubject => text,
+ ? iodef-EmailX-Mailer => text,
+ ? iodef-EmailHeaderField => [+ ExtensionType],
+ ? iodef-EmailHeaders => text,
+ ? iodef-EmailBody => text,
+ ? iodef-EmailMessage => text,
+ ? iodef-HashData => [+ HashData],
+ ? iodef-Signature => [+ BYTE]
+ }
+
+ RecordData = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ ? iodef-DateTime => DATETIME,
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-Application => SoftwareType,
+ ? iodef-RecordPattern => [+ RecordPattern],
+ ? iodef-RecordItem => [+ ExtensionType],
+ ? iodef-URL => [+ URLtype],
+ ? iodef-FileData => [+ FileData],
+ ? iodef-WindowsRegistryKeysModified =>
+ [+ WindowsRegistryKeysModified],
+ ? iodef-CertificateData => [+ CertificateData],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ RecordPattern = {
+ iodef-value => text,
+ iodef-type => "regex" / "binary" / "xpath" /
+ "ext-value" .default "regex",
+ ? iodef-ext-type => text,
+ ? iodef-offset => integer,
+ ? iodef-offsetunit => "line" / "byte" /
+ "ext-value" .default "line",
+ ? iodef-ext-offsetunit => text,
+ ? iodef-instance => integer
+ }
+
+ WindowsRegistryKeysModified = {
+ ? iodef-observable-id => IDtype,
+ iodef-Key => [+ Key]
+ }
+
+ Key = {
+ ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
+ "delete-value" / "modify-key" / "modify-value" /
+ "ext-value",
+ ? iodef-ext-registryaction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-KeyName => text,
+ ? iodef-KeyValue => text
+ }
+
+ CertificateData = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-Certificate => [+ Certificate]
+ }
+
+ Certificate = {
+ ? iodef-observable-id => IDtype,
+ iodef-X509Data => BYTE,
+ ? iodef-Description => [+ MLStringType]
+ }
+
+ FileData = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? iodef-observable-id => IDtype,
+ iodef-File => [+ File]
+ }
+
+ File = {
+ ? iodef-observable-id => IDtype,
+ ? iodef-FileName => text,
+ ? iodef-FileSize => integer,
+ ? iodef-FileType => text,
+ ? iodef-URL => [+ URLtype],
+ ? iodef-HashData => HashData,
+ ? iodef-Signature => [+ BYTE],
+ ? iodef-AssociatedSoftware => SoftwareType,
+ ? iodef-FileProperties => [+ ExtensionType]
+ }
+
+ HashData = {
+ iodef-scope => "file-contents" / "file-pe-section" /
+ "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
+ "email-hash" / "email-headers-hash" / "email-body-hash" /
+ "ext-value",
+ ? iodef-HashTargetID => text,
+ ? iodef-Hash => [+ Hash],
+ ? iodef-FuzzyHash => [+ FuzzyHash]
+ }
+
+ Hash = {
+ iodef-DigestMethod => BYTE,
+ iodef-DigestValue => BYTE,
+ ? iodef-CanonicalizationMethod => BYTE,
+ ? iodef-Application => SoftwareType
+ }
+
+ FuzzyHash = {
+ iodef-FuzzyHashValue => [+ ExtensionType],
+ ? iodef-Application => SoftwareType,
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Indicator = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ iodef-IndicatorID => IndicatorID,
+ ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-StartTime => DATETIME,
+ ? iodef-EndTime => DATETIME,
+ ? iodef-Confidence => Confidence,
+ ? iodef-Contact => [+ Contact],
+ (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
+ iodef-IndicatorExpression => IndicatorExpression //
+ iodef-IndicatorReference => IndicatorReference),
+ ? iodef-NodeRole => [+ NodeRole],
+ ? iodef-AttackPhase => [+ AttackPhase],
+ ? iodef-Reference => [+ Reference],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ IndicatorID = {
+ iodef-id => IDtype,
+ iodef-name => text,
+ iodef-version => text
+ }
+
+ AlternativeIndicatorID = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ iodef-IndicatorID => [+ IndicatorID]
+ }
+
+ Observable = {
+ ? iodef-restriction => restriction .default "private",
+ ? iodef-ext-restriction => text,
+ ? (iodef-System => System // iodef-Address => Address //
+ iodef-DomainData => DomainData //
+ iodef-EmailData => EmailData //
+ iodef-Service => Service //
+ iodef-WindowsRegistryKeysModified =>
+ WindowsRegistryKeysModified //
+ iodef-FileData => FileData //iodef-CertificateData =>
+ CertificateData //
+ iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>
+ RecordData //
+ iodef-EventData => EventData // iodef-Incident => Incident //
+ iodef-Expectation => Expectation // iodef-Reference =>
+ Reference //
+ iodef-Assessment => Assessment //
+ iodef-DetectionPattern => DetectionPattern //
+ iodef-HistoryItem => HistoryItem //
+ iodef-BulkObservable => BulkObservable //
+ iodef-AdditionalData => [+ ExtensionType])
+ }
+
+ BulkObservable = {
+ ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
+ "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
+ "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
+ "domain-to-ipv4" / "domain-to-ipv6" /
+ "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
+ "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
+ "email-x-mailer" / "email-subject" / "http-user-agent" /
+ "http-request-uri" / "mutex" / "file-path" / "user-name" /
+ "ext-value",
+ ? iodef-ext-type => text,
+ ? iodef-BulkObservableFormat => BulkObservableFormat,
+ iodef-BulkObservableList => text,
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ BulkObservableFormat = {
+ (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
+ }
+
+ IndicatorExpression = {
+ ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
+ ? iodef-ext-operator => text,
+ ? iodef-IndicatorExpression => [+ IndicatorExpression],
+ ? iodef-Observable => [+ Observable],
+ ? iodef-uid-ref => [+ IDREFType],
+ ? iodef-IndicatorReference => [+ IndicatorReference],
+ ? iodef-Confidence => Confidence,
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ IndicatorReference = {
+ (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
+ ? iodef-version => text
+ }
+
+ AttackPhase = {
+ ? iodef-AttackPhaseID => [+ text],
+ ? iodef-URL => [+ URLtype],
+ ? iodef-Description => [+ MLStringType],
+ ? iodef-AdditionalData => [+ ExtensionType]
+ }
+
+ Figure 5: Data Model in CDDL
+
+7. IANA Considerations
+
+ This document has no IANA actions.
