MILE                                                        T. Takahashi
Internet-Draft                                                 M. Suzuki
Intended status: Standards Track                                    NICT
Expires: March 30, May 14, 2018                               September 26,                                  November 10, 2017

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-00
                      draft-ietf-mile-jsoniodef-01

Abstract

   RFC 7970 [RFC7970] provides XML-based data representation on incident
   information, but the use of the IODEF data model is not limited to
   XML.  JSON representation is sometimes preferred since it is easy to
   handle from certain programming environments.  This draft represents
   the IODEF data model in JSON.  Note that this 00 version draft is
   prepared for the purpose of encouraging discussion on the need for
   JSON representation.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 30, May 14, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3   4
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  The  IODEF Information Model in JSON Data Types  . . . . . . . . . . . . .   4
     2.1.  IODEF-Document Class . . . . . . . . .   4
     2.1.  Integers  . . . . . . . . .   4
     2.2.  Incident Class . . . . . . . . . . . . . . .   4
     2.2.  Real Numbers  . . . . . .   4
     2.3.  Common Attributes . . . . . . . . . . . . . . . .   4
     2.3.  Characters and Strings  . . . .   5
       2.3.1.  restriction Attribute . . . . . . . . . . . . .   4
     2.4.  Multilingual Strings  . . .   5
       2.3.2.  observable-id Attribute . . . . . . . . . . . . . . .   5
     2.4.  IncidentID Class
     2.5.  Binary Strings  . . . . . . . . . . . . . . . . . . . .   6
     2.5.  AlternativeID Class .   5
       2.5.1.  Base64 Bytes  . . . . . . . . . . . . . . . . . .   6
     2.6.  RelatedActivity Class . .   5
       2.5.2.  Hexadecimal Bytes . . . . . . . . . . . . . . . .   6
     2.7.  ThreatActor Class . .   5
     2.6.  Enumerated Types  . . . . . . . . . . . . . . . . . .   7
     2.8.  Campaign Class . .   5
     2.7.  Date-Time String  . . . . . . . . . . . . . . . . . . .   7
     2.9.  Contact Class .   5
     2.8.  Timezone String . . . . . . . . . . . . . . . . . . . . .   7
       2.9.1.  RegistryHandle Class   6
     2.9.  Port Lists  . . . . . . . . . . . . . . . .   8
       2.9.2.  PostalAddress Class . . . . . . .   6
     2.10. Postal Address  . . . . . . . . . .   8
       2.9.3.  Email Class . . . . . . . . . . .   6
     2.11. Telephone Number  . . . . . . . . . .   8
       2.9.4.  Telephone Class . . . . . . . . . .   6
     2.12. Email String  . . . . . . . . .   9
     2.10. Discovery Class . . . . . . . . . . . . .   6
     2.13. Uniform Resource Locator Strings  . . . . . . . .   9
       2.10.1.  DetectionPattern Class . . . .   6
     2.14. Identifiers and Identifier References . . . . . . . . . .   7
     2.15. Software  .   9
     2.11. Method Class . . . . . . . . . . . . . . . . . . . . . .   9
       2.11.1.  Reference Class .   7
     2.16. StructuredInfo  . . . . . . . . . . . . . . . . .  10
     2.12. Assessment Class . . . .   7
   3.  The IODEF Information Model in JSON . . . . . . . . . . . . .   8
     3.1.  IODEF-Document Class  . . .  10
       2.12.1.  SystemImpact Class . . . . . . . . . . . . . . .   8
     3.2.  Incident Class  . .  10
       2.12.2.  BusinessImpact Class . . . . . . . . . . . . . . . .  10
       2.12.3.  TimeImpact Class . . .   8
     3.3.  Common Attributes . . . . . . . . . . . . . . .  11
       2.12.4.  MonetaryImpact Class . . . . .   9
       3.3.1.  restriction Attribute . . . . . . . . . . .  11
       2.12.5.  Confidence Class . . . . .   9
       3.3.2.  observable-id Attribute . . . . . . . . . . . . .  11
     2.13. History Class . .   9
     3.4.  IncidentID Class  . . . . . . . . . . . . . . . . . . . .  11
       2.13.1.  HistoryItem   9
     3.5.  AlternativeID Class . . . . . . . . . . . . . . . . .  12
     2.14. EventData Class . . .  10
     3.6.  RelatedActivity Class . . . . . . . . . . . . . . . . . .  12
     2.15. Expectation  10
     3.7.  ThreatActor Class . . . . . . . . . . . . . . . . . . . .  13
     2.16. System  11
     3.8.  Campaign Class  . . . . . . . . . . . . . . . . . . . . . .  13
     2.17. Node  11
     3.9.  Contact Class . . . . . . . . . . . . . . . . . . . . . . .  13
       2.17.1.  Address  11
       3.9.1.  RegistryHandle Class  . . . . . . . . . . . . . . . . . . .  14
       2.17.2.  NodeRole  12
       3.9.2.  PostalAddress Class . . . . . . . . . . . . . . . . .  12
       3.9.3.  Email Class . .  14
       2.17.3.  Counter Class . . . . . . . . . . . . . . . . . . .  14
     2.18. DomainData  12
       3.9.4.  Telephone Class . . . . . . . . . . . . . . . . . . . .  14
       2.18.1.  Nameserver  13
     3.10. Discovery Class . . . . . . . . . . . . . . . . . .  15
       2.18.2.  DomainContacts Class . . .  13
       3.10.1.  DetectionPattern Class . . . . . . . . . . . . . . .  15
     2.19. Service  14
     3.11. Method Class  . . . . . . . . . . . . . . . . . . . . . .  15
       2.19.1.  ServiceName  14
       3.11.1.  Reference Class  . . . . . . . . . . . . . . . . .  16
       2.19.2.  ApplicationHeader .  15
     3.12. Assessment Class  . . . . . . . . . . . . . .  16

