draft-ietf-mile-jsoniodef-00.txt   draft-ietf-mile-jsoniodef-01.txt

MILE                                                       T. Takahashi
Internet-Draft                                               M. Suzuki
Intended status: Standards Track                                  NICT
Expires: May 14, 2018                                 November 10, 2017
(draft-00 was dated September 26, 2017 and expired March 30, 2018)

                          JSON binding of IODEF
                       draft-ietf-mile-jsoniodef-01

Abstract

RFC 7970 [RFC7970] provides an XML-based data representation of
incident information, but the use of the IODEF data model is not
limited to XML. A JSON representation is sometimes preferred since it
is easy to handle from certain programming environments. This draft
represents the IODEF data model in JSON. (Draft-00 added that it was
prepared to encourage discussion on the need for a JSON
representation.)

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 14, 2018 (draft-00: March 30,
2018).

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents (draft-01)

1. Introduction
1.1. Requirements Language
2. IODEF Data Types
2.1. Integers
2.2. Real Numbers
2.3. Characters and Strings
2.4. Multilingual Strings
2.5. Binary Strings
2.5.1. Base64 Bytes
2.5.2. Hexadecimal Bytes
2.6. Enumerated Types
2.7. Date-Time String
2.8. Timezone String
2.9. Port Lists
2.10. Postal Address
2.11. Telephone Number
2.12. Email String
2.13. Uniform Resource Locator Strings
2.14. Identifiers and Identifier References
2.15. Software
2.16. StructuredInfo
3. The IODEF Information Model in JSON
3.1. IODEF-Document Class
3.2. Incident Class
3.3. Common Attributes
3.3.1. restriction Attribute
3.3.2. observable-id Attribute
3.4. IncidentID Class
3.5. AlternativeID Class
3.6. RelatedActivity Class
3.7. ThreatActor Class
3.8. Campaign Class
3.9. Contact Class
3.9.1. RegistryHandle Class
3.9.2. PostalAddress Class
3.9.3. Email Class
3.9.4. Telephone Class
3.10. Discovery Class
3.10.1. DetectionPattern Class
3.11. Method Class
3.11.1. Reference Class
3.12. Assessment Class
3.12.1. SystemImpact Class
3.12.2. BusinessImpact Class
3.12.3. TimeImpact Class
3.12.4. MonetaryImpact Class
3.12.5. Confidence Class
3.13. History Class
3.13.1. HistoryItem Class
3.14. EventData Class
3.15. Expectation Class
3.16. System Class
3.17. Node Class
3.17.1. Address Class
3.17.2. NodeRole Class
3.17.3. Counter Class
3.18. DomainData Class
3.18.1. Nameserver Class
3.18.2. DomainContacts Class
3.19. Service Class
3.19.1. ServiceName Class
3.19.2. ApplicationHeader Class
3.20. EmailData Class
3.21. Record Class
3.21.1. RecordData Class
3.21.2. RecordPattern Class
3.22. WindowsRegistryKeysModified Class
3.22.1. Key Class
3.23. CertificateData Class
3.23.1. Certificate Class
3.24. FileData Class
3.24.1. File Class
3.25. HashData Class
3.25.1. Hash Class
3.25.2. FuzzyHash Class
3.26. SignatureData Class
3.27. Indicator Class
3.27.1. IndicatorID Class
3.27.2. AlternativeIndicatorID Class
3.27.3. Observable Class
3.27.4. BulkObservable Class
3.27.5. BulkObservableFormat Class
3.27.6. IndicatorExpression Class
3.27.7. ObservableReference Class
3.27.8. IndicatorReference Class
3.27.9. AttackPhase Class
4. Notable differences from RFC 7970 (to be deleted)
5. Examples
5.1. Minimal Example
5.2. Indicators from a Campaign
6. The IODEF Data Model (JSON Schema)
7. Acknowledgements
8. IANA Considerations
9. Security Considerations
10. References
10.1. Normative References
10.2. Informative References
Authors' Addresses
1. Introduction

RFC 7970 [RFC7970] defines a data model for sharing incident
information. It facilitates automated exchange of information among
parties over networks. The data model can be implemented in the form
of XML, but XML is not always suitable for implementation; a JSON-
based representation is often useful.

Therefore, in this document, we provide a means to represent the
IODEF data model in JSON.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. IODEF Data Types

The IODEF data types defined in RFC 7970 [RFC7970] are used for the
JSON IODEF, with some syntax changes for some of the types.
2.1. Integers

An integer is represented in the information model by the INTEGER
data type. Integer data MUST be encoded in Base 10, and is
implemented as an "integer" type per JSON schema [jsonschema].

2.2. Real Numbers

A real (floating-point) number is represented in the information
model by the REAL data type. Real data MUST be encoded in Base 10,
and is implemented in the data model as a "number" type per JSON
schema [jsonschema].
2.3. Characters and Strings

A single character is represented in the information model by the
CHARACTER data type. A string is represented by the STRING data
type. Characters that are special inside a JSON string (the quotation
mark, the backslash and control characters) MUST be escaped using
JSON string escapes such as \" and \uXXXX; XML entity references have
no meaning in JSON, so "&lt;" in a JSON value is simply four literal
characters. The CHARACTER and STRING data types are implemented in
the data model as a "string" type per JSON schema [jsonschema].
2.4. Multilingual Strings

A string that needs to be represented in a human-readable language
different from the default language of the document is represented in
the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 6. An example is shown below.
"MLStringType": {
"value": "free-form text", //STRING
"lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING
}
2.5. Binary Strings
2.5.1. Base64 Bytes
A binary octet encoded with base64 is represented in the information
model by the BYTE data type. A sequence of these octets is of the
BYTE[] data type. The BYTE and BYTE[] data types are implemented in
the data model as a "string" type per JSON schema [jsonschema].

2.5.2. Hexadecimal Bytes

A binary octet encoded as a character tuple consisting of two
hexadecimal digits is represented in the information model by the
HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
type. The HEXBIN and HEXBIN[] data types are implemented in the data
model as a "string" type per JSON schema [jsonschema].
2.6. Enumerated Types
An enumerated type is represented in the information model by the
ENUM data type. It is an ordered list of acceptable string values.
Each value has a representative keyword. The ENUM data type is
implemented in the data model as values of an enum array per JSON
schema [jsonschema].
2.7. Date-Time String

A date-time string that describes a particular instant in time is
represented in the information model by the DATETIME data type.
Ranges are not supported. The DATETIME data type is implemented in
the data model as a "string" type per JSON schema [jsonschema].

2.8. Timezone String

A timezone offset from UTC is represented in the information model by
the TIMEZONE data type. It is formatted according to the following
regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The
TIMEZONE data type is implemented in the data model as a "string"
type per JSON schema [jsonschema].

2.9. Port Lists

A list of network ports is represented in the information model by
the PORTLIST data type. A PORTLIST consists of a comma-separated
list of numbers and ranges (N-M means ports N through M, inclusive).
It is formatted according to the following regular expression:
"\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
"2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in
the data model as a "string" type per JSON schema [jsonschema]. Note
that the regular expression constrains syntax only; it accepts
reversed ranges such as "10-5" and numbers above 65535, so a consumer
still has to check the values.
2.10. Postal Address
A postal address is represented in the information model by the
POSTAL data type. The format of the POSTAL data type is documented
in Section 2.23 of [RFC4519] as a free-form multi-line string
separated by the "$" character. The POSTAL data type is implemented
in the data model as the aforementioned ML_STRING type.
2.11. Telephone Number

A telephone number is represented in the information model by the
PHONE data type. The format of the PHONE data type is documented in
[E.164]. The PHONE data type is implemented in the data model as a
"string" type per JSON schema [jsonschema].

2.12. Email String

An email address is represented in the information model by the EMAIL
data type. The format of the EMAIL data type is documented in
Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL
data type is implemented in the data model as a "string" type per
JSON schema [jsonschema].

2.13. Uniform Resource Locator Strings

A uniform resource locator (URL) is represented in the information
model by the URL data type. The format of the URL data type is
documented in [RFC3986]. The URL data type is implemented as a
"string" type per JSON schema [jsonschema].

2.14. Identifiers and Identifier References

An identifier unique to the IODEF document is represented in the
information model by the ID data type. A reference to this
identifier is represented by the IDREF data type. These data types
are implemented in the model as a "string" type per JSON schema
[jsonschema].
2.15. Software
A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", and
"Description" elements as defined in Section 6. Examples are shown
below.
"SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference
"Description": {"value":"MS Windows"} //ML_STRING
}
2.16. StructuredInfo

Information provided in the form of a structured string, such as an
ID, or of structured information, such as an XML document, is
represented in the information model by the StructuredInfo data
type. Note that this type was originally specified in RFC 7203. The
StructuredInfo data type is implemented as an object with "SpecID",
"ext-SpecID", "ContentID", "RawData" and "Reference" elements. An
example for embedding a structured ID is shown below.

"StructuredInformation": {
"SpecID": "cve", //ENUM
"ContentID": "CVE-2007-5000" //STRING
}

When embedding raw data, the data should be base64-encoded (it is
carried as a BYTE[] string, see Section 2.5.1), as shown below.

"StructuredInformation": {
"SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>" //STRING
}
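All of the scalar types above travel as JSON strings, so a consumer has to apply the Section 2 rules itself rather than rely on the JSON parser. The following Python module is an added example, not code from this draft or from any IODEF implementation: it checks TIMEZONE and PORTLIST values with the regular expressions given in Sections 2.8 and 2.9, expands a PORTLIST into the ports it names while rejecting the semantically bad lists the regex alone accepts, validates HEXBIN and base64 BYTE[] strings (Section 2.5) and a DATETIME instant (Section 2.7), and builds a StructuredInfo object with base64-encoded RawData (Section 2.16). The function names, the hex and datetime checks (Python's ISO 8601 parser stands in for the RFC 7970 DATETIME grammar) and the sample values are this example's own choices.

```python
"""Validators for the IODEF JSON scalar types of Section 2.

Added example, not part of draft-ietf-mile-jsoniodef. Only the
TIMEZONE and PORTLIST regular expressions come from the draft
(Sections 2.8 and 2.9); everything else is this example's own.
"""
from __future__ import annotations

import base64
import re
from datetime import datetime

# Section 2.8: "Z" or a +/-HH:MM offset with hours 00..14.
TIMEZONE_RE = re.compile(r"^(Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$")
# Section 2.9: comma-separated port numbers and N-M ranges.
PORTLIST_RE = re.compile(r"^\d+(\-\d+)?(,\d+(\-\d+)?)*$")
# Section 2.5.2: a sequence of two-hex-digit tuples (assumed: empty allowed).
HEXBIN_RE = re.compile(r"^([0-9a-fA-F]{2})*$")


def is_timezone(s: str) -> bool:
    return bool(TIMEZONE_RE.match(s))


def expand_portlist(s: str) -> list[int]:
    """Expand a PORTLIST into the sorted set of ports it names.

    Raises ValueError for strings the regex accepts but which are not
    usable port lists: a reversed range (N > M) or a port above 65535.
    """
    if not PORTLIST_RE.match(s):
        raise ValueError(f"not a PORTLIST: {s!r}")
    ports: set[int] = set()
    for item in s.split(","):
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if lo_n > hi_n or hi_n > 65535:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return sorted(ports)


def portlist_is_valid(s: str) -> bool:
    """True only if the string is syntactically and semantically a PORTLIST."""
    try:
        expand_portlist(s)
    except ValueError:
        return False
    return True


def is_hexbin(s: str) -> bool:
    return bool(HEXBIN_RE.match(s))


def decode_bytes_b64(s: str) -> bytes:
    """Decode a BYTE[] value; validate=True rejects non-alphabet characters."""
    return base64.b64decode(s, validate=True)


def is_datetime(s: str) -> bool:
    """DATETIME: one instant with an explicit zone; ranges are not supported."""
    try:
        dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    except ValueError:
        return False
    return dt.tzinfo is not None


def structured_info(spec_id: str, raw: bytes) -> dict:
    """Build a StructuredInfo object with base64-encoded RawData (Section 2.16)."""
    return {"SpecID": spec_id,
            "RawData": base64.b64encode(raw).decode("ascii")}


if __name__ == "__main__":
    # Constructed sample values, taken from the draft's own examples.
    print(is_timezone("+09:00"), expand_portlist("2,5-15,30,32,40-50,55-60"))
    print(structured_info("oval", b"<oval/>"))
```

The point of `expand_portlist` is the gap between a JSON Schema "pattern" constraint and the meaning of the value: "10-5" and "70000" both satisfy the Section 2.9 regex, so a validator that stops at the pattern will accept them; the expansion step is where a consumer catches them.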
3. The IODEF Information Model in JSON

The data model of IODEF is defined in RFC 7970 [RFC7970], and this
section illustrates its representation in JSON. Note that the
complete JSON schema is defined in Section 6. The JSON representation
in this draft treats attributes and elements of each class defined in
RFC 7970 [RFC7970] equally and is agnostic on the order of their
appearance. In the "Class elements" lists that follow, an unmarked
element is required, "?" marks an optional element, "*" zero or more
and "+" one or more; in the examples, elements that may repeat are
written as JSON arrays.

3.1. IODEF-Document Class

This class is the top level class in the IODEF data model. Its class
elements and an example are shown below. See Section 3.1 of RFC 7970
[RFC7970] for the intended meanings of these elements.

Class elements:

version, lang?, format-id?, private-enum-name?, private-enum-id?,
Incident+, AdditionalData*

Example:

"IODEF-Document": {
"version": "2.1", //STRING
"lang": "en", //ENUM
"format-id": "RFC7970-json", //STRING
"Incident": [ ... ] //Incident
}
3.2. Incident Class

The Incident class describes commonly exchanged information when
reporting or sharing derived analysis from security incidents. Its
class elements and an example are shown below. See Section 3.2 of
RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
ext-restriction?, observable-id?, IncidentID, AlternativeID?,
RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
ReportTime?, GenerationTime?, Description*, Discovery*, Assessment*,
Method*, Contact+, EventData*, IndicatorData?, History?,
AdditionalData*

Example:

"Incident": {
"purpose": "reporting", //ENUM
"lang": "en", //ENUM
"restriction": "green", //ENUM
"IncidentID": { ... }, //IncidentID Class
"RelatedActivity": [ ... ], //RelatedActivity Class
"GenerationTime": "2015-10-02T11:18:00-05:00", //DATETIME
"Description": [{"value":"Incident in the HQ"}], //ML_STRING
"Assessment": [ ... ], //Assessment
"Method": [ ... ], //Method
"Contact": [ ... ], //Contact
"EventData": [ ... ], //EventData
"IndicatorData": { ... }, //IndicatorData
"History": { ... }, //History
"AdditionalData": [ ... ] //AdditionalData
}
3.3. Common Attributes

There are a number of recurring attributes used in the information
model. They are documented in this section.

3.3.1. restriction Attribute

RFC 7970 [RFC7970] defines the restriction attribute as one of the
common attributes. It is defined as below:

"restriction": {"enum": ["public", "partner", "need-to-know", "private",
"default", "white", "green", "amber", "red", "ext-value"]}

Note that the "ext-restriction" field (STRING type) must be used when
the value of the "restriction" field is set to "ext-value", and has
no meaning otherwise. An example of the use of the "ext-restriction"
field is shown below.

"restriction": "ext-value", // ENUM
"ext-restriction": "registration required" // STRING
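The "Class elements" lists give the cardinality rules a validator has to enforce, and the restriction rule above is a cross-field constraint (ext-restriction is required exactly when restriction is "ext-value") that an enum alone cannot express. The Python below is an added example, not code from this draft: it builds the smallest document that the rules of Sections 3.1, 3.2 and 3.4 accept and checks the required elements, the one-or-more arrays ("Incident+", "Contact+"), the ML_STRING object form of Section 2.4 and the ext-restriction rule before serialising. The checker, its function names and the sample values are this example's own, and it covers only the rules listed on this page, not the full schema of Section 6.

```python
"""Build and check a minimal IODEF-Document in JSON.

Added example, not code from draft-ietf-mile-jsoniodef. Element names
and the required/"?"/"*"/"+" markers are taken from the "Class
elements" lists of Sections 3.1, 3.2 and 3.4; the checks are this
example's own reading of them.
"""
from __future__ import annotations

import json

# Section 3.3.1 enum, verbatim.
RESTRICTION = ["public", "partner", "need-to-know", "private", "default",
               "white", "green", "amber", "red", "ext-value"]


def ml_string(value: str, lang: str | None = None) -> dict:
    """ML_STRING (Section 2.4) is an object, never a bare JSON string."""
    s = {"value": value}
    if lang:
        s["lang"] = lang
    return s


def check_restriction(obj: dict, where: str) -> list[str]:
    """Section 3.3.1: ext-restriction present iff restriction == ext-value."""
    errs = []
    r = obj.get("restriction")
    if r is not None and r not in RESTRICTION:
        errs.append(f"{where}: restriction {r!r} not in enum")
    if r == "ext-value" and "ext-restriction" not in obj:
        errs.append(f"{where}: restriction is ext-value but ext-restriction missing")
    if r != "ext-value" and "ext-restriction" in obj:
        errs.append(f"{where}: ext-restriction given without restriction=ext-value")
    return errs


def check_incident(inc: dict, where: str) -> list[str]:
    errs = []
    for req in ("purpose", "IncidentID"):        # unmarked in Section 3.2
        if req not in inc:
            errs.append(f"{where}: missing {req}")
    iid = inc.get("IncidentID", {})
    for req in ("id", "name"):                   # unmarked in Section 3.4
        if req not in iid:
            errs.append(f"{where}.IncidentID: missing {req}")
    if not inc.get("Contact"):                   # Contact+ : a non-empty array
        errs.append(f"{where}: Contact+ requires at least one Contact")
    for i, d in enumerate(inc.get("Description", [])):
        if not isinstance(d, dict) or "value" not in d:
            errs.append(f"{where}.Description[{i}]: ML_STRING must be an object with 'value'")
    errs += check_restriction(inc, where)
    errs += check_restriction(iid, where + ".IncidentID")
    return errs


def check_document(doc: dict) -> list[str]:
    """Return the list of violations; an empty list means the document passes."""
    top = doc.get("IODEF-Document")
    if not isinstance(top, dict):
        return ["top-level object must be IODEF-Document"]
    errs = []
    if "version" not in top:                     # unmarked in Section 3.1
        errs.append("IODEF-Document: missing version")
    incidents = top.get("Incident")
    if not incidents:                            # Incident+ : a non-empty array
        errs.append("IODEF-Document: Incident+ requires at least one Incident")
        return errs
    for i, inc in enumerate(incidents):
        errs += check_incident(inc, f"Incident[{i}]")
    return errs


def minimal_document() -> dict:
    """Smallest document the checks accept; the values are constructed."""
    return {"IODEF-Document": {
        "version": "2.0",
        "lang": "en",
        "Incident": [{
            "purpose": "reporting",
            "restriction": "green",
            "IncidentID": {"id": "nict20150518-0001", "name": "NICT_cert"},
            "Description": [ml_string("Incident in the HQ", "en")],
            "Contact": [{"role": "creator", "type": "organization",
                         "ContactName": [ml_string("CSIRT for example.com")]}],
        }],
    }}


def to_json(doc: dict) -> str:
    """Serialise only after the checks pass (the //TYPE comments in the
    draft's examples are annotations, not JSON, and are never emitted)."""
    errs = check_document(doc)
    if errs:
        raise ValueError("; ".join(errs))
    return json.dumps(doc, ensure_ascii=False, separators=(",", ":"))


def roundtrip(doc: dict) -> dict:
    return json.loads(to_json(doc))
```

Running `check_document` before `json.dumps` is the habit that matters: JSON itself will happily carry an Incident with no Contact, a Description that is a bare string, or an "ext-value" restriction with no ext-restriction, and a receiving CSIRT tool is left to guess what the sender meant.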
3.3.2. observable-id Attribute

RFC 7970 [RFC7970] defines the observable-id attribute as one of the
common attributes. The value of this attribute is a unique
identifier, in string type, in the scope of the document. It is
defined as below:

"observable-id": {"type": "string"}

3.4. IncidentID Class

The class elements and an example are shown below. See Section 3.4
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

id, name, instance?, restriction?, ext-restriction?

Example:

"IncidentID": {
"id": "nict20150518-0001", // STRING
"name": "NICT_cert", // STRING
"instance": "cyberlab", // STRING
"restriction": "ext-value", // ENUM
"ext-restriction": "registration required" // STRING
}
3.5. AlternativeID Class

The class elements and an example are shown below. See Section 3.5
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

restriction?, ext-restriction?, IncidentID+

Example:

"AlternativeID": {
"restriction": "private", //ENUM
"IncidentID": [<<<omitted>>>] //IncidentID
}
3.6. RelatedActivity Class

The class elements and an example are shown below. See Section 3.6
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

Example:

"RelatedActivity": {
"restriction": "private", //ENUM
"ThreatActor": [{...}], //ThreatActor class
"Campaign": [{...}] //Campaign class
}
3.7. ThreatActor Class

The class elements and an example are shown below. See Section 3.7
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
AdditionalData*

Example:

"ThreatActor": {
"ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING
"Description": {"value":"Aggressive Butterfly"} //ML_STRING
}
3.8. Campaign Class

The class elements and an example are shown below. See Section 3.8
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

restriction?, ext-restriction?, CampaignID*, URL*, Description*,
AdditionalData*

Example:

"Campaign": {
"CampaignID": "C-2015-59405", //STRING
"Description": {"value":"Orange Giraffe"} //ML_STRING
}

3.9. Contact Class

The class elements and an example are shown below. See Section 3.9
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
ContactName*, ContactTitle*, Description*, RegistryHandle*,
PostalAddress*, Email*, Telephone*, Timezone?, Contact*,
AdditionalData*

Example:

"Contact": {
"role": "creator", //ENUM
"type": "organization", //ENUM
"ContactName": {"value":"CSIRT for example.com"}, //ML_STRING
"ContactTitle": {"value":"Senior Research Engineer"}, //ML_STRING
"Email": {...}, //Email Class
"Telephone": {...}, //Telephone Class
"Timezone": "+09:00" //TIMEZONE
}

3.9.1. RegistryHandle Class

The class elements and an example are shown below. See Section 3.9.1
of RFC 7970 [RFC7970] for the intended meanings of these elements.

Class elements:

Example (from draft-00):

"RegistryHandle": {
"RegistryHandleName": "MyAPNIC", //STRING
"registry": "apnic" //ENUM
}

3.9.2. PostalAddress Class

This class is defined in Section 3.9.2 of RFC 7970 [RFC7970]. The
example below, adapted from draft-00 to the ML_STRING object form of
Section 2.4, shows how to describe this class in JSON.

"PostalAddress": {
"type": "mailing", //ENUM
"PAddress": {"value":"184-8795"}, //POSTAL
"Description": {"value":"4-2-1 Nukui-Kitamachi Koganei Tokyo, Japan"} //ML_STRING
}

3.9.3. Email Class

This class is defined in Section 3.9.3 of RFC 7970 [RFC7970]. The
example below (from draft-00) shows how to describe this class in
JSON.

"Email": {
"emailTo": "contact@csirt.example.com" //EMAIL
}
2.9.4. Telephone Class handle, registry, ext-registry?
This class is defined in Section 3.9.4 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"Telephone": { "RegistryHandle": {
"TelephoneNumber": "+81423275862" "handle": "MyAPNIC", //STRING
}, "registry": "apnic", //ENUM
}
Figure 15: Telephone Class in JSON 3.9.2. PostalAddress Class
2.10. Discovery Class The class elements and an example are shown below. See Section 3.9.2
of RFC 7970 [RFC7970] for the intended meanings of these elements.
This class is defined in Section 3.10 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"Discovery": { type?, ext-type?, PAddress, Description*
"DetectionPattern": {
"Application": {
"Description": "Microsoft Win"
}
}
}
Figure 16: Discovery Class in JSON Example:
2.10.1. DetectionPattern Class "PostalAddress": {
"type": "mailing", //ENUM
"PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL
"Description": {"value":"Office address"} //ML_STRING
},
This class is defined in Section 3.10.1 of RFC 7970 [RFC7970]. The 3.9.3. Email Class
example below represents how to describe this class in JSON.
"DetectionPattern": { The class elements and an example are shown below. See Section 3.9.3
"Application": { of RFC 7970 [RFC7970] for the intended meanings of these elements.
"Description": "Microsoft Win"
}
}
Figure 17: DetectionPattern Class in JSON Class elements:
2.11. Method Class type?, ext-type?, EmailTo, Description*
This class is defined in Section 3.11 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"Method": { "Email": {
"Vulnerability": {} "type": "direct", //ENUM
} "emailTo": "contact@csirt.example.com", //EMAIL
"Description": {"value":"Administrator's address"} //ML_STRING
},
Figure 18: Method Class in JSON 3.9.4. Telephone Class
2.11.1. Reference Class The class elements and an example are shown below. See Section 3.9.4
of RFC 7970 [RFC7970] for the intended meanings of these elements.
This class is defined in Section 3.11.1 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"Reference":{ type?, ext-type?, TelephoneNumber, Description*
"URL":"http://www.nict.go.jp"
}
Figure 19: Reference Class in JSON Example:
2.12. Assessment Class "Telephone": {
"type": "wired", //ENUM
"TelephoneNumber": "+818012345678", //PHONE
"Description": {"value":"Admin's moble"} //ML_STRING
},
This class is defined in Section 3.12 of RFC 7970 [RFC7970]. The 3.10. Discovery Class
example below represents how to describe this class in JSON.
"Assessment": { The class elements and an example are shown below. See Section 3.10
"BusinessImpact": { of RFC 7970 [RFC7970] for the intended meanings of these elements.
"type": "breach-proprietary"
}
}
Figure 20: Assessment Class in JSON Class elements:
2.12.1. SystemImpact Class source?, ext-source?, restriction?, ext-restriction?, Description*,
Contact*, DetectionPattern*
This class is defined in Section 3.12.1 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"SystemImpact":{ "Discovery": {
"severity":"low", "source": "nidps", //ENUM
"type":"unknown" "restriction": "need-to-know" //ENUM
}, "Contact": {...}, //Contact class
"DetectionPattern": {...}, //DetectionPattern class
"Description":{"value":"IDS provided an alert"} //ML_STRING
}
}
Figure 21: SystemImpact Class in JSON 3.10.1. DetectionPattern Class
2.12.2. BusinessImpact Class The class elements and an example are shown below. See
Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
This class is defined in Section 3.12.2 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"BusinessImpact": { restriction?, ext-restriction?, observable-id?, Application,
"type": "breach-proprietary" Description*, DetectionConfiguration*
}
Figure 22: BusinessImpact Class in JSON Example:
2.12.3. TimeImpact Class "DetectionPattern": {
"Application": {...}, //SOFTWARE
"Description": {"value":"The specified application
needs to be reviewed"}, //ML_STRING
}
}
This class is defined in Section 3.12.3 of RFC 7970 [RFC7970]. The 3.11. Method Class
example below represents how to describe this class in JSON.
"TimeImpact":{ The class elements and an example are shown below. See Section 3.11
"value":"5 hours", of RFC 7970 [RFC7970] for the intended meanings of these elements.
"metric":"elapsed"
}
Figure 23: TimeImpact Class in JSON Class elements:
2.12.4. MonetaryImpact Class restriction?, ext-restriction?, Reference*, Description*,
AttackPattern*, Vulnerability*, Weakness*
This class is defined in Section 3.12.4 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"MonetaryImpact":{} "Method": {
"AttackPattern": {...} //StructuredInfo
"Vulnerability": {...} //StructuredInfo
}
Figure 24: MonetaryImpact Class in JSON 3.11.1. Reference Class
2.12.5. Confidence Class The class elements and an example are shown below. See
Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
This class is defined in Section 3.12.5 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"Confidence": { observable-id?, ReferenceName?, URL*, Description*
"rating": "medium"
}
Figure 25: Confidence Class in JSON Example:
2.13. History Class "Reference":{
"URL":"http://www.nict.go.jp" //URL
}
This class is defined in Section 3.13 of RFC 7970 [RFC7970]. The 3.12. Assessment Class
example below represents how to describe this class in JSON.
"History": { The class elements and an example are shown below. See Section 3.12
"HistoryItem": { of RFC 7970 [RFC7970] for the intended meanings of these elements.
"DateTime": "2015-10-15T11:18:00-05:00",
"action": "investigate"
}
},
Figure 26: History Class in JSON Class elements:
2.13.1. HistoryItem Class occurence?, restriction?, ext-restriction?, observable-id?,
IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
Cause*, Confidence?, AdditionalData*
This class is defined in Section 3.13.1 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"HistoryItem": { "Assessment": {
"DateTime": "2015-10-15T11:18:00-05:00", "SystemImpact": {...}, //SystemImpact class
"action": "investigate" "BusinessImpact": {...}, //BusinessImpact class
} "TimeImpact": {...}, //TimeImpact class
"MonetaryImpact": {...}, //MonetaryImpact class
"IntendedImpact": {...}, //IntendedImpact class
"Counter": "5", //Counter class
"MitigationFactor": {"value":"Rebooting is required"}//ML_STRING
"Cause": {"value":"Malware Infection"} //ML_STRING
}
}
Figure 27: HistoryItem Class in JSON 3.12.1. SystemImpact Class
2.14. EventData Class The class elements and an example are shown below. See
Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
This class is defined in Section 3.14 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"EventData": { severity?, completion?, type, ext-type?, Description*
"ReportTime": "2016-06-01 18:05:33",
"System": {
"category": "source",
"Node": {
"Address": {
"category": "ipv4-addr",
"AddressValue": "192.228.139.118"
},
"Location": "OrgID=7"
},
"Service": {
"ip-protocol": 6,
"Port": 49183
}
},
Figure 28: EventData Class in JSON Example:
2.15. Expectation Class "SystemImpact":{
"severity":"high", //ENUM
"completion": "successful" //ENUM
"type":"integrity-data" //ENUM
"Description":{"value":"The web page was falsified"} //ML_STRING
},
This class is defined in Section 3.15 of RFC 7970 [RFC7970]. The 3.12.2. BusinessImpact Class
example below represents how to describe this class in JSON.
"Expectation": { The class elements and an example are shown below. See
"action": "investigate" Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
}, these elements.
Figure 29: Expectation Class in JSON Class elements:
2.16. System Class severity?, ext-severity?, type, ext-type?, Description*
This class is defined in Section 3.17 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"System": { "BusinessImpact": {
"category": "source", "severity":"medium", //ENUM
"Node": { "completion": "successful" //ENUM
"Address": { "type": "degraded-reputation" //ENUM
"category": "ipv4-addr", "Description":{"value":"The web page was falsified"} //ML_STRING
"AddressValue": "192.228.139.118" }
},
"Location": "OrgID=7"
},
"Service": {
"ip-protocol": 6,
"Port": 49183
}
Figure 30: System Class in JSON 3.12.3. TimeImpact Class
2.17. Node Class The class elements and an example are shown below. See
Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
This class is defined in Section 3.18 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"Node": { value, severity?, metric, ext-metric?, duration?, ext-duration?
"Address": {
"category": "ipv4-addr",
"AddressValue": "192.228.139.118"
},
Figure 31: Node Class in JSON Example:
2.17.1. Address Class "TimeImpact":{
"time": "240" //REAL
"metric": "elapsed" //ENUM
"duration": "minutes" //ENUM
}
This class is defined in Section 3.18.1 of RFC 7970 [RFC7970]. The 3.12.4. MonetaryImpact Class
example below represents how to describe this class in JSON.
"Address": { The class elements and an example are shown below. See
"category": "ipv4-addr", Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of
"AddressValue": "192.228.139.118" these elements.
},
Figure 32: Address Class in JSON Class elements:
2.17.2. NodeRole Class value, severity?, currency?
This class is defined in Section 3.18.2 of RFC 7970 [RFC7970]. The Example:
example below represents how to describe this class in JSON.
"NodeRole": { "MonetaryImpact":{
"category": "client" "money": "10000", //REAL
}, "severity": "medium", //ENUM
"currency": "USD", //STRING
}
Figure 33: NodeRole Class in JSON 3.12.5. Confidence Class
2.17.3. Counter Class The class elements and an example are shown below. See
Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
This class is defined in Section 3.18.3 of RFC 7970 [RFC7970]. The Class elements:
example below represents how to describe this class in JSON.
"Counter": { value, rating, ext-rating?
"value": "3",
"type": "count",
"unit": "packet"
}
Figure 34: Counter Class in JSON Example:
2.18. DomainData Class "Confidence": {
"value": "5" //REAL
"rating": "medium" //ENUM
}
This class is defined in Section 3.19 of RFC 7970 [RFC7970]. The 3.13. History Class
example below represents how to describe this class in JSON.
"DomainData": { The class elements and an example are shown below. See Section 3.13
"system-status": "innocent-hacked", of RFC 7970 [RFC7970] for the intended meanings of these elements.
"domain-status": "assignedAndInactive",
"Name": "temp1.nict.go.jp"
},
Figure 35: DomainData Class in JSON Class elements:
2.18.1. Nameserver Class restriction?, ext-restriction?, HistoryItem+
Example:
"History": {
"restriction": "need-to-know" //ENUM
"HistoryItem": { ... } //HistoryItem class
},
3.13.1. HistoryItem Class
The class elements and an example are shown below. See
Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
action, ext-action?, restriction?, ext-restriction?, observable-id?,
DateTime, IncidentID?, Contact?, Description*, DefinedCOA*,
AdditionalData*
Example:
"HistoryItem": {
"action": "investigate" //ENUM
"restriction": "need-to-know" //ENUM
"DateTime": "2015-10-15T11:18:00-05:00", //DateTime
"IncidentID" { ...}, //IncidentID class
}
3.14. EventData Class
The class elements and an example are shown below. See Section 3.14
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
restriction?, ext-restriction?, observable-id?, Description*,
DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?,
Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*,
Record?, EventData*, AdditionalData*
Example:
"EventData": {
"ReportTime": "2016-06-01 18:05:33",
"Contact": { ...}, //Contact class
"Assessment": { ...}, //Assessment class
"Method": { ...}, //Method class
"System": { ... }, //System class
"Expectation": { ...}, //Expectation class
3.15. Expectation Class
The class elements and an example are shown below. See Section 3.15
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
action?, ext-action?, severity?, restriction?, ext-restriction?,
Description*, DefinedCOA*, StartTime?, EndTime?, Contact?
Example:
"Expectation": {
"action": "investigate" //ENUM
"severity": "medium" //ENUM
"restriction": "need-to-know" //ENUM
},
3.16. System Class
The class elements and an example are shown below. See Section 3.17
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
Service*, OperatingSystem*, Counter*, AssetID*, Description*,
AdditionalData*
Example:
"System": {
"category": "source", //ENUM
"Node": { ... }, //Node class
"Service": { ... }, //Service class
},
3.17. Node Class
The class elements and an example are shown below. See Section 3.18
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
DomainData*, Address*, PostalAddress?, Location*, Counter*
Example:
"Node": {
"Address": { ... }, //Address class
"Location": {"value":"OrgID=7"} //ML_STRING
}
3.17.1. Address Class
The class elements and an example are shown below. See
Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, category, ext-category?, vlan-name?, vlan-num?, observable-id?
Example:
"Address": {
"value": """192.228.139.118", //STRING
"category": "ipv4-addr", //ENUM
},
3.17.2. NodeRole Class
The class elements and an example are shown below. See
Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
category, ext-category?, Description*
Example:
"NodeRole": {
"category": "client" //ENUM
"Description": {"value":"The computer at room A"} //ML_STRING
},
3.17.3. Counter Class
The class elements and an example are shown below. See
Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements.
Class elements:
value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext-
duration?
Example:
"Counter": {
"value": "3", //REAL
"type": "count", //ENUM
"unit": "packet" //ENUM
"meaning": {"value":"The number of scan packets
are counted"}, //ML_STRING
}
3.18. DomainData Class
The class elements and an example are shown below. See Section 3.19
of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements:
system-status, ext-system-status?, domain-status, ext-domain-status?,
observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?
Example:
"DomainData": {
"system-status": "innocent-hacked", //ENUM
"domain-status": "assignedAndInactive", //STRING
"Name": "temp1.nict.go.jp" //STRING
},
3.18.1. Nameserver Class
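The "Class elements" lists in draft-01 (for example "restriction?, ext-restriction?, HistoryItem+" for History) carry the cardinality of each element in a suffix. The checker below turns those lists into rules and applies them to a JSON object, recursing into nested classes. It is an added example, not code from the draft; it assumes the reading that no suffix means exactly one, "?" zero or one, "*" zero or more and "+" one or more, and it accepts a repeatable element either as a single JSON value or as an array, since the draft's examples use both forms. The sample objects are constructed for the demonstration.

```python
"""Cardinality check for IODEF-in-JSON objects, driven by the "Class elements"
lists of draft-ietf-mile-jsoniodef-01.

Added example, not code from the draft. Assumed reading of the draft's
notation: no suffix = exactly one, "?" = zero or one, "*" = zero or more,
"+" = one or more. A repeatable element ("*" or "+") is assumed to appear
either as a single JSON value or as a JSON array, since the draft's examples
use both forms.
"""
import json

# Element lists copied from the draft's "Class elements" lines (Sections 3.9,
# 3.13 and 3.13.1); the remaining classes can be added the same way.
CLASS_ELEMENTS = {
    "Contact": ("role, ext-role?, type, ext-type?, restriction?, ext-restriction?, "
                "ContactName*, ContactTitle*, Description*, RegistryHandle*, "
                "PostalAddress*, Email*, Telephone*, Timezone?, Contact*, AdditionalData*"),
    "History": "restriction?, ext-restriction?, HistoryItem+",
    "HistoryItem": ("action, ext-action?, restriction?, ext-restriction?, observable-id?, "
                    "DateTime, IncidentID?, Contact?, Description*, DefinedCOA*, AdditionalData*"),
}


def parse_elements(spec):
    """Turn 'a, b?, c*, d+' into {name: (min, max)}; max is None when unbounded."""
    rules = {}
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token.endswith("?"):
            rules[token[:-1]] = (0, 1)
        elif token.endswith("*"):
            rules[token[:-1]] = (0, None)
        elif token.endswith("+"):
            rules[token[:-1]] = (1, None)
        else:
            rules[token] = (1, 1)
    return rules


def occurrences(value):
    """A JSON array counts once per item; any other value counts once."""
    return len(value) if isinstance(value, list) else 1


def validate(class_name, obj, path=None):
    """Return a list of problems; empty when obj satisfies the class element list.

    Elements whose name is itself a known class are validated recursively.
    """
    path = path or class_name
    rules = parse_elements(CLASS_ELEMENTS[class_name])
    problems = []
    for name, (lo, hi) in rules.items():
        n = occurrences(obj[name]) if name in obj else 0
        if n < lo:
            problems.append(f"{path}.{name}: required (min {lo}), got {n}")
        elif hi is not None and n > hi:
            problems.append(f"{path}.{name}: at most {hi} allowed, got {n}")
        if name in obj and name in CLASS_ELEMENTS:
            children = obj[name] if isinstance(obj[name], list) else [obj[name]]
            for i, child in enumerate(children):
                if not isinstance(child, dict):
                    problems.append(f"{path}.{name}[{i}]: expected a JSON object")
                    continue
                problems.extend(validate(name, child, f"{path}.{name}[{i}]"))
    for name in obj:
        if name not in rules:
            problems.append(f"{path}.{name}: not a defined element of {class_name}")
    return problems


def validate_json(class_name, text):
    """Entry point for a JSON document carrying one instance of class_name."""
    return validate(class_name, json.loads(text))


# Constructed inputs for the demonstration (not from the draft).
GOOD_HISTORY = {
    "restriction": "need-to-know",
    "HistoryItem": [
        {"action": "investigate", "DateTime": "2015-10-15T11:18:00-05:00"},
        {"action": "block-host", "DateTime": "2015-10-15T12:00:00-05:00",
         "Description": [{"value": "Blocked at the border router"}]},
    ],
}
BAD_HISTORY = {
    # "Action" has the wrong case and DateTime is missing
    "HistoryItem": {"Action": "investigate"},
}
# Shaped like the draft's Section 3.9 example, whose "email" key does not match
# the element name "Email" in the Contact class element list.
DRAFT_STYLE_CONTACT = {
    "role": "creator", "type": "organization",
    "ContactName": {"value": "CSIRT for example.com"},
    "email": {"emailTo": "contact@csirt.example.com"},
}

if __name__ == "__main__":
    for label, cls, obj in (("good", "History", GOOD_HISTORY),
                            ("bad", "History", BAD_HISTORY),
                            ("contact", "Contact", DRAFT_STYLE_CONTACT)):
        print(label, validate(cls, obj) or "ok")
```

Run against the draft's own Section 3.9 example shape, the check reports the "email" key as undefined, because the element list spells it "Email"; a consumer that keys on the element names in the lists will miss that sub-object unless the two are reconciled.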
draft-ietf-mile-jsoniodef-00.txt (left column):

This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "NameServers": {
      "Server": "vgw.nict.go.jp",
      "Address": {
         "AddressValue": "133.243.18.5",
         "category": "ipv4-addr"
      }
   }

Figure 36: Nameserver Class in JSON

2.18.2. DomainContacts Class

This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "DomainContacts": {
      "Contact": {
         "role": "user",
         "type": "organization"
      }
   }

Figure 37: DomainContacts Class in JSON

2.19. Service Class

This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "Service": {
      "ServiceName": {
         "Description": "It seems to be a scan from an infected machine."
      },
      "ip-protocol": 6,
      "Port": 49183
   }

Figure 38: Service Class in JSON

2.19.1. ServiceName Class

This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "ServiceName": {
      "Description": "It seems to be a scan from an infected machine."
   },

Figure 39: ServiceName Class in JSON

2.19.2. ApplicationHeader Class

This class is defined in Section 3.20.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "ApplicationHeader": {}

Figure 40: ApplicationHeader Class in JSON

2.20. EmailData Class

This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "EmailData": {}

Figure 41: EmailData Class in JSON

2.21. Record Class

This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "Record": {
      "RecordPattern": {
         "type": "regex",
         "value": "[0-9][A-Z]"
      },
      "RecordItem": {}
   },

Figure 42: Record Class in JSON

2.21.1. RecordPattern Class

This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "RecordPattern": {
      "type": "regex",
      "value": "[0-9][A-Z]"
   },

Figure 43: RecordPattern Class in JSON

2.22. WindowsRegistryKeysModified Class

This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "WindowsRegistryKeysModified": {
      "Key": {
         "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",
         "KeyName": "HKEY_LOCAL_MACHINExxxxxxx"
      }
   }

Figure 44: WindowsRegistryKeysModified Class in JSON

2.22.1. Key Class

This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "Key": {
      "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",
      "KeyName": "HKEY_LOCAL_MACHINExxxxxxx"
   }

Figure 45: Key Class in JSON

2.23. CertificateData Class

This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "CertificateData": {
      "Certificate": {
         "X509Data": {
            "X509IssuerSerial": {
               "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP",
               "X509SerialNumber": "12345678"
            },
            "X509SKI": "31d97bd7"
         }
      }
   }

Figure 46: CertificateData Class in JSON

2.23.1. Certificate Class

This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "Certificate": {
      "X509Data": {
         "X509IssuerSerial": {
            "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP",
            "X509SerialNumber": "12345678"
         },
         "X509SKI": "31d97bd7"
      }
   }

Figure 47: Certificate Class in JSON

2.24. FileData Class

This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "FileData": {
      "File": {
         "FileName": "dummy.exe"
      }
   },

Figure 48: FileData Class in JSON

2.24.1. File Class

This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "File": {
      "FileName": "dummy.exe"
   }

Figure 49: File Class in JSON

2.25. HashData Class

This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "HashData": {
      "scope": "file-contents",
      "Hash": {
         "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
         "DigestValue": "xxxxxxxxxxx"
      }
   }

Figure 50: HashData Class in JSON

2.25.1. Hash Class

This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1",
      "DigestValue": "xxxxxxxxxxx"
   }

Figure 51: Hash Class in JSON

2.25.2. FuzzyHash Class

This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "FuzzyHash": {
      "FuzzyHashValue": {}
   }

Figure 52: FuzzyHash Class in JSON

2.26. SignatureData Class

This class is defined in Section 3.27 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

   "SignatureData": {
      "Signature": "xxxxxxxx"
   }

Figure 53: SignatureData Class in JSON

2.27. Indicator Class

draft-ietf-mile-jsoniodef-01.txt (right column):

This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   Server, Address*

Example:

   "NameServers": {
      "Server": "vgw.nict.go.jp", //STRING
      "Address": {
         "AddressValue": "133.243.18.5", //STRING
         "category": "ipv4-addr" //ENUM
      }
   }

3.18.2. DomainContacts Class

This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   SameDomainContact?, Contact+

Example:

   "DomainContacts": {
      "Contact": {
         "role": "user", //ENUM
         "type": "organization" //ENUM
      }
   }

3.19. Service Class

This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?, Application?

Example:

   "Service": {
      "ServiceName": {
         "Description": "It seems to be a scan from an infected machine."
      },
      "ip-protocol": 6, //INTEGER
      "Port": 49183 //INTEGER
   }

3.19.1. ServiceName Class

This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   IANAService?, URL*, Description*

Example:

   "ServiceName": {
      "IANAService": "telnet", //STRING
      "URL": "https://en.wikipedia.org/wiki/Telnet", //STRING
      "Description": "It seems to be a scan from an infected machine." //STRING
   },

3.19.2. ApplicationHeader Class

This class is defined in Section 3.20.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   ApplicationHeaderField+

Example:

   "ApplicationHeader": {
      "ApplicationHeaderField": {}
   }

3.20. EmailData Class

This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, HashData*, SignatureData*

Example:

   "EmailData": {
      "EmailTo": "user1@example.org", //EMAIL
      "EmailFrom": "user2@example.com", //EMAIL
      "EmailSubject": "example email", //STRING
      "EmailX-Mailer": "example mailer v1.1.0", //STRING
      "EmailBody": "example email" //STRING
   }

3.21. Record Class

This class is defined in Section 3.22 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   restriction?, ext-restriction?, RecordData+

Example:

   "Record": {
      "RecordData": {
         "RecordPattern": {
            "type": "regex", //ENUM
            "value": "[0-9][A-Z]"
         }
      },
      "RecordItem": {}
   },

3.21.1. RecordData Class

This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   restriction?, ext-restriction?, observable-id?, DateTime?, Description*, Application?, RecordPattern*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*, CertificateData*, AdditionalData*

Example:

   "RecordData": {
      "RecordPattern": {
         "type": "regex",
         "value": "[0-9][A-Z]"
      }
   },

3.21.2. RecordPattern Class

This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, value

Example:

   "RecordPattern": {
      "type": "regex",
      "value": "[0-9][A-Z]"
   },

3.22. WindowsRegistryKeysModified Class

This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   observable-id?, Key+

Example:

   "WindowsRegistryKeysModified": {
      "Key": {
         "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
         "KeyName": "HKEY_LOCAL_MACHINExxxxxxx" //STRING
      }
   }

3.22.1. Key Class

This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   registryaction?, ext-registryaction?, observable-id?, KeyName, KeyValue?

Example:

   "Key": {
      "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
      "KeyName": "HKEY_LOCAL_MACHINExxxxxxx" //STRING
   }

3.23. CertificateData Class

This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   restriction?, ext-restriction?, observable-id?, Certificate+

Example:

   "CertificateData": {
      "Certificate": {
         "X509Data": "xxxxxxxx" //STRING
      }
   }

3.23.1. Certificate Class

This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The X509Data class contains the base64-encoded form of an X.509 certificate or chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON.

Class elements:

   observable-id?, X509Data, Description*

Example:

   "Certificate": {
      "X509Data": "xxxxxxxx" //STRING
   }

3.24. FileData Class

This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   restriction?, ext-restriction?, observable-id?, File+

Example:

   "FileData": {
      "File": {
         "FileName": "dummy.exe" //STRING
      }
   },

3.24.1. File Class

This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, SignatureData?, AssociatedSoftware?, FileProperties*

Example:

   "File": {
      "FileName": "dummy.exe" //STRING
   }

3.25. HashData Class

This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   scope, HashTargetID?, Hash*, FuzzyHash*

Example:

   "HashData": {
      "scope": "file-contents", //ENUM
      "Hash": {
         "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
         "DigestValue": "xxxxxxxxxxx" //STRING
      }
   }

3.25.1. Hash Class

This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   DigestMethod, DigestValue, CanonicalizationMethod?, Application?

Example:

   "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
      "DigestValue": "xxxxxxxxxxx" //STRING
   }

3.25.2. FuzzyHash Class

This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.

Class elements:

   FuzzyHashValue+, Application?, AdditionalData?

Example:

   "FuzzyHash": {
      "FuzzyHashValue": {}
   }

3.26. SignatureData Class

This class is defined in Section 3.27 of RFC 7970 [RFC7970]. The Signature class contains the base64-encoded form of a signature as described in Section 4.2 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON.

Class elements:

   Signature+

Example:

   "SignatureData": {
      "Signature": "xxxxxxxx" //STRING
   }
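A HashData object (Sections 3.25 and 3.25.1 of draft-01) names a DigestMethod by URI and carries a DigestValue; a recipient checks a file it holds against such an entry by recomputing the digest. The code below does that both ways, producing a HashData object for file contents and verifying one. It is an added example, not code from the draft, and it makes three assumptions: DigestValue is the base64 encoding of the raw digest (as DigestValue is in XML Signature; the draft shows only a placeholder), the sha1 URI from the draft's example and the XML Encryption sha256 URI are the only DigestMethods mapped, and only scope "file-contents" is handled. The sample file bytes are constructed.

```python
"""Build and verify a HashData object from the IODEF JSON binding
(draft Sections 3.25 and 3.25.1).

Added example, not code from the draft. Assumptions: DigestValue carries the
base64 encoding of the raw digest, as XML Signature's DigestValue does (the
draft shows only a placeholder); DigestMethod URIs are mapped to hashlib
algorithm names by the table below; only scope "file-contents" is handled.
"""
import base64
import hashlib

# DigestMethod URI -> hashlib name. The sha1 URI is the one used in the
# draft's example; the sha256 URI is the XML Encryption identifier (assumed).
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}


def digest_value(data, digest_method):
    """Base64 DigestValue of data under the given DigestMethod URI."""
    algorithm = DIGEST_METHODS.get(digest_method)
    if algorithm is None:
        raise ValueError(f"unsupported DigestMethod: {digest_method}")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def as_list(value):
    """The draft writes Hash* either as one object or as an array."""
    return value if isinstance(value, list) else [value]


def build_hash_data(data, methods=tuple(DIGEST_METHODS)):
    """HashData object a reporter would emit for file contents."""
    return {
        "scope": "file-contents",
        "Hash": [{"DigestMethod": m, "DigestValue": digest_value(data, m)} for m in methods],
    }


def verify_hash_data(hash_data, data):
    """Return (verified, report).

    verified is True only when at least one Hash entry is present and every
    entry matches. report lists (DigestMethod, outcome) with outcome one of
    "match", "mismatch" or "unsupported"; unsupported methods are reported
    rather than skipped so that an unknown URI never passes silently.
    """
    if hash_data.get("scope") != "file-contents":
        raise ValueError(f"scope {hash_data.get('scope')!r} is not handled here")
    report = []
    for entry in as_list(hash_data.get("Hash", [])):
        method = entry["DigestMethod"]
        try:
            actual = digest_value(data, method)
        except ValueError:
            report.append((method, "unsupported"))
            continue
        # a DigestValue copied out of XML may carry surrounding whitespace
        expected = entry["DigestValue"].strip()
        report.append((method, "match" if actual == expected else "mismatch"))
    verified = bool(report) and all(outcome == "match" for _, outcome in report)
    return verified, report


# Constructed sample content (not a file from the draft).
SAMPLE_FILE = b"constructed sample file contents\n"

if __name__ == "__main__":
    hd = build_hash_data(SAMPLE_FILE)
    print(verify_hash_data(hd, SAMPLE_FILE))
    print(verify_hash_data(hd, SAMPLE_FILE + b"tampered"))
```

An empty Hash list verifies as False rather than True, and an unrecognised DigestMethod is surfaced in the report; both choices keep a malformed or unexpected HashData entry from being mistaken for a confirmed match.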
3.27. Indicator Class
This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
"Indicator": { Class elements:
"IndicatorID": {
"id": "G90823490",
"name": "csirt.example.com",
"version": "1"
},
"Description": "C2 domains",
"StartTime": "2014-12-02T11:18:00-05:00",
"Observable": {
"BulkObservable": {
"type": "fqdn"
},
"BulkObservableList": [
"kj290023j09r34.example.com",
"09ijk23jfj0k8.example.net",
"klknjwfjiowjefr923.example.org",
"oimireik79msd.example.org"
]
}
}
Figure 54: Indicator Class in JSON restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
Description*, StartTime?, EndTime?, Confidence?, Contact*,
Observable?, ObservableReference?, IndicatorExpression?,
IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
AdditionalData*
2.27.1. IndicatorID Class Example:
"Indicator": {
"IndicatorID": {
"id": "G90823490", //STRING
"name": "csirt.example.com", //STRING
"version": "1" //STRING
},
"Description": "C2 domains", //ML_STRING
"StartTime": "2014-12-02T11:18:00-05:00", //Datetime
"Observable": {
"BulkObservable": {
"type": "fqdn" //ENUM
},
"BulkObservableList": [
"kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRIN
]
}
}
3.27.1. IndicatorID Class
This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
"IndicatorID": { Class elements:
"id": "G90823490",
"name": "csirt.example.com",
"version": "1"
},
Figure 55: IndicatorID Class in JSON id, name, version
2.27.2. AlternativeIndicatorID Class Example:
"IndicatorID": {
"id": "G90823490", //STRING
"name": "csirt.example.com", //STRING
"version": "1" //STRING
}
3.27.2. AlternativeIndicatorID Class
This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
"AlternativeIndicatorID": { Class elements:
"IndicatorReference": {
"uid-ref": "xxxxx"
}
},
Figure 56: AlternativeIndicatorID Class in JSON restriction?, ext-restriction?, IndicatorReference+
2.27.3. Observable Class Example:
"AlternativeIndicatorID": {
"IndicatorReference": {
"uid-ref": "xxxxx"
}
},
3.27.3. Observable Class

This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.

Class elements:

restriction?, ext-restriction?, System?, Address?, DomainData?,
Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
CertificateData?, RegistryHandle?, RecordData?, EventData?,
Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
HistoryItem?, BulkObservable?, AdditionalData*

Example:

"Observable": {
  "BulkObservable": {
    "type": "fqdn"                            //ENUM
  },
  "BulkObservableList": [
    "kj290023j09r34.example.com",             //STRING
    "09ijk23jfj0k8.example.net",              //STRING
    "klknjwfjiowjefr923.example.org",         //STRING
    "oimireik79msd.example.org"               //STRING
  ]
}
3.27.4. BulkObservable Class
This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
type?, ext-type?, BulkObservableFormat?, BulkObservableList,
AdditionalData*
Example:
"BulkObservable": {
"type": "fqdn" //ENUM
},
"BulkObservableList": [
"kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING
]
3.27.5. BulkObservableFormat Class
This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
The example below represents how to describe this class in JSON.
Class elements:
Hash?, AdditionalData*
Example:
"BulkObservableFormat": {
"Hash": {
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
"DigestValue": "xxxxxxxxxxx" //STRING
}
}
3.27.6. IndicatorExpression Class

This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.

Class elements:

operator?, ext-operator?, IndicatorExpression*, Observable*,
ObservableReference*, IndicatorReference*, Confidence?,
AdditionalData*

Example:

"IndicatorExpression": {
  "ObservableReference": {
    "uid-ref": "xxxxx"
  }
}
3.27.7. ObservableReference Class

This class is defined in Section 3.29.6 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.

Class elements:

uid-ref

Example:

"ObservableReference": {
  "uid-ref": "xxxxx"
},
3.27.8. IndicatorReference Class

This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.

Class elements:

uid-ref?, euid-ref?, version?

Example:

"IndicatorReference": {
  "uid-ref": "xxxxx"
}
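The uid-ref attributes of ObservableReference and IndicatorReference only mean something if they resolve: an ObservableReference has to name an observable-id carried by some Observable in the document, and an IndicatorReference has to name an IndicatorID. The following is an added example, not code from this draft, of the integrity check a consumer should run before acting on an IndicatorExpression, together with a helper that follows the references and flattens an expression into the bulk values it points at. It assumes only the element names used in the draft's examples and the observable-id / uid-ref attributes defined by RFC 7970; the sample Incident is constructed for the example.

```python
"""Reference integrity and expansion for IODEF-JSON indicators.

Added example, not code from draft-ietf-mile-jsoniodef.  It assumes only the
element names the draft's examples use (IndicatorList, IndicatorID,
IndicatorExpression, ObservableReference, IndicatorReference,
AlternativeIndicatorID, Observable, BulkObservable, BulkObservableList) and
the observable-id / uid-ref attributes RFC 7970 defines for linking them.
"""
from typing import Any, Dict, List, Optional


def _as_list(value: Any) -> List[Any]:
    # The draft writes a single child as an object, repeated children as an array.
    return value if isinstance(value, list) else [value]


def observables_by_id(node: Any, index: Optional[Dict[str, dict]] = None) -> Dict[str, dict]:
    """Map every observable-id found anywhere under `node` to the object carrying it."""
    if index is None:
        index = {}
    if isinstance(node, dict):
        if isinstance(node.get("observable-id"), str):
            index[node["observable-id"]] = node
        for value in node.values():
            observables_by_id(value, index)
    elif isinstance(node, list):
        for value in node:
            observables_by_id(value, index)
    return index


def dangling_references(incident: dict) -> List[str]:
    """List every uid-ref under IndicatorList that resolves to nothing.

    ObservableReference.uid-ref must name an observable-id in the Incident and
    IndicatorReference.uid-ref an IndicatorID.id.  Links under
    AlternativeIndicatorID are skipped: they may point at another document.
    """
    indicators = incident.get("IndicatorList", [])
    observables = observables_by_id(incident)
    known = {ind["IndicatorID"]["id"] for ind in indicators
             if isinstance(ind.get("IndicatorID"), dict) and "id" in ind["IndicatorID"]}
    problems: List[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")
        elif isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key == "AlternativeIndicatorID":
                    continue
                if key == "ObservableReference":
                    for ref in _as_list(value):
                        target = ref.get("uid-ref")
                        if target not in observables:
                            problems.append(f"{here}: uid-ref {target!r} matches no observable-id")
                elif key == "IndicatorReference":
                    for ref in _as_list(value):
                        target = ref.get("uid-ref")
                        if target is not None and target not in known:
                            problems.append(f"{here}: uid-ref {target!r} matches no IndicatorID")
                else:
                    walk(value, here)

    walk(indicators, "IndicatorList")
    return problems


def _bulk_values(observable: dict) -> List[str]:
    # The draft's examples put BulkObservableList beside BulkObservable; RFC 7970
    # puts it inside BulkObservable.  Accept either placement.
    inside = observable.get("BulkObservable", {}).get("BulkObservableList", [])
    return list(observable.get("BulkObservableList") or inside)


def expression_values(expr: dict, observables: Dict[str, dict]) -> List[str]:
    """Flatten an IndicatorExpression (inline Observables, ObservableReference
    links, nested expressions) into a watch list.  The boolean operator is
    ignored and unresolvable references contribute nothing."""
    values: List[str] = []
    for obs in _as_list(expr.get("Observable", [])):
        values += _bulk_values(obs)
    for ref in _as_list(expr.get("ObservableReference", [])):
        target = observables.get(ref.get("uid-ref"))
        if target is not None:
            values += _bulk_values(target)
    for sub in _as_list(expr.get("IndicatorExpression", [])):
        values += expression_values(sub, observables)
    return values


# Constructed sample (not from the draft): the second Indicator references the
# first one's Observable, a missing Observable (obs-9) and a missing Indicator (G000).
SAMPLE_INCIDENT = {"IndicatorList": [
    {"IndicatorID": {"id": "G90823490", "name": "csirt.example.com", "version": "1"},
     "Observable": {"observable-id": "obs-1", "BulkObservable": {"type": "fqdn"},
                    "BulkObservableList": ["kj290023j09r34.example.com",
                                           "09ijk23jfj0k8.example.net"]}},
    {"IndicatorID": {"id": "G90823491", "name": "csirt.example.com", "version": "1"},
     "AlternativeIndicatorID": {"IndicatorReference": {"uid-ref": "id-from-another-doc"}},
     "IndicatorExpression": {
         "operator": "or",
         "ObservableReference": [{"uid-ref": "obs-1"}, {"uid-ref": "obs-9"}],
         "IndicatorReference": {"uid-ref": "G90823490"},
         "IndicatorExpression": [{
             "operator": "and",
             "IndicatorReference": {"uid-ref": "G000"},
             "Observable": {"observable-id": "obs-2",
                            "BulkObservable": {"type": "fqdn",
                                               "BulkObservableList": ["klknjwfjiowjefr923.example.org"]}}}]}},
]}
```

Running `dangling_references(SAMPLE_INCIDENT)` reports the two unresolvable links (obs-9 and G000) with their JSON paths, while `expression_values` on the second indicator's expression yields the three domains reachable through obs-1 and the inline obs-2; the external reference under AlternativeIndicatorID is deliberately not counted as an error.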
3.27.9. AttackPhase Class

This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.

Class elements:

AttackPhaseID*, URL*, Description*, AdditionalData*

Example:

"AttackPhase": {
  "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets."   //ML_STRING
}
4. Notable differences from RFC 7970 (to be deleted)
o This document treats attributes and elements of each class defined
  in RFC 7970 [RFC7970] equally and is agnostic about the order in
  which they appear.

o Flow class is deleted, and EventData class now has the instance of
  System class.

o Record class is deleted, and the links to the Record class are
  connected directly to the RecordData class, which is then renamed
  Record class.
5. Examples

This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the only
way to encode particular information.

5.1. Minimal Example

A document containing only the mandatory elements and attributes.
{
  "version": "2.0",
  "lang": "en",
  "Incident": [
    {
      "purpose": "reporting",
      "restriction": "private",
      "IncidentID": {
        "id": 492382,
        "name": "csirt.example.com"
      },
      "GenerationTime": "2015-07-18T09:00:00-05:00",
      "Contact": [
        {
          "type": "organization",
          "role": "creator",
          "email": {
            "emailTo": "contact@csirt.example.com"
          }
        }
      ]
    }
  ]
}
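Whether an Incident actually satisfies the JSON Schema given later in this document can be checked mechanically. The following added example (not code from this draft) implements the subset of JSON Schema draft-04 that the draft's schema uses ($ref, enum, type, properties, required, additionalProperties, items) and carries a copy of the schema's Incident, IncidentID, Contact and Email definitions, with Incident trimmed to the properties the minimal example exercises. Run against the minimal example exactly as printed, it reports three violations: the numeric IncidentID.id where the schema's IDtype is a string, the missing required Contacts array, and the singular Contact property standing in for it (once that is renamed, the lower-case email/emailTo keys are rejected in turn against the schema's Email/EmailTo). With those names aligned the document validates. The function names and the two sample documents are constructed for this example.

```python
"""Check IODEF-JSON Incidents against the draft's JSON Schema.

Added example, not code from draft-ietf-mile-jsoniodef.  SCHEMA copies the
draft's definitions of purpose, restriction, IncidentID, Contact and Email and
trims Incident to the properties the minimal example uses.  The validator
covers only the draft-04 keywords the draft's schema relies on, so no
third-party package is needed; function names and documents are constructed.
"""
from typing import Any, List

SCHEMA = {"definitions": {
    "purpose": {"enum": ["traceback", "mitigation", "reporting", "watch", "other", "ext-value"]},
    "restriction": {"enum": ["public", "partner", "need-to-know", "private", "default",
                             "white", "green", "amber", "red", "ext-value"]},
    "Incident": {
        "type": "object",
        "properties": {
            "purpose": {"$ref": "#/definitions/purpose"},
            "restriction": {"$ref": "#/definitions/restriction"},
            "IncidentID": {"$ref": "#/definitions/IncidentID"},
            "GenerationTime": {"type": "string"},
            "Contacts": {"type": "array", "items": {"$ref": "#/definitions/Contact"}}},
        "required": ["IncidentID", "GenerationTime", "Contacts", "purpose"],
        "additionalProperties": False},
    "IncidentID": {
        "type": "object",
        "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                       "instance": {"type": "string"},
                       "restriction": {"$ref": "#/definitions/restriction"},
                       "ext-restriction": {"type": "string"}},
        "required": ["name"],
        "additionalProperties": False},
    "Contact": {
        "type": "object",
        "properties": {
            "role": {"enum": ["creator", "reporter", "admin", "tech", "provider", "user",
                              "billing", "legal", "irt", "abuse", "cc", "cc-irt", "leo", "vendor",
                              "vendor-support", "victim", "victim-notified", "ext-value"]},
            "type": {"enum": ["person", "organization", "ext-value"]},
            "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}},
        "required": ["role", "type"],
        "additionalProperties": False},
    "Email": {
        "type": "object",
        "properties": {"type": {"enum": ["direct", "hotline", "ext-value"]},
                       "ext-type": {"type": "string"}, "EmailTo": {"type": "string"},
                       "Description": {"type": "array", "items": {"type": "string"}}},
        "required": ["EmailTo"],
        "additionalProperties": False},
}}

# JSON Schema type names mapped to the Python types json.loads() produces.
JSON_TYPES = {"object": dict, "array": list, "string": str, "number": (int, float)}


def _resolve(ref: str) -> dict:
    """Follow a local '#/definitions/...' pointer into SCHEMA."""
    node: Any = SCHEMA
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def validate(instance: Any, schema: dict, path: str = "$") -> List[str]:
    """Return every constraint violation as a string; an empty list means valid."""
    if "$ref" in schema:
        return validate(instance, _resolve(schema["$ref"]), path)
    errors: List[str] = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    if "type" in schema and not isinstance(instance, JSON_TYPES[schema["type"]]):
        errors.append(f"{path}: expected {schema['type']}, got {type(instance).__name__}")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property {name!r}")
        for name, value in instance.items():
            if name in props:
                errors.extend(validate(value, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}: property {name!r} is not allowed")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def validate_incidents(document: dict) -> List[str]:
    """Validate each element of the top-level Incident array."""
    errors: List[str] = []
    for i, incident in enumerate(document.get("Incident", [])):
        errors.extend(validate(incident, {"$ref": "#/definitions/Incident"}, f"$.Incident[{i}]"))
    return errors


# The minimal example as the draft prints it: numeric id, singular "Contact",
# lower-case email/emailTo.
MINIMAL_AS_PRINTED = {"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": 492382, "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "email": {"emailTo": "contact@csirt.example.com"}}]}]}

# The same document with names and types aligned to the schema definitions.
MINIMAL_ALIGNED = {"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contacts": [{"type": "organization", "role": "creator",
                  "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}
```

Because the validator reports every violation with its JSON path rather than stopping at the first, the output of `validate_incidents(MINIMAL_AS_PRINTED)` can be read directly as the list of edits needed to bring a document in line with the schema; `validate_incidents(MINIMAL_ALIGNED)` returns an empty list.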
5.2. Indicators from a Campaign

An example of C2 domains from a given campaign.

{
  "version": "2.0",
  "lang": "en",
  "Incidents": [
    {
      "purpose": "watch",
      "restriction": "green",
      ...
          "Observable": {
            "BulkObservable": {
              "type": "fqdn"
            },
            "BulkObservableList": [
              "kj290023j09r34.example.com",
              "09ijk23jfj0k8.example.net",
              "klknjwfjiowjefr923.example.org",
              "oimireik79msd.example.org"
            ]
          }
        }
      ]
    }
  ]
}
6. The IODEF Data Model (JSON Schema)
{ "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"action": {"enum": ["nothing","contact-source-site","contact-target-site",
"contact-sender","investigate","block-host","block-network",
"block-port","rate-limit-host","rate-limit-network",
"rate-limit-port","redirect-traffic","honeypot",
"upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","ext-value"]},
"duration": {"enum": ["second","minute","hour","day","month","quarter",
"year","ext-value"]},
"lang": {"enum": ["en","jp"]},
"purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
"ext-value"]},
"restriction": {"enum": ["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved","future",
"ext-value"]},
"DATETIME": {"type": "string"},
"PORTLIST": {"type": "string"},
"URLtype": {"type": "string"},
"IDtype": {"type": "string"},
"ExtensionType": {
"type": "object",
"properties": {
"name": {"type": "string"},
"dtype": {"enum": ["boolean","byte","bytes","character","date-time",
"ntpstamp","integer","portlist","real","string","file",
"path","frame","packet","ipv4-packet","ipv6-packet","url",
"csv","winreg","xml","ext-value"]},
"ext-dtype": {"type": "string"},
"meaning": {"type": "string"},
"formatid": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}},
"ExtensionTypeList": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}},
"SoftwareType": {
"type": "object",
"properties": {
"SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
"URL": {"$ref": "#/definitions/URLtype"},
"Description": {"type": "string"}},
"required": [],
"additionalProperties": false},
"SoftwareReference": {
"type": "object",
"properties": {
"value": {"type": "string"},
"spec-name": {"type": "string"},
"ext-spec-name": {"type": "string"},
"dtype": {"type": "string"},
"ext-dtype": {"type": "string"}},
"required": ["spec-name"],
"additionalProperties": false},
"StructuredInfo": {
"type": "object",
"properties": {
"specID": {"type": "string"},
"ext-specID": {"type": "string"},
"contentID": {"type": "string"},
"RawData": {"type": "string"},
"URL": {"$ref": "#/definitions/URLtype"}},
"required": ["specID"],
"additionalProperties": false},
"Incident": {
"title": "Incident",
"description": "JSON schema for Incident class",
"type": "object",
"properties": {
"purpose": {"$ref": "#/definitions/purpose"},
"ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"},
"RelatedActivity": {
"type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
"DetectTime": {"type": "string"},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"RecoveryTime": {"type": "string"},
"ReportTime": {"type": "string"},
"GenerationTime": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}},
"Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {
"type": "array","items": {"$ref": "#/definitions/Assessment"}},
"Methods": {
"type": "array","items": {"$ref": "#/definitions/Method"}},
"Contacts": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}},
"IndicatorList": {
"type": "array","items": {"$ref": "#/definitions/Indicator"}},
"History": {"$ref": "#/definitions/History"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IncidentID","GenerationTime","Contacts","purpose"],
"additionalProperties": false},
"IncidentID": {
"title": "IncidentID",
"description": "JSON schema for IncidentID class",
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"instance": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}},
"required": ["name"],
"additionalProperties": false},
"AlternativeID": {
"title": "AlternativeID",
"description": "JSON schema for AlternativeID class",
"type": "object",
"properties": {
"IncidentID": {
"type": "array","items":{"$ref": "#/definitions/IncidentID"}},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}},
"required": ["IncidentID"],
"additionalProperties": false},
"RelatedActivity": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IncidentID": {
"type": "array","items": {"$ref": "#/definitions/IncidentID"}},
"URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"ThreatActor": {
"type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
"Campaign": {
"type": "array","items": {"$ref": "#/definitions/Campaign"}},
"IndicatorID": {
"type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Description": { "type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"ThreatActor": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"ThreatActorID": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"Campaign": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"CampaignID": {"type": "array", "items": {"type": "string"}},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
"Contact": {
"type": "object",
"properties": {
"role": {
"enum": ["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified",
"ext-value"]},
"ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"ContactName": {"type": "array", "items": {"type": "string"}},
"ContactTitle": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}},
"RegistryHandle": {
"type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},
"PostalAddress": {
"type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
"Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
"Telephone": {
"type": "array", "items": {"$ref": "#/definitions/Telephone"}},
"Timezone": {"type": "string"},
"Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role","type"],
"additionalProperties": false},
"RegistryHandle": {
"type": "object",
"properties": {
"handle": {"type": "string"},
"registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
"ext-value"]},
"ext-registry": {"type": "string"}},
"required": ["registry"],
"additionalProperties": false},
"PostalAddress": {
"type": "object",
"properties": {
"type": {"type": "string"},
"ext-type": {"type": "string"},
"PAddress": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["PAddress"],
"additionalProperties": false},
"Email": {
"type": "object",
"properties": {
"type": {
"enum":["direct","hotline","ext-value"]},
"ext-type": {"type": "string"},
"EmailTo": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["EmailTo"],
"additionalProperties": false},
"Telephone": {
"type": "object",
"properties": {
"type": {
"enum":["wired","mobile","fax","hotline","ext-value"]},
"ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["TelephoneNumber"],
"additionalProperties": false},
"Discovery": {
"type": "object",
"properties": {
"source": {
"enum":["nidps","hips","siem","av","third-party-monitoring",
"incident","os-log","application-log","device-log",
"network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}},
"Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}},
"DetectionPattern": {
"type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
"required": [],
"additionalProperties": false},
"DetectionPattern": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {"type": "array", "items": {"type": "string"}},
"DetectionConfiguration": {
"type": "array", "items": {"type": "string"}}},
"required": ["Application"],
"additionalProperties": false},
"Method": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"References": {
"type": "array","items": {"$ref": "#/definitions/Reference"}},
"Description": {"type": "array", "items": {"type": "string"}},
"AttackPattern": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
"Vulnerability": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
"Weakness": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"Reference": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"type": "string"},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": [],
"additionalProperties": false},
"Assessment": {
"type": "object",
"properties": {
"occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {"type": "array", "items": {"type": "string"}},
"SystemImpact": {
"type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
"BusinessImpact": {
"type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
"TimeImpact": {
"type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
"MonetaryImpact": {
"type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
"IntendedImpact": {
"type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
"Counter": {
"type": "array", "items": {"$ref": "#/definitions/Counter"}},
"MitigatingFactor": {
"type": "array", "items": {"type": "string"}},
"Cause": {"type": "array", "items": {"type": "string"}},
"Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"SystemImpact": {
"type": "object",
"properties": {
"severity": {
"enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]},
"type": {
"enum":["takeover-account","takeover-service","takeover-system",
"cps-manipulation","cps-damage","availability-data",
"availability-account","availability-service",
"availability-system","damaged-system","damaged-data",
"breach-proprietary","breach-privacy","breach-credential",
"breach-configuration","integrity-data",
"integrity-configuration","integrity-hardware",
"traffic-redirection","monitoring-traffic","monitoring-host",
"policy","unknown","ext-value"]},
"ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["type"],
"additionalProperties": false},
"BusinessImpact": {
"type": "object",
"properties": {
"severity": {
"enum":["none","low","medium","high","unknown","ext-value"]},
"ext-severity": {"type":"string"},
"type": {
"enum":["breach-proprietary","breach-privacy","breach-credential",
"loss-of-integrity","loss-of-service","theft-financial",
"theft-service","degraded-reputation","asset-damage",
"asset-manipulation","legal","extortion","unknown",
"ext-value"]},
"ext-type": {"type": "string"},
},
"required": [
"HistoryItem"
],
"additionalProperties": false
},
"HistoryItem": {
"type": "object",
"properties": {
"action": {},
"ext-action": {},
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"DateTime": {},
"IncidentID": {},
"Contact": {
"$ref": "#/definitions/Contact"
},
"Description": {
"type": "string"
},
"DefinedCOA": {},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"DateTime",
"action"
],
"additionalProperties": false
},
"EventData": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"Description": {
"type": "string"
},
"DetectTime": {},
"StartTime": {},
"EndTime": {},
"RecoveryTime": {},
"ReportTime": {
"type": "string"
},
"Contact": {
"$ref": "#/definitions/Contact"
},
"Discovery": {
"$ref": "#/definitions/Discovery"
},
"Assessment": {},
"Method": {
"$ref": "#/definitions/Method"
},
"System": {
"$ref": "#/definitions/System"
},
"Expectation": {
"$ref": "#/definitions/Expectation"
},
"Record": {
"$ref": "#/definitions/Record"
},
"EventData": {
"$ref": "#/definitions/EventData"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"ReportTime"
],
"additionalProperties": false
},
"Expectation": {
"type": "object",
"properties": {
"action": {},
"ext-action": {},
"severity": {},
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"Description": {
"type": "string"
},
"DefinedCOA": {},
"StartTime": {},
"EndTime": {},
"Contact": {
"$ref": "#/definitions/Contact"
}
},
"required": [],
"additionalProperties": false
},
"System": {
"type": "object",
"properties": {
"category": {
"enum": [
"source",
"target",
"intermediate",
"sensor",
"infrastructure",
"ext-value"
]
},
"ext-category": {},
"interface": {},
"spoofed": {},
"virtual": {},
"ownership": {},
"ext-ownership": {},
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"Node": {
"$ref": "#/definitions/Node"
},
"NodeRole": {
"$ref": "#/definitions/NodeRole"
},
"Service": {
"$ref": "#/definitions/Service"
},
"OperatingSystem": {},
"Counter": {
"$ref": "#/definitions/Counter"
},
"AssetID": {},
"Description": {
"type": "string"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"Node"
],
"additionalProperties": false
},
"Node": {
"type": "object",
"properties": {
"DomainData": {
"$ref": "#/definitions/DomainData"
},
"Address": {
"$ref": "#/definitions/Address"
},
"PostalAddress": {},
"Location": {
"type": "string"
},
"Counter": {
"$ref": "#/definitions/Counter"
}
},
"required": [],
"additionalProperties": false
},
"Address": {
"type": "object",
"properties": {
"AddressValue": {},
"category": {},
"ext-category": {},
"vlan-name": {},
"vlan-num": {
"type": "integer"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
}
},
"required": [
"category"
],
"additionalProperties": false
},
"NodeRole": {
"type": "object",
"properties": {
"category": {},
"ext-category": {},
"Description": {
"type": "string"
}
},
"required": [
"category"
],
"additionalProperties": false
},
"Counter": {
"type": "object",
"properties": {
"value": {
"type": "string"
},
"type": {},
"ext-type": {},
"unit": {},
"ext-unit": {},
"meaning": {},
"duration": {},
"ext-duration": {}
},
"required": [
"type",
"unit"
],
"additionalProperties": false
},
"DomainData": {
"type": "object",
"properties": {
"system-status": {},
"ext-system-status": {},
"domain-status": {},
"ext-domain-status": {},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"Name": {},
"DateDomainWasChecked": {},
"RegistrationDate": {},
"ExpirationDate": {},
"RelatedDNS": {},
"NameServers": {
"$ref": "#/definitions/NameServers"
},
"DomainContacts": {
"$ref": "#/definitions/DomainContacts"
}
},
"required": [
"Name",
"system-status",
"domain-status"
],
"additionalProperties": false
},
"NameServers": {
"type": "object",
"properties": {
"Server": {},
"Address": {
"$ref": "#/definitions/Address"
}
},
"required": [
"Server",
"Address"
],
"additionalProperties": false
},
"DomainContacts": {
"type": "object",
"properties": {
"SameDomainContact": {},
"Contact": {
"$ref": "#/definitions/Contact"
}
},
"required": [
"Contact"
],
"additionalProperties": false
},
"Service": {
"type": "object",
"properties": {
"ip-protocol": {},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"ServiceName": {},
"Port": {},
"Portlist": {},
"ProtoCode": {},
"ProtoType": {},
"ProtoField": {},
"ApplicationHeader": {},
"EmailData": {},
"Application": {}
},
"required": [],
"additionalProperties": false
},
"ServiceName": {
"type": "object",
"properties": {
"IANAService": {},
"URL": {
"$ref": "#/definitions/URLtype"
},
"Description": {
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"ApplicationHeader": {
"type": "object",
"properties": {
"ApplicationHeaderField": {}
},
"required": [
"ApplictionHeaderField"
],
"additionalProperties": false
},
"EmailData": {
"type": "object",
"properties": {
"EmailTo": {},
"EmailFrom": {},
"EmailSubject": {},
"EmailX-Mailer": {},
"EmailHeaderField": {},
"EmailHeaders": {},
"EmailBody": {},
"EmailMessage": {},
"HashData": {
"$ref": "#/definitions/HashData"
},
"SignatureData": {
"$ref": "#/definitions/SignatureData"
}
},
"required": [],
"additionalProperties": false
},
"Record": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"DateTime": {},
"Description": {
"type": "string"
},
"Applicadtion": {},
"RecordPattern": {},
"RecordItem": {},
"URL": {
"$ref": "#/definitions/URLtype"
},
"FileData": {
"$ref": "#/definitions/FileData"
},
"WindowsRegistryKeysModified": {},
"CertificateData": {
"$ref": "#/definitions/CertificateData"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
},
"RecordPattern": {
"type": "object",
"properties": {
"RecordPatternValue": {},
"type": {},
"ext-type": {},
"offset": {},
"offsetunit": {},
"ext-offsetunit": {},
"instance": {
"type": "integer"
}
},
"required": [
"type"
],
"additionalProperties": false
},
"WindowsRegistryKeysModified": {
"type": "object",
"properties": {
"observabile-id": {},
"Key": {}
},
"required": [
"Key"
],
"additionalProperties": false
},
"Key": {
"type": "object",
"properties": {
"registryaction": {},
"ext-registryaction": {},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"KeyName": {},
"KeyValue": {}
},
"required": [
"KeyName"
],
"additionalProperties": false
},
"CertificateData": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"Certificate": {
"$ref": "#/definitions/Certificate"
}
},
"required": [
"Certificate"
],
"additionalProperties": false
},
"Certificate": {
"type": "object",
"properties": {
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"X509Data": {},
"Description": {
"type": "string"
}
},
"required": [
"X509Data"
],
"additionalProperties": false
},
"FileData": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"observable-id": {
"$ref": "#/definitions/IDtype"
},
"File": {
"$ref": "#/definitions/File"
}
},
"required": [
"File"
],
"additionalProperties": false
},
"File": {
"type": "object",
"properties": {
"FileName": {
"type": "string"
},
"FileSize": {},
"FileType": {},
"URL": {
"$ref": "#/definitions/URLtype"
},
"HashData": {
"$ref": "#/definitions/HashData"
},
"SignatureData": {
"$ref": "#/definitions/SignatureData"
},
"AssociatedSoftware": {},
"FileProperties": {}
},
"required": [],
"additionalProperties": false
},
"HashData": {
"type": "object",
"properties": {
"scope": {},
"HashTargetID": {},
"Hash": {
"$ref": "#/definitions/Hash"
},
"FuzzyHash": {
"$ref": "#/definitions/FuzzyHash"
}
},
"required": [
"scope"
],
"additionalProperties": false
},
"Hash": {
"type": "object",
"properties": {
"DigestMethod": {
"type": "string"
},
"DigestValue": {
"type": "string"
},
"CanonicalizationMethod": {},
"Application": {}
},
"required": [
"DigestMethod",
"DigestValue"
],
"additionalProperties": false
},
"FuzzyHash": {
"type": "object",
"properties": {
"FuzzyHashValue": {
"$ref": "#/definitions/ExtensionType"
},
"Application": {},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"FuzzyHashValue"
],
"additionalProperties": false
},
"SignatureData": {
"type": "object",
"properties": {
"Signature": {
"SignatureValue": "xxxxxxxx",
"id": "xxxxxxxx"
}
},
"required": [
"Signature"
],
"additionalProperties": false
},
"Indicator": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"IndicatorID": {
"$ref": "#/definitions/IndicatorID"
},
"AlternativeIndicatorID": {
"$ref": "#/definitions/AlternativeIndicatorID"
},
"Description": {
"type": "string"
},
"StartTime": {},
"EndTime": {},
"Confidence": {
"$ref": "#/definitions/Confidence"
},
"Contact": {
"$ref": "#/definitions/Contact"
},
"Observable": {},
"ObservableReference": {
"$ref": "#/definitions/ObservableReference"
},
"IndicatorExpression": {
"$ref": "#/definitions/IndicatorExpression"
},
"IndicatorReference": {
"$ref": "#/definitions/IndicatorReference"
},
"NodeRole": {
"$ref": "#/definitions/NodeRole"
},
"AttackPhase": {
"$ref": "#/definitions/AttackPhase"
},
"Reference": {
"$ref": "#/definitions/Reference"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"IndicatorID"
],
"additionalProperties": false
},
"IndicatorID": {
"type": "object",
"properties": {
"id": {},
"name": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [
"name",
"version"
],
"additionalProperties": false
},
"AlternativeIndicatorID": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"IndicatorReference": {
"$ref": "#/definitions/IndicatorReference"
}
},
"required": [
"IndicatorReference"
],
"additionalProperties": false
},
"Observable": {
"type": "object",
"properties": {
"restriction": {
"$ref": "#/definitions/restriction"
},
"ext-restriction": {
"type": "string"
},
"System": {},
"Address": {},
"DomainData": {
"$ref": "#/definitions/DomainData"
},
"EmailData": {},
"Service": {
"$ref": "#/definitions/Service"
},
"WindowsRegistryKeysModified": {},
"FileData": {
"$ref": "#/definitions/FileData"
},
"CertificateData": {
"$ref": "#/definitions/CertificateData"
},
"RegistryHandle": {},
"Record": {
"$ref": "#/definitions/Record"
},
"EventData": {},
"Incident": {},
"Expectation": {
"$ref": "#/definitions/Expectation"
},
"Reference": {
"$ref": "#/definitions/Reference"
},
"Assessment": {},
"DetectionPattern": {},
"HistoryItem": {},
"BulkObservable": {
"type": "string"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
},
"BulkObservable": {
"type": "object",
"properties": {
"type": {},
"ext-type": {},
"BulkObservableFormant": {},
"BulkObservableList": {
"type": "string"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
},
"BulkObservableFormat": {
"type": "object",
"properties": {
"Hash": {
"$ref": "#/definitions/Hash"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
},
"IndicatorExpression": {
"type": "object",
"properties": {
"operator": {},
"ext-operator": {
"type": "string"
},
"IndicatorExpression": {
"$ref": "#/definitions/IndicatorExpression"
},
"Observable": {},
"ObservableReference": {
"$ref": "#/definitions/ObservableReference"
},
"IndicatorReference": {
"$ref": "#/definitions/IndicatorReference"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
},
"ObservableReference": {
"type": "object",
"properties": {
"uid-ref": {}
},
"required": [
"uid-ref"
],
"additionalProperties": false
},
"IndicatorReference": {
"type": "object",
"properties": {
"uid-ref": {},
"euid-ref": {
"type": "string"
},
"version": {
"type": "string"
}
},
"required": [],
"additionalProperties": false
},
"AttackPhase": {
"type": "object",
"properties": {
"AttackPhaseID": {
"type": "string"
},
"URL": {
"$ref": "#/definitions/URLtype"
},
"Description": {
"type": "string"
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [],
"additionalProperties": false
}
},
"title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class",
"type": "object",
"properties": {
"version": {
"type": "string"
},
"lang": {
"$ref": "#/definitions/lang"
},
"format-id": {
"type": "string"
},
"private-enum-name": {
"type": "string"
},
"private-enum-id": {
"type": "string"
},
"Incidents": {
"type": "array",
"items": {
"$ref": "#/definitions/Incident"
}
},
"AdditionalData": {
"type": "array",
"items": {
"$ref": "#/definitions/ExtensionType"
}
}
},
"required": [
"version",
"Incidents"
],
"additionalProperties": false
}
Figure 64: JSON schema
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["type"],
"additionalProperties": false},
"TimeImpact": {
"type": "object",
"properties": {
"value": {"type": "number"},
"severity": {"enum": ["low","medium","high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
"ext-metric": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"},
"ext-duration": {"type": "string"}},
"required": ["metric"],
"additionalProperties": false},
"MonetaryImpact": {
"type": "object",
"properties": {
"value": {"type": "number"},
"severity": {"enum":["low","medium","high"]},
"currency": {"type": "string"}},
"required": [],
"additionalProperties": false},
"Confidence": {
"type": "object",
"properties": {
"value": {"type": "number"},
"rating": {
"enum": ["low","medium","high","numeric","unknown","ext-value"]},
"ext-rating": {"type":"string"}},
"required": ["rating"],
"additionalProperties": false},
"History": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"HistoryItem": {
"type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
"required": ["HistoryItem"],
"additionalProperties": false},
"HistoryItem": {
"type": "object",
"properties": {
"action": {"$ref": "#/definitions/action"},
"ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"},
"Description": {"type": "array","items": {"type": "string"}},
"DefinedCOA": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime","action"],
"additionalProperties": false},
"EventData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}},
"DetectTime": {"type": "string"},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"RecoveryTime": {"type": "string"},
"ReportTime": {"type": "string"},
"Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {"$ref": "#/definitions/Assessment"},
"Method": {
"type": "array","items": {"$ref": "#/definitions/Method"}},
"System": {
"type": "array","items": {"$ref": "#/definitions/System"}},
"Expectation": {
"type": "array","items": {"$ref": "#/definitions/Expectation"}},
"Record": {"$ref": "#/definitions/Record"},
"EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["ReportTime"],
"additionalProperties": false},
"Expectation": {
"type": "object",
"properties": {
"action": {"$ref":"#/definitions/action"},
"ext-action": {"type": "string"},
"severity": {"enum": ["low","medium","high"]},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}},
"DefinedCOA": {"type": "array","items": {"type": "string"}},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"Contact": {"$ref": "#/definitions/Contact"}},
"required": [],
"additionalProperties": false},
"System": {
"type": "object",
"properties": {
"category": {
"enum": ["source","target","intermediate","sensor","infrastructure",
"ext-value"]},
"ext-category": {"type": "string"},
"interface": {"type": "string"},
"spoofed": {"enum": ["unknown","yes","no"]},
"virtual": {"enum": ["yes","no","unknown"]},
"ownership": {
"enum":["organization","personal","partner","customer",
"no-relationship","unknown","ext-value"]},
"ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Node": {"$ref": "#/definitions/Node"},
"NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"Service": {
"type": "array","items": {"$ref": "#/definitions/Service"}},
"OperatingSystem": {
"type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
"Counter": {
"type": "array","items": {"$ref": "#/definitions/Counter"}},
"AssetID": {"type": "array","items": {"type": "string"}},
"Description": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"],
"additionalProperties": false},
"Node": {
"type": "object",
"properties": {
"DomainData": {
"type": "array","items": {"$ref": "#/definitions/DomainData"}},
"Address": {
"type": "array","items": {"$ref": "#/definitions/Address"}},
"PostalAddress": {"type": "string"},
"Location": {"type": "array","items": {"type": "string"}},
"Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
"required": [],
"additionalProperties": false},
"Address": {
"type": "object",
"properties": {
"value": {"type": "string"},
"category": {
"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
"ipv6-net-masked","mac","site-url","ext-value"]},
"ext-category": {"type": "string"},
"vlan-name": {"type": "string"},
"vlan-num": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["category"],
"additionalProperties": false},
"NodeRole": {
"type": "object",
"properties": {
"category": {
"enum":["client","client-enterprise","client-partner","client-remote",
"client-kiosk","client-mobile","server-internal",
"server-public","www","mail","webmail","messaging",
"streaming","voice","file","ftp","p2p","name","directory",
"credential","print","application","database","backup",
"dhcp","assessment","source-control","config-management",
"monitoring","infra","infra-firewall","infra-router",
"infra-switch","camera","proxy","remote-access","log",
"virtualization","pos", "scada", "scada-supervisory",
"sinkhole","honeypot","anonymization","c2-server",
"malware-distribution","drop-server","hop-point","reflector",
"phishing-site","spear-phishing-site","recruiting-site",
"fraudulent-site","ext-value"]},
"ext-category": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["category"],
"additionalProperties": false},
"Counter": {
"type": "object",
"properties": {
"value": {"type": "string"},
"type": {"enum": ["count","peak","average","ext-value"]},
"ext-type": {"type": "string"},
"unit": {"enum": ["byte","mbit","packet","flow","session","alert",
"message","event","host","site","organization","ext-value"]},
"ext-unit": {"type": "string"},
"meaning": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"},
"ext-duration": {"type": "string"}},
"required": ["type","unit"],
"additionalProperties": false},
"DomainData": {
"type": "object",
"properties": {
"system-status": {
"enum": ["spoofed","fraudulent","innocent-hacked",
"innocent-hijacked","unknown","ext-value"]},
"ext-system-status": {"type": "string"},
"domain-status": {
"enum": [
"reservedDelegation","assignedAndActive","assignedAndInactive",
"assignedAndOnHold","revoked","transferPending","registryLock",
"registrarLock","other","unknown","ext-value"]},
"ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"},
"DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
"RegistrationDate": {"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"NameServers": {
"type": "array","items": {"$ref": "#/definitions/NameServers"}},
"DomainContacts": {
"type": "array","items": {"$ref": "#/definitions/DomainContacts"}}},
"required": ["Name","system-status","domain-status"],
"additionalProperties": false},
"NameServers": {
"type": "object",
"properties": {
"Server": {"type": "string"},
"Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
"required": ["Server","Address"],
"additionalProperties": false},
"DomainContacts": {
"type": "object",
"properties": {
"SameDomainContact": {"type": "string"},
"Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
"required": ["Contact"],
"additionalProperties": false},
"Service": {
"type": "object",
"properties": {
"ip-protocol": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "integer"},
"Portlist": {"$ref": "#/definitions/PORTLIST"},
"ProtoCode": {"type": "integer"},
"ProtoType": {"type": "integer"},
"ProtoField": {"type": "integer"},
"ApplicationHeader": {"$ref": "#/definitions/ApplicationHeader"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [],
"additionalProperties": false},
"ServiceName": {
"type": "object",
"properties": {
"IANAService": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}}},
"required": [],
"additionalProperties": false},
"ApplicationHeader": {
"type": "object",
"properties": {
"ApplicationHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
"required": ["ApplicationHeaderField"],
"additionalProperties": false},
"EmailData": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": {"type": "array","items": {"type": "string"}},
"EmailFrom": {"type": "string"},
"EmailSubject": {"type": "string"},
"EmailX-Mailer": {"type": "string"},
"EmailHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"},
"HashData": {
"type": "array","items": {"$ref": "#/definitions/HashData"}},
"SignatureData": {
"type": "array","items": {"$ref": "#/definitions/SignatureData"}}},
"required": [],
"additionalProperties": false},
"Record":{
"type": "object",
"properties":{
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"RecordData": {
"type": "array","items": {"$ref": "#/definitions/RecordData"}}},
"required":["RecordData"],
"additionalProperties": false},
"RecordData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": {"type": "array","items": {"type": "string"}},
"Application": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": {
"type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
"RecordItem": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"FileData": {
"type": "array","items": {"$ref": "#/definitions/FileData"}},
"WindowsRegistryKeysModified": {
"type": "array",
"items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
"CertificateData": {
"type": "array","items": {"$ref": "#/definitions/CertificateData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false
},
"RecordPattern": {
"type": "object",
"properties": {
"value": {"type": "string"},
"type": {"enum": ["regex","binary","xpath","ext-value"]},
"ext-type": {"type": "string"},
"offset": {"type": "integer"},
"offsetunit": {"enum":["line","byte","ext-value"]},
"ext-offsetunit": {"type": "string"},
"instance": {"type": "integer"}},
"required": ["type"],
"additionalProperties": false},
"WindowsRegistryKeysModified": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
"required": ["Key"],
"additionalProperties": false},
"Key": {
"type": "object",
"properties": {
"registryaction": {"enum": ["add-key","add-value","delete-key",
"delete-value","modify-key","modify-value",
"ext-value"]},
"ext-registryaction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"KeyName": {"type":"string"},
"KeyValue": {"type": "string"}},
"required": ["KeyName"],
"additionalProperties": false},
"CertificateData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Certificate": {
"type": "array","items": {"$ref": "#/definitions/Certificate"}}},
"required": ["Certificate"],
"additionalProperties": false},
"Certificate": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"X509Data": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["X509Data"],
"additionalProperties": false},
"FileData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
"required": ["File"],
"additionalProperties": false},
"File": {
"type": "object",
"properties": {
"FileName": {"type": "string"},
"FileSize": {"type": "integer"},
"FileType": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"HashData": {"$ref": "#/definitions/HashData"},
"SignatureData": {"$ref": "#/definitions/SignatureData"},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
"required": [],
"additionalProperties": false},
"HashData": {
"type": "object",
"properties": {
"scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
"file-pe-resource","file-pdf-object","email-hash",
"email-hash-header","email-hash-body"]},
"HashTargetID": {"type": "string"},
"Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
"FuzzyHash": {
"type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
"required": ["scope"],
"additionalProperties": false},
"Hash": {
"type": "object",
"properties": {
"DigestMethod": {"type": "string"},
"DigestValue": {"type": "string"},
"CanonicalizationMethod": {},
"Application": {"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod","DigestValue"],
"additionalProperties": false},
"FuzzyHash": {
"type": "object",
"properties": {
"FuzzyHashValue": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"],
"additionalProperties": false},
"SignatureData": {
"type": "object",
"properties": {
"Signature": {"type": "array","items": {"type": "string"}}},
"required": ["Signature"],
"additionalProperties": false},
"Indicator": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": {
"type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
"Description": {"type": "array","items": {"type": "string"}},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"Observable": {"$ref": "#/definitions/Observable"},
"ObservableReference": {"$ref": "#/definitions/ObservableReference"},
"IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
"IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
"NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"AttackPhase": {
"type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
"Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"],
"additionalProperties": false},
"IndicatorID": {
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"version": {"type": "string"}},
"required": ["name","version"],
"additionalProperties": false},
"AlternativeIndicatorID": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IndicatorReference": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}}},
"required": ["IndicatorReference"],
"additionalProperties": false},
"Observable": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
"Record": {"$ref": "#/definitions/Record"},
"EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"type": "string"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"BulkObservable": {
"type": "object",
"properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
"site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
"domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
"ipv4-port","ipv6-port","windows-reg-key","file-hash",
"email-x-mailer","email-subject","http-user-agent",
"http-request-url","mutex","file-path","user-name",
"ext-value"]},
"ext-type": {"type": "string"},
"BulkObservableFormat": {"$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "string"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"BulkObservableFormat": {
"type": "object",
"properties": {
"Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"IndicatorExpression": {
"type": "object",
"properties": {
"operator": {"enum": ["not","and","or","xor"]},
"ext-operator": {"type": "string"},
"IndicatorExpression": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}},
"Observable": {
"type": "array","items": {"$ref": "#/definitions/Observable"}},
"ObservableReference": {
"type": "array",
"items": {"$ref": "#/definitions/ObservableReference"}},
"IndicatorReference": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"ObservableReference": {
"type": "object",
"properties": {"uid-ref": {"type": "string"}},
"required": ["uid-ref"],
"additionalProperties": false},
"IndicatorReference": {
"type": "object",
"properties": {
"uid-ref": {"type": "string"},
"euid-ref": {"type": "string"},
"version": {"type": "string"}},
"required": [],
"additionalProperties": false},
"AttackPhase": {
"type": "object",
"properties": {
"AttackPhaseID": {"type": "array","items": {"type": "string"}},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false}},
"title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class",
"type": "object",
"properties": {
"version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"},
"private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"},
"Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"],
"additionalProperties": false}
Figure 1: JSON schema
draft-ietf-mile-jsoniodef-00.txt (left column):

6. Acknowledgements

   TBD.

7. IANA Considerations

   This memo includes no request to IANA.

8. Security Considerations

   This memo does not provide any further security considerations than
   the one described in RFC 7970 [RFC7970].

9. References

9.1. Normative References

   [min_ref]  authSurName, authInitials., "Minimal Reference", 2006.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

9.2. Informative References

   [DOMINATION]
              Mad Dominators, Inc., "Ultimate Plan for Taking Over the
              World", 1984, <http://www.example.com/dominator.html>.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999,
              <https://www.rfc-editor.org/info/rfc2629>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC

draft-ietf-mile-jsoniodef-01.txt (right column):

7. Acknowledgements

   TBD.

8. IANA Considerations

   This memo includes no request to IANA.

9. Security Considerations

   This memo does not provide any further security considerations than
   the one described in RFC 7970 [RFC7970].

10. References

10.1. Normative References

   [jsonschema]
              "JSON Schema", 2006, <http://json-schema.org/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

10.2. Informative References

   [DOMINATION]
              Mad Dominators, Inc., "Ultimate Plan for Taking Over the
              World", 1984, <http://www.example.com/dominator.html>.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999,
              <https://www.rfc-editor.org/info/rfc2629>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
End of changes. 250 change blocks. 2262 lines changed or deleted, 2113 lines changed or added.

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/