+
+8. Security Considerations
+
+ This document provides a mapping from XML IODEF defined in [RFC7970]
+ to JSON, and Section 3.2 describes several issues that arise when
+ converting XML IODEF and JSON IODEF. Though it does not provide any
+ further security considerations other than the one described in
+ [RFC7970], implementers of this document should be aware of those
+ issues to avoid any unintended outcome.
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
+ Resource Identifier (URI): Generic Syntax", STD 66,
+ RFC 3986, DOI 10.17487/RFC3986, January 2005,
+ <https://www.rfc-editor.org/info/rfc3986>.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
+ <https://www.rfc-editor.org/info/rfc4648>.
+
+ [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object
+ Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
+ October 2013, <https://www.rfc-editor.org/info/rfc7049>.
+
+ [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
+ Incident Object Description Exchange Format (IODEF)
+ Extension for Structured Cybersecurity Information",
+ RFC 7203, DOI 10.17487/RFC7203, April 2014,
+ <https://www.rfc-editor.org/info/rfc7203>.
+
+ [RFC7970] Danyliw, R., "The Incident Object Description Exchange
+ Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
+ November 2016, <https://www.rfc-editor.org/info/rfc7970>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
+ Interchange Format", STD 90, RFC 8259,
+ DOI 10.17487/RFC8259, December 2017,
+ <https://www.rfc-editor.org/info/rfc8259>.
+
+ [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
+ Definition Language (CDDL): A Notational Convention to
+ Express Concise Binary Object Representation (CBOR) and
+ JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
+ June 2019, <https://www.rfc-editor.org/info/rfc8610>.
+
+9.2. Informative References
+
+ [JSON-SCHEMA]
+ Wright, A., Andrews, H., and B. Hutton, "JSON Schema
+ Validation: A Vocabulary for Structural Validation of
+ JSON", Work in Progress, Internet-Draft, draft-handrews-
+ json-schema-validation-02, 17 September 2019,
+ <https://tools.ietf.org/html/draft-handrews-json-schema-
+ validation-02>.
+
+Appendix A. Data Types Used in This Document
+
+ The CDDL prelude used in this document is mapped to JSON as shown in
+ the table below.
+
+ +==============+=========+==========+=============================+
+ | CDDL Prelude | Use of | Instance | Validation |
+ | | JSON | | |
+ +==============+=========+==========+=============================+
+ | bytes | n/a | string | tool available |
+ +--------------+---------+----------+-----------------------------+
+ | text | string | string | unnecessary |
+ +--------------+---------+----------+-----------------------------+
+ | tdate | n/a | string | date-time per Section 7.3.1 |
+ | | | | of [JSON-SCHEMA] |
+ +--------------+---------+----------+-----------------------------+
+ | integer | n/a | number | integer |
+ +--------------+---------+----------+-----------------------------+
+ | eb64legacy | n/a | string | tool available |
+ +--------------+---------+----------+-----------------------------+
+ | uri | n/a | string | uri per Section 7.3.6 of |
+ | | | | [JSON-SCHEMA] |
+ +--------------+---------+----------+-----------------------------+
+ | float32 | float32 | number | unnecessary |
+ +--------------+---------+----------+-----------------------------+
+
+ Table 5: CDDL Prelude Mapping in JSON
+
+Appendix B. The IODEF Data Model (JSON Schema)
+
+ This section provides a JSON schema [JSON-SCHEMA] that defines the
+ IODEF data model defined in this document. Note that this section is
+ informative.
+
+ { "$schema": "https://json-schema.org/draft-04/schema#",
+ "definitions": {
+ "action": {"enum": ["nothing", "contact-source-site",
+ "contact-target-site", "contact-sender", "investigate",
+ "block-host", "block-network", "block-port",
+ "rate-limit-host", "rate-limit-network",
+ "rate-limit-port", "redirect-traffic", "honeypot",
+ "upgrade-software", "rebuild-asset", "harden-asset",
+ "remediate-other", "status-triage", "status-new-info",
+ "watch-and-report", "training", "defined-coa", "other",
+ "ext-value"]},
+ "duration":{"enum":["second", "minute", "hour", "day",
+ "month", "quarter", "year", "ext-value"]},
+ "SpecID":{
+ "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2",
+ "private"]},
+ "lang": {
+ "type":"string", "pattern":
+ "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
+ "purpose": {"enum": ["traceback", "mitigation",
+ "reporting", "watch", "other", "ext-value"]},
+ "restriction":{"enum": ["public", "partner",
+ "need-to-know", "private", "default", "white", "green",
+ "amber", "red", "ext-value"]},
+ "status": {"enum": ["new", "in-progress", "forwarded",
+ "resolved", "future", "ext-value"]},
+ "DATETIME": {"type": "string", "format": "date-time"},
+ "BYTE": {"type": "string"},
+ "PortlistType": {
+ "type": "string", "pattern":
+ "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
+ "TimeZonetype": {
+ "type":"string", "pattern":
+ "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
+ "URLtype": {
+ "type": "string",
+ "pattern":
+ "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))
+ ?(#(.*))?"},
+ "IDtype": {"type": "string", "pattern":
+ "[a-zA-Z_][a-zA-Z0-9_.-]*"},
+ "IDREFType": {"$ref": "#/definitions/IDtype"},
+ "MLStringType": {
+ "oneOf": [{"type": "string"},
+ {"type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "lang": {"$ref": "#/definitions/lang"},
+ "translation-id": {"type": "string"}},
+ "required": ["value"],
+ "additionalProperties":false}]},
+ "PositiveFloatType": {"type": "number", "minimum": 0},
+ "PAddressType": {"$ref": "#/definitions/MLStringType"},
+ "ExtensionType": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "name": {"type": "string"},
+ "dtype":{"enum":["boolean", "byte", "bytes",
+ "character", "json", "date-time", "ntpstamp",
+ "integer", "portlist", "real", "string", "file",
+ "path", "frame", "packet", "ipv4-packet",
+ "ipv6-packet", "url", "csv", "winreg",
+ "xml", "ext-value"], "default": "string"},