     2.20. EmailData Class . . . . . .  15
       3.12.1.  SystemImpact Class . . . . . . . . . . . . . . . .  16
     2.21. Record .  15
       3.12.2.  BusinessImpact Class . . . . . . . . . . . . . . . .  16
       3.12.3.  TimeImpact Class . . . . . .  16
       2.21.1.  RecordPattern Class . . . . . . . . . . . .  16
       3.12.4.  MonetaryImpact Class . . . .  17
     2.22. WindowsRegistryKeysModified Class . . . . . . . . . . . .  17
       2.22.1.  Key
       3.12.5.  Confidence Class . . . . . . . . . . . . . . . . . .  17
     3.13. History Class . . . .  17
     2.23. CertificateData Class . . . . . . . . . . . . . . . . . .  17
       2.23.1.  Certificate
       3.13.1.  HistoryItem Class  . . . . . . . . . . . . . . . . .  18
     2.24. FileData
     3.14. EventData Class . . . . . . . . . . . . . . . . . . . . .  18
       2.24.1.  File
     3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . .  19
     2.25. HashData
     3.16. System Class  . . . . . . . . . . . . . . . . . . . . . .  19
       2.25.1.  Hash
     3.17. Node Class  . . . . . . . . . . . . . . . . . . . . .  19
       2.25.2.  FuzzyHash . .  20
       3.17.1.  Address Class  . . . . . . . . . . . . . . . . . .  19
     2.26. SignatureData .  20
       3.17.2.  NodeRole Class . . . . . . . . . . . . . . . . . . .  20
     2.27. Indicator
       3.17.3.  Counter Class  . . . . . . . . . . . . . . . . . . .  21
     3.18. DomainData Class  . . . .  20
       2.27.1.  IndicatorID . . . . . . . . . . . . . . . .  21
       3.18.1.  Nameserver Class . . . . . . . . . . . . . . . . .  20
       2.27.2.  AlternativeIndicatorID .  22
       3.18.2.  DomainContacts Class . . . . . . . . . . . .  21
       2.27.3.  Observable . . . .  22
     3.19. Service Class . . . . . . . . . . . . . . . . . .  21
       2.27.4.  IndicatorExpression . . . .  22
       3.19.1.  ServiceName Class  . . . . . . . . . . . . .  21
       2.27.5.  ObservableReference . . . .  23
       3.19.2.  ApplicationHeader Class  . . . . . . . . . . . . .  22
       2.27.6.  IndicatorReference .  23
     3.20. EmailData Class . . . . . . . . . . . . . .  22
       2.27.7.  AttackPhase . . . . . . .  23
     3.21. Record Class  . . . . . . . . . . . . . . . . .  22
   3.  Notable differences from RFC 7970 (to be deleted) . . . . .  24
       3.21.1.  RecordData Class .  22
   4.  Examples . . . . . . . . . . . . . . . . .  24
       3.21.2.  RecordPattern Class  . . . . . . . . .  22
     4.1.  Minimal Example . . . . . . .  25
     3.22. WindowsRegistryKeysModified Class . . . . . . . . . . . .  25
       3.22.1.  Key Class  . .  23
     4.2.  Indicators from a Campaign . . . . . . . . . . . . . . .  23
   5.  The IODEF Data Model (JSON Schema) . . . .  25
     3.23. CertificateData Class . . . . . . . . .  25
   6.  Acknowledgements . . . . . . . . .  26
       3.23.1.  Certificate Class  . . . . . . . . . . . . .  58
   7.  IANA Considerations . . . .  26
     3.24. FileData Class  . . . . . . . . . . . . . . . . .  59
   8.  Security Considerations . . . .  27
       3.24.1.  File Class . . . . . . . . . . . . . . .  59
   9.  References . . . . . .  27
     3.25. HashData Class  . . . . . . . . . . . . . . . . . . .  59
     9.1.  Normative References . .  27
       3.25.1.  Hash Class . . . . . . . . . . . . . . . .  59
     9.2.  Informative References . . . . .  28
       3.25.2.  FuzzyHash Class  . . . . . . . . . . . .  59
   Authors' Addresses . . . . . .  28
     3.26. SignatureData Class . . . . . . . . . . . . . . . . .  60