+ "ext-dtype": {"type": "string"},
+ "meaning": {"type": "string"},
+ "formatid": {"type": "string"},
+ "restriction": {
+ "$ref": "#/definitions/restriction", "default":
+ "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"}},
+ "required": ["value", "dtype"],
+ "additionalProperties":false},
+ "ExtensionTypeList": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ExtensionType"},
+ "minItems": 1},
+ "SoftwareType": {
+ "type": "object",
+ "properties": {
+ "SoftwareReference":{
+ "$ref":"#/definitions/SoftwareReference"},
+ "URL": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/URLtype",
+ "minItems": 1}},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1 }},
+ "required": [],
+ "additionalProperties": false},
+ "SoftwareReference": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "spec-name": {"enum": ["custom", "cpe", "swid",
+ "ext-value"]},
+ "ext-spec-name": {"type": "string"},
+ "dtype": {"enum": ["bytes", "integer", "real", "string",
+ "xml", "ext-value"], "default": "string"},
+ "ext-dtype": {"type": "string"}},
+ "required": ["spec-name"],
+ "additionalProperties": false},
+ "STRUCTUREDINFO": {
+ "type": "object",
+ "properties": {
+ "SpecID": {"$ref":"#/definitions/SpecID"},
+ "ext-SpecID": {"type": "string"},
+ "ContentID": {"type": "string"},
+ "RawData": {
+ "type": "array",
+ "items": {"$ref":"#/definitions/BYTE"},
+ "minItems": 1
+ },
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Reference"},
+ "minItems": 1
+ },
+ "Platform": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Platform"},
+ "minItems": 1
+ },
+ "Scoring": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Scoring"},
+ "minItems": 1}},
+ "allOf": [
+ {"required": ["SpecID"]},
+ {"anyOf": [
+ {"oneOf": [
+ {"required":["Reference"]},
+ {"required":["RawData"]}]},
+ { "not" : {"required":["Reference", "RawData"]}}]}],
+ "additionalProperties": false},
+ "Platform": {
+ "type": "object",
+ "properties": {
+ "SpecID": {"$ref":"#/definitions/SpecID"},
+ "ext-SpecID": {"type": "string"},
+ "ContentID": {"type": "string"},
+ "RawData": {
+ "type": "array",
+ "items": {"$ref":"#/definitions/BYTE"},
+ "minItems": 1
+ },
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Reference"},
+ "minItems": 1}},
+ "required": ["SpecID"],
+ "additionalProperties": false},
+ "Scoring": {
+ "type": "object",
+ "properties": {
+ "SpecID": {"$ref":"#/definitions/SpecID"},
+ "ext-SpecID": {"type": "string"},
+ "ContentID": {"type": "string"},
+ "RawData": {
+ "type": "array",
+ "items": {"$ref":"#/definitions/BYTE"},
+ "minItems": 1
+ },
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Reference"},
+ "minItems": 1}},
+ "required": ["SpecID"],
+ "additionalProperties": false},
+ "Incident": {
+ "title": "Incident",
+ "description": "JSON schema for Incident class",
+ "type": "object",
+ "properties": {
+ "purpose": {"$ref": "#/definitions/purpose"},
+ "ext-purpose": {"type": "string"},
+ "status": {"$ref": "#/definitions/status"},
+ "ext-status": {"type": "string"},
+ "lang": {"$ref": "#/definitions/lang"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "IncidentID": {"$ref": "#/definitions/IncidentID"},
+ "AlternativeID": {
+ "$ref":"#/definitions/AlternativeID"},
+ "RelatedActivity": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/RelatedActivity"},
+ "minItems": 1},
+ "DetectTime": {"$ref": "#/definitions/DATETIME"},
+ "StartTime": {"$ref": "#/definitions/DATETIME"},
+ "EndTime": {"$ref": "#/definitions/DATETIME"},
+ "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
+ "ReportTime": {"$ref": "#/definitions/DATETIME"},
+ "GenerationTime": {"$ref": "#/definitions/DATETIME"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Discovery": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Discovery"},
+ "minItems": 1},
+ "Assessment": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Assessment"},
+ "minItems": 1},
+ "Method": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Method"},
+ "minItems": 1},
+ "Contact": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Contact"},
+ "minItems": 1},
+ "EventData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/EventData"},
+ "minItems": 1},
+ "Indicator": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Indicator"},
+ "minItems": 1},
+ "History": {"$ref": "#/definitions/History"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["IncidentID", "GenerationTime", "Contact",
+ "purpose"],
+ "additionalProperties": false},
+ "IncidentID": {
+ "title": "IncidentID",
+ "description": "JSON schema for IncidentID class",
+ "type": "object",
+ "properties": {
+ "id": {"type": "string"},
+ "name": {"type": "string"},
+ "instance": {"type": "string"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"}},
+ "required": ["id", "name"],
+ "additionalProperties": false},
+ "AlternativeID": {
+ "title": "AlternativeID",
+ "description": "JSON schema for AlternativeID class",
+ "type": "object",
+ "properties": {
+ "IncidentID": {
+ "type": "array",
+ "items":{"$ref": "#/definitions/IncidentID"},
+ "minItems": 1},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"}},
+ "required": ["IncidentID"],
+ "additionalProperties": false},
+ "RelatedActivity": {
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "IncidentID": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/IncidentID"},
+ "minItems": 1},
+ "URL": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/URLtype"},
+ "minItems": 1},
+ "ThreatActor": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ThreatActor"},
+ "minItems": 1},
+ "Campaign": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Campaign"},
+ "minItems": 1},
+ "IndicatorID": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/IndicatorID"},
+ "minItems": 1},
+ "Confidence": {"$ref": "#/definitions/Confidence"},
+ "Description": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref": "#/definitions/ExtensionTypeList"}},
+ "additionalProperties": false},
+ "ThreatActor": {
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "ThreatActorID": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "URL": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/URLtype"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "additionalProperties": false},
+ "Campaign": {
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "CampaignID": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "URL": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/URLtype"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}}},
+ "Contact": {
+ "type": "object",
+ "properties": {
+ "role": {
+ "enum":["creator", "reporter", "admin", "tech",
+ "provider", "user", "billing", "legal",
+ "irt", "abuse", "cc", "cc-irt", "leo",
+ "vendor", "vendor-support", "victim",
+ "victim-notified", "ext-value"]},
+ "ext-role": {"type": "string"},
+ "type": {
+ "enum": ["person", "organization", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "ContactName": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "ContactTitle": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "RegistryHandle": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/RegistryHandle"},
+ "minItems": 1},
+ "PostalAddress": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/PostalAddress"},
+ "minItems": 1},
+ "Email": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Email"},
+ "minItems": 1},
+ "Telephone": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Telephone"},
+ "minItems": 1},
+ "Timezone": {"$ref": "#/definitions/TimeZonetype"},
+ "Contact": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Contact"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["role", "type"],
+ "additionalProperties": false},
+ "RegistryHandle": {
+ "type": "object",
+ "properties": {
+ "handle": {"type": "string"},
+ "registry": {
+ "enum": ["internic", "apnic", "arin", "lacnic",
+ "ripe", "afrinic", "local", "ext-value"]},
+ "ext-registry": {"type": "string"}},
+ "required": ["handle", "registry"],
+ "additionalProperties": false},
+ "PostalAddress": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum": ["street", "mailing", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "PAddress": {"$ref": "#/definitions/PAddressType"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["PAddress"],
+ "additionalProperties": false},
+ "Email": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum":["direct", "hotline", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "EmailTo": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["EmailTo"],
+ "additionalProperties": false},
+ "Telephone": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "enum":["wired", "mobile", "fax", "hotline",
+ "ext-value"]},
+ "ext-type": {"type": "string"},
+ "TelephoneNumber": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["TelephoneNumber"],
+ "additionalProperties": false},
+ "Discovery": {
+ "type": "object",
+ "properties": {
+ "source": {
+ "enum":["nidps", "hips", "siem", "av",
+ "third-party-monitoring", "incident", "os-log",
+ "application-log", "device-log", "network-flow",
+ "passive-dns", "investigation", "audit",
+ "internal-notification", "external-notification",
+ "leo", "partner", "actor", "unknown", "ext-value"]},
+ "ext-source": {"type": "string"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Contact": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Contact"},
+ "minItems": 1},
+ "DetectionPattern": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/DetectionPattern"},
+ "minItems": 1}},
+ "required": [],
+ "additionalProperties": false},
+ "DetectionPattern": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Application": {"$ref": "#/definitions/SoftwareType"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "DetectionConfiguration": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1}},
+ "allOf": [
+ {"required": ["Application"]},
+ {"oneOf": [
+ {"required":["Description"]},
+ {"required":["DetectionConfiguration"]}]}],
+ "additionalProperties": false},
+ "Method": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Reference"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "AttackPattern": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
+ "minItems": 1},
+ "Vulnerability": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
+ "minItems": 1},
+ "Weakness": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": [],
+ "additionalProperties": false},
+ "Reference": {
+ "type": "object",
+ "properties": {
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "ReferenceName": {
+ "$ref":"#/definitions/ReferenceName"},
+ "URL":{
+ "type":"array",
+ "items":{"$ref":"#/definitions/URLtype"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": [],
+ "additionalProperties": false},
+ "ReferenceName" : {
+ "type": "object",
+ "properties": {
+ "specIndex": {"type": "number"},
+ "ID": {"$ref":"#/definitions/IDtype"}},
+ "required": ["specIndex", "ID"],
+ "additionalProperties": false},
+ "Assessment": {
+ "type": "object",
+ "properties": {
+ "occurrence": {"enum":["actual", "potential"]},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "IncidentCategory": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Impact": {
+ "type": "array",
+ "items": {
+ "properties": {
+ "SystemImpact":{
+ "$ref":"#/definitions/SystemImpact"},
+ "BusinessImpact":{
+ "$ref":"#/definitions/BusinessImpact"},
+ "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
+ "MonetaryImpact":{
+ "$ref":"#/definitions/MonetaryImpact"},
+ "IntendedImpact":{
+ "$ref":"#/definitions/BusinessImpact"}},
+ "additionalProperties":false},
+ "minItems" : 1
+ },
+ "Counter": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Counter"},
+ "minItems": 1},
+ "MitigatingFactor": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Cause": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Confidence": {"$ref": "#/definitions/Confidence"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["Impact"],
+ "additionalProperties": false},
+ "SystemImpact": {
+ "type": "object",
+ "properties": {
+ "severity": {"enum":["low", "medium", "high"]},