1.  Introduction

   RFC 7970 [RFC7970] defines an data model for sharing incident
   information.  It facilitates automated exchange of information among
   parties over networks.  The data model can be implemented in a form
   of XML, but it is not always suitable for implementation.  JSON-based
   representation is often useful.

   Therefore, in this document, we provide a means to . .  28
     3.27. Indicator Class . . . . . . . . . . . . . . . . . . . . .  29
       3.27.1.  IndicatorID Class  . . . . . . . . . . . . . . . . .  30
       3.27.2.  AlternativeIndicatorID Class . . . . . . . . . . . .  30
       3.27.3.  Observable Class . . . . . . . . . . . . . . . . . .  30
       3.27.4.  BulkObservable Class . . . . . . . . . . . . . . . .  31
       3.27.5.  BulkObservableFormat Class . . . . . . . . . . . . .  31
       3.27.6.  IndicatorExpression Class  . . . . . . . . . . . . .  32
       3.27.7.  ObservableReference Class  . . . . . . . . . . . . .  32
       3.27.8.  IndicatorReference Class . . . . . . . . . . . . . .  32
       3.27.9.  AttackPhase Class  . . . . . . . . . . . . . . . . .  33
   4.  Notable differences from RFC 7970 (to be deleted) . . . . . .  33
   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  33
     5.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . .  33
     5.2.  Indicators from a Campaign  . . . . . . . . . . . . . . .  34
   6.  The IODEF Data Model (JSON Schema)  . . . . . . . . . . . . .  36
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  55
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  55
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  55
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  55
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  55
     10.2.  Informative References . . . . . . . . . . . . . . . . .  56
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  56

1.  Introduction

   RFC 7970 [RFC7970] defines an data model for sharing incident
   information.  It facilitates automated exchange of information among
   parties over networks.  The data model can be implemented in a form
   of XML, but it is not always suitable for implementation.  JSON-based
   representation is often useful.

   Therefore, in this document, we provide a means to represent IODEF
   data model in JSON.

1.1.  Requirements Language JSON.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

   The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the
   JSON IODEF, with some syntax changes for some of the types.

2.1.  Integers

   An integer is represented in the information model by the INTEGER
   data type.  Integer data MUST be encoded in Base 10, and is
   implemented as an "integer" type per JSON schema [jsonschema].

2.2.  Real Numbers

   A real (floating-point) number is represented in the information
   model by the REAL data type.  Real data MUST be encoded in Base 10,
   and is implemented in the data model as an "number" type per JSON
   schema [jsonschema].

2.3.  Characters and Strings

   A single character is represented in the information model by the
   CHARACTER data type.  A string is represented by the STRING data
   type.  Special characters MUST be encoded using entity references.The
   CHARACTER and STRING data types are implemented in the data model as
   an "string" type per JSON schema [jsonschema].

2.4.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different than the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as an object with "value", "lang", and "translation-id"
   elements as defined in Section 6.  Examples are shown below.

   "MLStringType": {
     "value": "free-form text",                              //STRING
     "lang": "en",                                             //ENUM
     "translation-id": "jp2en0023"                           //STRING
   }

2.5.  Binary Strings

2.5.1.  Base64 Bytes

   A binary octet encoded with base64 is represented in the information
   model by the BYTE data type.  A sequence of these octets is of the
   BYTE[] data type.  The BYTE and BYTE[] data types are implemented in
   the data model as an "string" type per JSON schema [jsonschema].

2.5.2.  Hexadecimal Bytes

   A binary octet encoded as a character tuple consistent of two
   hexadecimal digits is represented in the information model by the
   HEXBIN data type.  A sequence of these octets is of the HEXBIN[] data
   type.  The HEXBIN and HEXBIN[] data types are implemented in the data
   model as an "string" type per JSON schema [jsonschema].