+ "completion": {"enum":["failed", "succeeded"]},
+ "type": {
+ "enum":["takeover-account", "takeover-service",
+ "takeover-system", "cps-manipulation", "cps-damage",
+ "availability-data", "availability-account",
+ "availability-service", "availability-system",
+ "damaged-system", "damaged-data",
+ "breach-proprietary", "breach-privacy",
+ "breach-credential", "breach-configuration",
+ "integrity-data", "integrity-configuration",
+ "integrity-hardware", "traffic-redirection",
+ "monitoring-traffic", "monitoring-host",
+ "policy", "unknown", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["type"],
+ "additionalProperties": false},
+ "BusinessImpact": {
+ "type": "object",
+ "properties": {
+ "severity": {"enum":["none", "low", "medium", "high",
+ "unknown", "ext-value"], "default": "unknown"},
+ "ext-severity": {"type":"string"},
+ "type": {"enum":["breach-proprietary",
+ "breach-privacy", "breach-credential",
+ "loss-of-integrity", "loss-of-service",
+ "theft-financial", "theft-service",
+ "degraded-reputation", "asset-damage",
+ "asset-manipulation", "legal", "extortion",
+ "unknown", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["type"],
+ "additionalProperties": false},
+ "TimeImpact": {
+ "type": "object",
+ "properties": {
+ "value": {"$ref": "#/definitions/PositiveFloatType"},
+ "severity": {"enum": ["low", "medium", "high"]},
+ "metric": {"enum": ["labor", "elapsed", "downtime",
+ "ext-value"]},
+ "ext-metric": {"type": "string"},
+ "duration": {
+ "$ref":"#/definitions/duration", "default": "hour"},
+ "ext-duration": {"type": "string"}},
+ "required": ["value", "metric"],
+ "additionalProperties": false},
+ "MonetaryImpact": {
+ "type": "object",
+ "properties": {
+ "value": {"$ref": "#/definitions/PositiveFloatType"},
+ "severity": {"enum":["low", "medium", "high"]},
+ "currency": {"type": "string"}},
+ "required": ["value"],
+ "additionalProperties": false},
+ "Confidence": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "number"},
+ "rating": {"enum": ["low", "medium", "high", "numeric",
+ "unknown", "ext-value"]},
+ "ext-rating": {"type":"string"}},
+ "required": ["value", "rating"],
+ "additionalProperties": false},
+ "History": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "HistoryItem": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/HistoryItem"},
+ "minItems": 1}},
+ "required": ["HistoryItem"],
+ "additionalProperties": false},
+ "HistoryItem": {
+ "type": "object",
+ "properties": {
+ "action": {
+ "$ref": "#/definitions/action", "default": "other"},
+ "ext-action": {"type": "string"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "DateTime": {"$ref": "#/definitions/DATETIME"},
+ "IncidentID": {"$ref": "#/definitions/IncidentID"},
+ "Contact": {"$ref": "#/definitions/Contact"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "DefinedCOA": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["DateTime", "action"],
+ "additionalProperties": false},
+ "EventData": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Description": {"type": "array",
+ "items": { "$ref":"#/definitions/MLStringType"}},
+ "DetectTime": {"$ref": "#/definitions/DATETIME"},
+ "StartTime": {"$ref": "#/definitions/DATETIME"},
+ "EndTime": {"$ref": "#/definitions/DATETIME"},
+ "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
+ "ReportTime": {"$ref": "#/definitions/DATETIME"},
+ "Contact": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Contact"},
+ "minItems": 1},
+ "Discovery": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Discovery"},
+ "minItems": 1},
+ "Assessment": {"$ref": "#/definitions/Assessment"},
+ "Method": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Method"},
+ "minItems": 1},
+ "System": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/System"},
+ "minItems": 1},
+ "Expectation": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Expectation"},
+ "minItems": 1},
+ "RecordData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/RecordData"},
+ "minItems": 1},
+ "EventData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/EventData"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": [],
+ "additionalProperties": false},
+ "Expectation": {
+ "type": "object",
+ "properties": {
+ "action": {
+ "$ref":"#/definitions/action", "default": "other"},
+ "ext-action": {"type": "string"},
+ "severity": {"enum": ["low", "medium", "high"]},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "default"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "DefinedCOA": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "StartTime": {"$ref": "#/definitions/DATETIME"},
+ "EndTime": {"$ref": "#/definitions/DATETIME"},
+ "Contact": {"$ref": "#/definitions/Contact"}},
+ "required": [],
+ "additionalProperties": false},
+ "System": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "enum": ["source", "target", "intermediate", "sensor",
+ "infrastructure", "ext-value"]},
+ "ext-category": {"type": "string"},
+ "interface": {"type": "string"},
+ "spoofed": {
+ "enum": ["unknown", "yes", "no"], "default":"unknown"},
+ "virtual": {
+ "enum": ["yes", "no", "unknown"], "default":"unknown"},
+ "ownership": {
+ "enum":["organization", "personal", "partner",
+ "customer", "no-relationship", "unknown",
+ "ext-value"]},
+ "ext-ownership": {"type": "string"},
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Node": {"$ref": "#/definitions/Node"},
+ "NodeRole": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/NodeRole"},
+ "minItems": 1},
+ "Service": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Service"},
+ "minItems": 1},
+ "OperatingSystem": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/SoftwareType"},
+ "minItems": 1},
+ "Counter": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Counter"},
+ "minItems": 1},
+ "AssetID": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["Node"],
+ "additionalProperties": false},
+ "Node": {
+ "type": "object",
+ "properties": {
+ "DomainData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/DomainData"},
+ "minItems": 1},