2.6.  Enumerated Types

   An enumerated type is represented in the information model by the
   ENUM data type.  It is an ordered list of acceptable string values.
   Each value has a representative keyword.  The ENUM data type is
   implemented in the data model as values of an enum array per JSON
   schema [jsonschema].

2.7.  Date-Time String

   A date-time string that describes a particular instant in time is
   represented in the information model by the DATETIME data type.
   Ranges are not supported.  The DATETIME data type is implemented in
   the data model as an "string" type per JSON schema [jsonschema].

2.8.  Timezone String

   A timezone offset from UTC is represented in the information model by
   the TIMEZONE data type.  It is formatted according to the following
   regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".  The
   TIMEZONE data type is implemented in the data model as an "string"
   type per JSON schema [jsonschema].

2.9.  Port Lists

   A list of network ports is represented in the information model by
   the PORTLIST data type.  A PORTLIST consists of a comma-separated
   list of numbers and ranges (N-M means ports N through M, inclusive).
   It is formatted according to the following regular expression:
   "\d+(\-\d+)?(,\d+(\-\d+)?)*".  For example,
   "2,5-15,30,32,40-50,55-60".  The PORTLIST data type is implemented in
   the data model as an "string" type per JSON schema [jsonschema]

2.10.  Postal Address

   A postal address is represented in the information model by the
   POSTAL data type.  The format of the POSTAL data type is documented
   in Section 2.23 of [RFC4519] as a free-form multi-line string
   separated by the "$" character.  The POSTAL data type is implemented
   in the data model as the aforementioned ML_STRING type.

2.11.  Telephone Number

   A telephone number is represented in the information model by the
   PHONE data type.  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", format of the PHONE data type is documented in
   [E.164].  The PHONE data type is implemented in the data model as an
   "string" type per JSON schema [jsonschema].

2.12.  Email String

   An email address is represented in the information model by the EMAIL
   data type.  The format of the EMAIL data type is documented in
   Section 3.4.1 of [RFC5322] and "OPTIONAL" Section 3.3 of [RFC6531].  The EMAIL
   data type is implemented in this the data model as an "string" type per
   JSON schema [jsonschema].

2.13.  Uniform Resource Locator Strings

   A uniform resource locator (URL) is represented in the information
   model by the URL data type.  The format of the URL data type is
   documented in [RFC3986].

   The URL data type is implemented as an "string" type per JSON schema
   [jsonschema].

2.14.  Identifiers and Identifier References

   An identifier unique to the IODEF document are is represented in the
   information model by the ID data type.  A reference to be interpreted this
   identifier is represented by the IDREF data type.  These data types
   are implemented in the model as an "string" type per JSON schema
   [jsonschema].

2.15.  Software

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a URL, or with free-form text.  The SOFTWARE data
   type is implemented as an object with "SoftwareReference", "URL", and
   "Description" elements as defined in RFC 2119 [RFC2119].

2. Section 6.  Examples are shown
   below.

   "SoftwareType": {
     "SoftwareReference": {...},                  //SoftwareReference
     "Description": {"value":"MS Windows"},       //ML_STRING
   }

2.16.  StructuredInfo

   Information provided in a form of structured string, such as ID, or
   structured information, such as XML documents, is represented in the
   information model by the StructuredInfo data type.  Note that this
   type was originally specified in RFC7203.  The StructuredInfo data
   type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", "Reference" elements.  An example for
   embedding a structured ID is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                                          //ENUM
     "ContentID": "CVE-2007-5000",                           //STRING
   }

   When embedding the raw data, base64 conversion should be used for
   encoding the data, as shown below.

   "StructuredInformation": {
     "SpecID": "oval",                                         //ENUM
     "RawData": "<<<strings encoded with base64>>>",         //STRING
   }

3.  The IODEF Information Model in JSON

   The data model of IODEF is defined in RFC 7970 [RFC7970], and this
   section illustrates their representations in JSON.  Note that the
   complete JSON schema is defined in Section 5.

2.1. 6.

3.1.  IODEF-Document Class

   The IODEF-Document

   This class is the top level class in the IODEF data model.  This  Its class is defined in Section 3.1 of RFC 7970 [RFC7970]
   and has the following fields: "version", "lang", "format-id",
   "private-enum-name", "private-enum-id", "Incident",
   elements and
   "AdditionalData".  An an example are shown below.  See Section 3.1 of this class in JSON is as follows.
   Note that JSON representation in this draft treats attributes and
   elements of each class defined in RFC 7970
   [RFC7970] equally and is
   agnostic on for the order intended meanings of their appearances. these elements.

   Class elements:

   version, lang?, format-id?, private-enum-name?, private-enum-id?,
   Incident+, AdditionalData*

   Example:

 "IODEF-Document": {
   "version": "2.0", "2.1",                                       //STRING
   "lang": "en",                                             //ENUM
   "format-id": "RFC7970", "RFC7970-json",                                 //STRING
   "Incident": [ ... ]                                   //Incident
 }

                  Figure 1: IODEF-Document Class in JSON

2.2.

3.2.  Incident Class

   The Incident class describes commonly exchanged information when
   reporting or sharing derived analysis from security incidents.  This  Its
   class is defined in elements and an example are shown below.  See Section 3.2 of
   RFC 7970 [RFC7970].  It has [RFC7970] for the
   following fields: "purpose", "lang", "restriction", "ext-
   restriction", "IncidentID", "RelatedActivity", "GenrationTime",
   "Description", "Assessment", "Methods", "Contact", "EventData",
   "IndicatorData", "History", and "AdditionalData".  An example intended meanings of this
   class in JSON is as follows. these elements.

   Class elements:

   purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
   ext-restriction?, observable-id?, IncidentID, AlternativeID?,
   RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
   ReportTime?, GenrationTime?, Description*, Discovery*, Assessment*,
   Method*, Contact+, EventData*, IndicatorData?, History?,
   AdditionalData*

   Example:

   "Incident": {
     "purpose": "reporting",                                   //ENUM
     "lang": "en",                                           //STRING
     "restriction": "green",                                   //ENUM
     "IncidentID": { ... },                        //IncidentID Class
     "RelatedActivity": [ ... ],              //RelatedActivity Class
     "GenerationTime": "2015-10-02T11:18:00-05:00",        //DateTime
     "Description": ["Incident class description field"], [{"value":"Incident in the HQ"}],     //ML_STRING
     "Assessment": [ ... ],                              //Assessment
     "Method": [ ... ],                                      //Method
     "Contact": [ ... ]                                     //Contact
     "EventData": [ ... ],                                //EventData
     "IndicatorData": { ... }                         //IndicatorData
     "History": { ... },                                    //History
     "AdditionalData": [ ... ],                      //AdditionalData
   }

                     Figure 2: Incident Class in JSON

2.3.

3.3.  Common Attributes

   There are a number of recurring attributes used in the information
   model.  They are documented in this section.

2.3.1.

3.3.1.  restriction Attribute

   RFC 7970 [RFC7970] defines the restriction Attribute as one of common
   attributes.  It is defined as below:

"restriction":{"enum": ["public", "partner", "need-to-know", "private",
              "default", "white", "green", "amber", "red", "ext-value"]}

                       Figure 3: restrition in JSON

   Note that you must use "ext-restriction" field (STRING type) when the
   value of "restriction" field is set to "ext-value".  The example on
   the use of the "ext-restriction" field is shown below.

      "restriction": "ext-value"                               // ENUM
      "ext-restriction": "registration required"             // STRING

                     Figure 4: ext-restrition in JSON

2.3.2.

3.3.2.  observable-id Attribute

   RFC 7970 [RFC7970] defines the observable-id attribute as one of
   common attributes.  The value of this attribute is a unique
   identifier
   identifier, in string type, in the scope of the document.It is
   defined as below:

                   "observable-id": {"type": "string"},

                      Figure 5: observable-id in JSON

2.4.

3.4.  IncidentID Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.4
   of RFC 7970 [RFC7970].  It has [RFC7970] for the following fields: "IncidentID", "id", "name", "instance",
   "restriction", and "ext-restriction".  The example below represents
   how to describe this class in JSON. intended meanings of these elements.

   Class elements:

   id, name, instance?, restriction?, ext-restriction?
   Example:

   "IncidentID": {
     "id": "nict20150518-0001",                             // STRING
     "name": "NICT_cert",                                   // STRING
     "instance": "cyberlab"                                 // STRING
     "restriction": "ext-value"                               // ENUM
     "ext-restriction": "registration required"             // STRING
   }

                    Figure 6: IncidentID Class in JSON

2.5.

3.5.  AlternativeID Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.5
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, IncidentID+

   Example:

   "AltervativeID": {
     "restriction": "private",                                 //ENUM
     "IncidentID": [<<<omitted>>>]                       //IncidentID
   }

                   Figure 7: AlternativeID Class in JSON

2.6.