+ "Address": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Address"},
+ "minItems": 1},
+ "PostalAddress": {
+ "$ref": "#/definitions/PostalAddress"},
+ "Location": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Counter": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/Counter"},
+ "minItems": 1}},
+ "anyOf": [
+ {"required": ["DomainData"]},
+ {"required": ["Address"]}
+ ],
+ "additionalProperties": false},
+ "Address": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "category": {
+ "enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
+ "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
+ "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
+ "ext-value"], "default": "ipv6-addr"},
+ "ext-category": {"type": "string"},
+ "vlan-name": {"type": "string"},
+ "vlan-num": {"type": "number"},
+ "observable-id": {"$ref": "#/definitions/IDtype"}},
+ "required": ["value", "category"],
+ "additionalProperties": false},
+ "NodeRole": {
+ "type": "object",
+ "properties": {
+ "category": {
+ "enum":["client", "client-enterprise",
+ "client-partner", "client-remote", "client-kiosk",
+ "client-mobile", "server-internal", "server-public",
+ "www", "mail", "webmail", "messaging", "streaming",
+ "voice", "file", "ftp", "p2p", "name", "directory",
+ "credential", "print", "application", "database",
+ "backup", "dhcp", "assessment", "source-control",
+ "config-management", "monitoring", "infra",
+ "infra-firewall", "infra-router", "infra-switch",
+ "camera", "proxy", "remote-access", "log",
+ "virtualization", "pos", "scada",
+ "scada-supervisory", "sinkhole", "honeypot",
+ "anomyzation", "c2-server", "malware-distribution",
+ "drop-server", "hop-point", "reflector",
+ "phishing-site", "spear-phishing-site",
+ "recruiting-site", "fraudulent-site",
+ "ext-value"]},
+ "ext-category": {"type": "string"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["category"],
+ "additionalProperties": false},
+ "Counter": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "number"},
+ "type": {
+ "enum": ["count", "peak", "average", "ext-value"]},
+ "ext-type": {"type": "string"},
+ "unit":{"enum":["byte", "mbit", "packet", "flow",
+ "session", "alert", "message", "event", "host",
+ "site", "organization", "ext-value"]},
+ "ext-unit": {"type": "string"},
+ "meaning": {"type": "string"},
+ "duration": {
+ "$ref":"#/definitions/duration", "default": "hour"},
+ "ext-duration": {"type": "string"}},
+ "required": ["value", "type", "unit"],
+ "additionalProperties": false},
+ "DomainData": {
+ "type": "object",
+ "properties": {
+ "system-status": {
+ "enum": ["spoofed", "fraudulent", "innocent-hacked",
+ "innocent-hijacked", "unknown", "ext-value"]},
+ "ext-system-status": {"type": "string"},
+ "domain-status": {
+ "enum": [ "reservedDelegation", "assignedAndActive",
+ "assignedAndInactive", "assignedAndOnHold",
+ "revoked", "transferPending",
+ "registryLock", "registrarLock",
+ "other", "unknown", "ext-value"]},
+ "ext-domain-status": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Name": {"type": "string"},
+ "DateDomainWasChecked": {
+ "$ref": "#/definitions/DATETIME"},
+ "RegistrationDate": {
+ "$ref": "#/definitions/DATETIME"},
+ "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
+ "RelatedDNS": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ExtensionType"},
+ "minItems": 1},
+ "NameServers": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/NameServers"},
+ "minItems": 1},
+ "DomainContacts": {
+ "$ref": "#/definitions/DomainContacts"}},
+ "required": ["Name", "system-status", "domain-status"],
+ "additionalProperties": false},
+ "NameServers": {
+ "type": "object",
+ "properties": {
+ "Server": {"type": "string"},
+ "Address": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/Address"},
+ "minItems": 1}},
+ "required": ["Server", "Address"],
+ "additionalProperties": false},
+ "DomainContacts": {
+ "type": "object",
+ "properties": {
+ "SameDomainContact": {"type": "string"},
+ "Contact": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/Contact"},
+ "minItems": 1}},
+ "oneOf": [
+ {"required": ["SameDomainContact"]},
+ {"required": ["Contact"]}],
+ "additionalProperties": false},
+ "Service": {
+ "type": "object",
+ "properties": {
+ "ip-protocol": {"type": "number"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "ServiceName": {"$ref": "#/definitions/ServiceName"},
+ "Port": {"type": "number"},
+ "Portlist": {"$ref": "#/definitions/PortlistType"},
+ "ProtoCode": {"type": "number"},
+ "ProtoType": {"type": "number"},
+ "ProtoField": {"type": "number"},
+ "ApplicationHeaderField":{
+ "$ref":"#/definitions/ExtensionTypeList"},
+ "EmailData": {"$ref": "#/definitions/EmailData"},
+ "Application": {
+ "$ref": "#/definitions/SoftwareType"}},
+ "required": [],
+ "additionalProperties": false},
+ "ServiceName": {
+ "type": "object",
+ "properties": {
+ "IANAService": {"type": "string"},
+ "URL": {
+ "type": "array", "items": {
+ "$ref": "#/definitions/URLtype"}},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": [],
+ "additionalProperties": false},
+ "EmailData": {
+ "type": "object",
+ "properties": {
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "EmailTo": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "EmailFrom": {"type": "string"},
+ "EmailSubject": {"type": "string"},
+ "EmailX-Mailer": {"type": "string"},
+ "EmailHeaderField": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ExtensionType"},
+ "minItems": 1},
+ "EmailHeaders": {"type": "string"},
+ "EmailBody": {"type": "string"},
+ "EmailMessage": {"type": "string"},
+ "HashData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/HashData"},
+ "minItems": 1},
+ "Signature": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/BYTE"},
+ "minItems": 1}},
+ "required": [],
+ "additionalProperties": false},
+ "RecordData": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "DateTime": {"$ref": "#/definitions/DATETIME"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "Application": {"$ref": "#/definitions/SoftwareType"},