3.6.  RelatedActivity Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.6
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
   Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

   Example:

   "RelatedActivity": {
     "restriction": "private",                                 //ENUM
     "ThreatActor": [ [{...}],                      //ThreatActor
        {
          "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
          "Description": "Aggressive Butterfly"
        }
      ], class
     "Campaign": [ [{...}]                             //Campaign
        {
          "CampaignID": "C-2015-59405",
          "Description": "Orange Giraffe"
        }
      ] class
   }

                  Figure 8: RelatedActivity Class in JSON

2.7.

3.7.  ThreatActor Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.7
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
   AdditionalData*

   Example:

   "ThreatActor": {
     "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",          //STRING
     "Description": "Aggressive Butterfly" {"value":"Aggressive Butterfly"}      //ML_STRING
   }

                    Figure 9: ThreatActor Class in JSON

2.8.

3.8.  Campaign Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.8
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, CampaignID*, URL*, Description*,
   AdditionalData*

   Example:

   "Campaign": {
     "CampaignID": "C-2015-59405",                           //STRING
     "Description": "Orange Giraffe" {"value":"Orange Giraffe"}            //ML_STRING
   }

                     Figure 10: Campaign Class in JSON

2.9.

3.9.  Contact Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.9
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
   ContactName*, ContactTitle*, Description*, RegistryHandle*,
   PostalAddress*, Email*, Telephone*, Timezone?, Contact*,
   AdditionalData*

   Example:

   "Contact": {
                  "type": "organization",
     "role": "creator",                                        //ENUM
     "type": "organization",                                   //ENUM
     "ContactName": "CSIRT {"value":"CSIRT for example.com", example.com"},    //ML_STRING
     "ContactTitle": {"value":"Senior Research Engineer"} //ML_STRING
     "email": {
                    "emailTo": "contact@csirt.example.com"
                  }
                }

                     Figure 11: Contact {...},                                    //Email Class in JSON

2.9.1.
     "Telephone": {...},                            //Telephone Class
     "Timezone": "+09:00"                                  //TIMEZONE
   }

3.9.1.  RegistryHandle Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.9.1
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   handle, registry, ext-registry?

   Example:

   "RegistryHandle": {
                      "RegistryHandleName":
     "handle": "MyAPNIC",                                    //STRING
     "registry": "apnic",                                      //ENUM
   }

                  Figure 12: RegistryHandle Class in JSON

2.9.2.

3.9.2.  PostalAddress Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.9.2
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   type?, ext-type?, PAddress, Description*

   Example:

   "PostalAddress": {
     "type": "mailing",                                        //ENUM
     "PAddress": "184-8795",
         "Description": "4-2-1 Nukui-Kitamachi "1-2-3 Kitamachi Koganei Tokyo, Japan" Japan",     //POSTAL
     "Description": {"value":"Office address"}            //ML_STRING
   },

                  Figure 13: PostalAddress Class in JSON

2.9.3.

3.9.3.  Email Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.9.3
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   type?, ext-type?, EmailTo, Description*

   Example:

   "Email": {
     "type": "direct",                                         //ENUM
     "emailTo": "contact@csirt.example.com" "contact@csirt.example.com",                  //EMAIL
     "Description": {"value":"Administrator's address"}   //ML_STRING
   },

                      Figure 14: Email Class in JSON

2.9.4.

3.9.4.  Telephone Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.9.4
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   type?, ext-type?, TelephoneNumber, Description*

   Example:

   "Telephone": {
     "type": "wired",                                          //ENUM
     "TelephoneNumber": "+81423275862" "+818012345678",                      //PHONE
     "Description": {"value":"Admin's moble"}             //ML_STRING
   },

                    Figure 15: Telephone Class in JSON

2.10.

3.10.  Discovery Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.10
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   source?, ext-source?, restriction?, ext-restriction?, Description*,
   Contact*, DetectionPattern*

   Example:

   "Discovery": {
     "source": "nidps",                                        //ENUM
     "restriction": "need-to-know"                             //ENUM
     "Contact": {...},                                //Contact class
     "DetectionPattern": {
                       "Application": {
                         "Description": "Microsoft Win"
                       } {...},              //DetectionPattern class
     "Description":{"value":"IDS provided an alert"}      //ML_STRING
     }
   }

                    Figure 16: Discovery Class in JSON

2.10.1.

3.10.1.  DetectionPattern Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.10.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Application,
   Description*, DetectionConfiguration*

   Example:

   "DetectionPattern": {
     "Application": { {...},                                 //SOFTWARE
     "Description": "Microsoft Win" {"value":"The specified application
                    needs to be reviewed"},               //ML_STRING
     }
   }

                 Figure 17: DetectionPattern Class in JSON

2.11.