+ "RecordPattern": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/RecordPattern"},
+ "minItems": 1},
+ "RecordItem": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ExtensionType"},
+ "minItems": 1},
+ "URL": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/URLtype"},
+ "minItems": 1},
+ "FileData": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/FileData"},
+ "minItems": 1},
+ "WindowsRegistryKeysModified": {
+ "type": "array",
+ "items": {
+ "$ref":"#/definitions/WindowsRegistryKeysModified"},
+ "minItems": 1},
+ "CertificateData": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/CertificateData"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": [],
+ "additionalProperties": false},
+ "RecordPattern": {
+ "type": "object",
+ "properties": {
+ "value": {"type": "string"},
+ "type": {
+ "enum": ["regex", "binary", "xpath", "ext-value"],
+ "default": "regex"},
+ "ext-type": {"type": "string"},
+ "offset": {"type": "number"},
+ "offsetunit": {"enum":["line", "byte", "ext-value"] ,
+ "default": "line"},
+ "ext-offsetunit": {"type": "string"},
+ "instance": {"type": "number"}},
+ "required": ["value", "type"],
+ "additionalProperties": false},
+ "WindowsRegistryKeysModified": {
+ "type": "object",
+ "properties": {
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Key": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Key"},
+ "minItems": 1}},
+ "required": ["Key"],
+ "additionalProperties": false},
+ "Key": {
+ "type": "object",
+ "properties": {
+ "registryaction": {"enum": ["add-key", "add-value",
+ "delete-key", "delete-value",
+ "modify-key", "modify-value",
+ "ext-value"]},
+ "ext-registryaction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "KeyName": {"type":"string"},
+ "KeyValue": {"type": "string"}},
+ "required": ["KeyName"],
+ "additionalProperties": false},
+ "CertificateData": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "Certificate": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Certificate"},
+ "minItems": 1}},
+ "required": ["Certificate"],
+ "additionalProperties": false},
+ "Certificate": {
+ "type": "object",
+ "properties": {
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "X509Data": {"$ref": "#/definitions/BYTE"},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1}},
+ "required": ["X509Data"],
+ "additionalProperties": false},
+ "FileData": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction"},
+ "ext-restriction": {"type": "string"},
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "File": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/File"},
+ "minItems": 1}},
+ "required": ["File"],
+ "additionalProperties": false},
+ "File": {
+ "type": "object",
+ "properties": {
+ "observable-id": {"$ref": "#/definitions/IDtype"},
+ "FileName": {"type": "string"},
+ "FileSize": {"type": "number"},
+ "FileType": {"type": "string"},
+ "URL": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/URLtype"},
+ "minItems": 1},
+ "HashData": {"$ref": "#/definitions/HashData"},
+ "Signature": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/BYTE"},
+ "minItems": 1},
+ "AssociatedSoftware": {
+ "$ref": "#/definitions/SoftwareType"},
+ "FileProperties": {
+ "type":"array",
+ "items":{"$ref":"#/definitions/ExtensionType"},
+ "minItems": 1}},
+ "required": [],
+ "additionalProperties": false},
+ "HashData": {
+ "type": "object",
+ "properties": {
+ "scope": {"enum": ["file-contents", "file-pe-section",
+ "file-pe-iat", "file-pe-resource", "file-pdf-object",
+ "email-hash", "email-headers-hash", "email-body-hash",
+ "ext-value"]},
+ "HashTargetID": {"type": "string"},
+ "Hash": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Hash"},
+ "minItems": 1},
+ "FuzzyHash": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/FuzzyHash"},
+ "minItems": 1}},
+ "required": ["scope"],
+ "additionalProperties": false},
+ "Hash": {
+ "type": "object",
+ "properties": {
+ "DigestMethod": {"$ref": "#/definitions/BYTE"},
+ "DigestValue": {"$ref": "#/definitions/BYTE"},
+ "CanonicalizationMethod": {
+ "$ref": "#/definitions/BYTE"},
+ "Application": {
+ "$ref": "#/definitions/SoftwareType"}},
+ "required": ["DigestMethod", "DigestValue"],
+ "additionalProperties": false},
+ "FuzzyHash": {
+ "type": "object",
+ "properties": {
+ "FuzzyHashValue": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/ExtensionType"},
+ "minItems": 1},
+ "Application": {"$ref": "#/definitions/SoftwareType"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["FuzzyHashValue"],
+ "additionalProperties": false},
+ "Indicator": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
+ "AlternativeIndicatorID": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/AlternativeIndicatorID"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "StartTime": {"$ref": "#/definitions/DATETIME"},
+ "EndTime": {"$ref": "#/definitions/DATETIME"},
+ "Confidence": {"$ref": "#/definitions/Confidence"},
+ "Contact": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Contact"},
+ "minItems": 1},
+ "Observable": {"$ref": "#/definitions/Observable"},
+ "uid-ref": {"$ref": "#/definitions/IDREFType"},
+ "IndicatorExpression":{
+ "$ref":"#/definitions/IndicatorExpression"},
+ "IndicatorReference":{
+ "$ref": "#/definitions/IndicatorReference"},
+ "NodeRole": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/NodeRole"},
+ "minItems": 1},
+ "AttackPhase": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/AttackPhase"},
+ "minItems": 1},
+ "Reference": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Reference"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "allOf": [
+ {"required": ["IndicatorID"]},
+ {"oneOf": [
+ {"required":["Observable"]},
+ {"required":["uid-ref"]},
+ {"required":["IndicatorExpression"]},
+ {"required":["IndicatorReference"]}]}],
+ "additionalProperties": false},
+ "IndicatorID": {
+ "type": "object",
+ "properties": {
+ "id": {"type": "string"},
+ "name": {"type": "string"},
+ "version": {"type": "string"}},
+ "required": ["id", "name", "version"],
+ "additionalProperties": false},