3.11.  Method Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.11
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, Reference*, Description*,
   AttackPattern*, Vulnerability*, Weakness*

   Example:

   "Method": {
     "AttackPattern": {...}                          //StructuredInfo
     "Vulnerability": {} {...}                          //StructuredInfo
   }

                      Figure 18: Method Class in JSON

2.11.1.

3.11.1.  Reference Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.11.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   observable-id?, ReferenceName?, URL*, Description*

   Example:

   "Reference":{
     "URL":"http://www.nict.go.jp"                              //URL
   }

                    Figure 19: Reference Class in JSON

2.12.

3.12.  Assessment Class

   This class is defined in Section 3.12 of RFC 7970 [RFC7970].

   The
   example below represents how to describe this class in JSON. elements and an example are shown below.  See Section 3.12
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   occurence?, restriction?, ext-restriction?, observable-id?,
   IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
   MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
   Cause*, Confidence?, AdditionalData*

   Example:

   "Assessment": {
     "SystemImpact": {...},                      //SystemImpact class
     "BusinessImpact": {
                         "type": "breach-proprietary" {...},                  //BusinessImpact class
     "TimeImpact": {...},                          //TimeImpact class
     "MonetaryImpact": {...},                  //MonetaryImpact class
     "IntendedImpact": {...},                  //IntendedImpact class
     "Counter": "5",                                  //Counter class
     "MitigationFactor": {"value":"Rebooting is required"}//ML_STRING
     "Cause": {"value":"Malware Infection"}               //ML_STRING
     }
   }

                    Figure 20: Assessment Class in JSON

2.12.1.

3.12.1.  SystemImpact Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.12.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   severity?, completion?, type, ext-type?, Description*

   Example:

   "SystemImpact":{
                              "severity":"low",
                              "type":"unknown"
     "severity":"high",                                        //ENUM
     "completion": "successful"                                //ENUM
     "type":"integrity-data"                                   //ENUM
     "Description":{"value":"The web page was falsified"} //ML_STRING
   },

                   Figure 21: SystemImpact Class in JSON

2.12.2.

3.12.2.  BusinessImpact Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.12.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   severity?, ext-severity?, type, ext-type?, Description*

   Example:

   "BusinessImpact": {
     "severity":"medium",                                      //ENUM
     "completion": "successful"                                //ENUM
     "type": "breach-proprietary" "degraded-reputation"                             //ENUM
     "Description":{"value":"The web page was falsified"} //ML_STRING
   }

                  Figure 22: BusinessImpact Class in JSON

2.12.3.

3.12.3.  TimeImpact Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.12.3 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, severity?, metric, ext-metric?, duration?, ext-duration?

   Example:

   "TimeImpact":{
                             "value":"5 hours",
                             "metric":"elapsed"
     "time": "240"                                             //REAL
     "metric": "elapsed"                                       //ENUM
     "duration": "minutes"                                     //ENUM
   }

                    Figure 23: TimeImpact Class in JSON

2.12.4.

3.12.4.  MonetaryImpact Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.12.4 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

                            "MonetaryImpact":{}

                  Figure 24: MonetaryImpact [RFC7970] for the intended meanings of
   these elements.

   Class in JSON

2.12.5. elements:

   value, severity?, currency?

   Example:

   "MonetaryImpact":{
     "money": "10000",                                         //REAL
     "severity": "medium",                                     //ENUM
     "currency": "USD",                                      //STRING
   }

3.12.5.  Confidence Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.12.5 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, rating, ext-rating?

   Example:

   "Confidence": {
     "value": "5"                                              //REAL
     "rating": "medium"                                        //ENUM
   }

                    Figure 25: Confidence Class in JSON

2.13.

3.13.  History Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.13
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, HistoryItem+

   Example:

   "History": {
     "restriction": "need-to-know"                             //ENUM
     "HistoryItem": {
                   "DateTime": "2015-10-15T11:18:00-05:00",
                   "action": "investigate" ... }                       //HistoryItem class
   },

                     Figure 26: History Class in JSON

2.13.1.

3.13.1.  HistoryItem Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.13.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   action, ext-action?, restriction?, ext-restriction?, observable-id?,
   DateTime, IncidentID?, Contact?, Description*, DefinedCOA*,
   AdditionalData*

   Example:

   "HistoryItem": {
                  "DateTime": "2015-10-15T11:18:00-05:00",
     "action": "investigate"                                   //ENUM
     "restriction": "need-to-know"                             //ENUM
     "DateTime": "2015-10-15T11:18:00-05:00",              //DateTime
     "IncidentID" { ...},                          //IncidentID class
   }

                   Figure 27: HistoryItem Class in JSON

2.14.