+ "AlternativeIndicatorID": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "IndicatorID": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/IndicatorID"},
+ "minItems": 1}},
+ "required": ["IndicatorID"],
+ "additionalProperties": false},
+ "Observable": {
+ "type": "object",
+ "properties": {
+ "restriction": {"$ref": "#/definitions/restriction",
+ "default": "private"},
+ "ext-restriction": {"type": "string"},
+ "System": {"$ref": "#/definitions/System"},
+ "Address": {"$ref": "#/definitions/Address"},
+ "DomainData": {"$ref": "#/definitions/DomainData"},
+ "EmailData": {"$ref": "#/definitions/EmailData"},
+ "Service": {"$ref": "#/definitions/Service"},
+ "WindowsRegistryKeysModified": {
+ "$ref": "#/definitions/WindowsRegistryKeysModified"},
+ "FileData": {"$ref": "#/definitions/FileData"},
+ "CertificateData": {
+ "$ref": "#/definitions/CertificateData"},
+ "RegistryHandle": {
+ "$ref": "#/definitions/RegistryHandle"},
+ "RecordData": {"$ref": "#/definitions/RecordData"},
+ "EventData": {"$ref": "#/definitions/EventData"},
+ "Incident": {"$ref": "#/definitions/Incident"},
+ "Expectation": {"$ref": "#/definitions/Expectation"},
+ "Reference": {"$ref": "#/definitions/Reference"},
+ "Assessment": {"$ref": "#/definitions/Assessment"},
+ "DetectionPattern": {
+ "$ref": "#/definitions/DetectionPattern"},
+ "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
+ "BulkObservable": {
+ "$ref": "#/definitions/BulkObservable"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "oneOf": [
+ {"required":["System"]},
+ {"required":["Address"]},
+ {"required":["DomainData"]},
+ {"required":["EmailData"]},
+ {"required":["Service"]},
+ {"required":["WindowsRegistryKeysModified"]},
+ {"required":["FileData"]},
+ {"required":["CertificateData"]},
+ {"required":["RegistryHandle"]},
+ {"required":["RecordData"]},
+ {"required":["EventData"]},
+ {"required":["Incident"]},
+ {"required":["Expectation"]},
+ {"required":["Reference"]},
+ {"required":["Assessment"]},
+ {"required":["DetectionPattern"]},
+ {"required":["HistoryItem"]},
+ {"required":["BulkObservable"]},
+ {"required":["AdditionalData"]}],
+ "additionalProperties": false},
+ "BulkObservable": {
+ "type": "object",
+ "properties": {
+ "type": {"enum": ["asn", "atm", "e-mail", "ipv4-addr",
+ "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net",
+ "ipv6-net-mask", "mac", "site-uri", "domain-name",
+ "domain-to-ipv4", "domain-to-ipv6",
+ "domain-to-ipv4-timestamp",
+ "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port",
+ "windows-reg-key", "file-hash", "email-x-mailer",
+ "email-subject", "http-user-agent",
+ "http-request-url", "mutex", "file-path", "user-name",
+ "ext-value"]},
+ "ext-type": {"type": "string"},
+ "BulkObservableFormat":{
+ "$ref": "#/definitions/BulkObservableFormat"},
+ "BulkObservableList": {"type": "string"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["BulkObservableList"],
+ "additionalProperties": false},
+ "BulkObservableFormat": {
+ "type": "object",
+ "properties": {
+ "Hash": {"$ref": "#/definitions/Hash"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "oneOf": [
+ {"required": ["Hash"]},
+ {"required": ["AdditionalData"]}
+ ],
+ "additionalProperties": false},
+ "IndicatorExpression": {
+ "type": "object",
+ "properties": {
+ "operator": {
+ "enum": ["not", "and", "or", "xor"], "default": "and"},
+ "ext-operator": {"type": "string"},
+ "IndicatorExpression": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/IndicatorExpression"},
+ "minItems": 1},
+ "Observable": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Observable"},
+ "minItems": 1},
+ "uid-ref": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/IDREFType"},
+ "minItems": 1},
+ "IndicatorReference": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/IndicatorReference"},
+ "minItems": 1},
+ "Confidence": {"$ref":"#/definitions/Confidence"},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": [],
+ "additionalProperties": false},
+ "IndicatorReference": {
+ "type": "object",
+ "properties": {
+ "uid-ref": {"$ref":"#/definitions/IDREFType"},
+ "euid-ref": {"type": "string"},
+ "version": {"type": "string"}},
+ "oneOf": [
+ {"required": ["uid-ref"]},
+ {"required": ["euid-ref"]}
+ ],
+ "additionalProperties": false},
+ "AttackPhase": {
+ "type": "object",
+ "properties": {
+ "AttackPhaseID": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1},
+ "URL": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/URLtype"},
+ "minItems": 1},
+ "Description": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/MLStringType"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": [],
+ "additionalProperties": false}},
+ "title": "IODEF-Document",
+ "description": "JSON schema for IODEF-Document class",
+ "type": "object",
+ "properties": {
+ "version": {"type": "string"},
+ "lang": {"$ref": "#/definitions/lang"},
+ "format-id": {"type": "string"},
+ "private-enum-name": {"type": "string"},
+ "private-enum-id": {"type": "string"},
+ "Incident": {
+ "type": "array",
+ "items": {"$ref": "#/definitions/Incident"},
+ "minItems": 1},
+ "AdditionalData": {
+ "$ref":"#/definitions/ExtensionTypeList"}},
+ "required": ["version", "Incident"],
+ "additionalProperties": false}
+
+ Figure 6: JSON Schema
+
+Acknowledgments
+
+ We would like to thank Henk Birkholz, Carsten Bormann, Benjamin
+ Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their
+ insightful comments on this document and CDDL.
+
+Authors' Addresses
+
+ Takeshi Takahashi
+ National Institute of Information and Communications Technology
+ 4-2-1 Nukui-Kitamachi, Koganei, Tokyo
+ 184-8795
+ Japan
+
+ Phone: +81 42 327 5862
+ Email: takeshi_takahashi@nict.go.jp
+
+
+ Roman Danyliw
+ CERT, Software Engineering Institute, Carnegie Mellon University
+ 4500 Fifth Avenue
+ Pittsburgh, PA
+ United States of America
+
+ Email: rdd@cert.org
+
+
+ Mio Suzuki
+ National Institute of Information and Communications Technology
+ 4-2-1 Nukui-Kitamachi, Koganei, Tokyo
+ 184-8795
+ Japan
+
+ Email: mio@nict.go.jp