3.14.  EventData Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.14
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Description*,
   DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?,
   Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*,
   Record?, EventData*, AdditionalData*

   Example:

   "EventData": {
     "ReportTime": "2016-06-01 18:05:33",
                   "System":
     "Contact": {
                     "category": "source",
                     "Node": ...},                               //Contact class
     "Assessment": {
                       "Address": ...},                         //Assessment class
     "Method": {
                         "category": "ipv4-addr",
                         "AddressValue": "192.228.139.118"
                       },
                       "Location": "OrgID=7"
                     },
                     "Service": ...},                                 //Method class
     "System": {
                       "ip-protocol": 6,
                       "Port": 49183
                     } ... },

                    Figure 28: EventData Class in JSON

2.15.                                //System class
     "Expectation": { ...},                       //Expectation class

3.15.  Expectation Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.15
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   action?, ext-action?, severity?, restriction?, ext-restriction?,
   Description*, DefinedCOA*, StartTime?, EndTime?, Contact?

   Example:

   "Expectation": {
     "action": "investigate"                                   //ENUM
     "severity": "medium"                                      //ENUM
     "restriction": "need-to-know"                             //ENUM
   },

                   Figure 29: Expectation Class in JSON

2.16.

3.16.  System Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.17
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
   ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
   Service*, OperatingSystem*, Counter*, AssetID*, Description*,
   AdditionalData*

   Example:

   "System": {
     "category": "source",                                     //ENUM
     "Node": {
                           "Address": {
                             "category": "ipv4-addr",
                             "AddressValue": "192.228.139.118"
                           },
                           "Location": "OrgID=7" ... },                                    //Node class
     "Service": {
                           "ip-protocol": 6,
                           "Port": 49183
                         }

                      Figure 30: System Class in JSON

2.17. ... },                              //Service class
   },

3.17.  Node Class

   This class is defined in Section 3.18 of RFC 7970 [RFC7970].

   The
   example below represents how to describe this class in JSON. elements and an example are shown below.  See Section 3.18
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   DomainData*, Address*, PostalAddress?, Location*, Counter*

   Example:

   "Node": {
     "Address": {
                             "category": "ipv4-addr",
                             "AddressValue": "192.228.139.118" ... },

                       Figure 31: Node Class in JSON

2.17.1.                              //Address class
     "Location": {"value":"OrgID=7"}                      //ML_STRING
   }

3.17.1.  Address Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.18.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, category, ext-category?, vlan-name?, vlan-num?, observable-id?

   Example:

   "Address": {
     "value": """192.228.139.118",                           //STRING
     "category": "ipv4-addr",
                             "AddressValue": "192.228.139.118"                                  //ENUM
   },

                     Figure 32: Address Class in JSON

2.17.2.

3.17.2.  NodeRole Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.18.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   category, ext-category?, Description*

   Example:

   "NodeRole": {
     "category": "client"                                      //ENUM
     "Description": {"value":"The computer at room A"}    //ML_STRING
   },

                     Figure 33: NodeRole Class in JSON

2.17.3.

3.17.3.  Counter Class

   This

   The class is defined in elements and an example are shown below.  See
   Section 3.18.3 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext-
   duration?

   Example:

   "Counter": {
     "value": "3",                                             //REAL
     "type": "count",                                          //ENUM
     "unit": "packet"                                          //ENUM
     "meaning": {"value":"The number of scan packets
                 are counted"},                           //ML_STRING
   }

                     Figure 34: Counter Class in JSON

2.18.

3.18.  DomainData Class

   This

   The class is defined in elements and an example are shown below.  See Section 3.19
   of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON. [RFC7970] for the intended meanings of these elements.

   Class elements:

   system-status, ext-system-status?, domain-status, ext-domain-status?,
   observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
   ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?

   Example:

   "DomainData": {
     "system-status": "innocent-hacked",                       //ENUM
     "domain-status": "assignedAndInactive",                 //STRING
     "Name": "temp1.nict.go.jp"                              //STRING
   },

                    Figure 35: DomainData Class in JSON

2.18.1.

3.18.1.  Nameserver Class

   This class is defined in Section 3.19.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   Server, Address*

   Example:

   "NameServers": {
     "Server": "vgw.nict.go.jp",                             //STRING
     "Address": {
       "AddressValue": "133.243.18.5",                       //STRING
       "category": "ipv4-addr"                                 //ENUM
     }
   }

                    Figure 36: Nameserver Class in JSON

2.18.2.

3.18.2.  DomainContacts Class

   This class is defined in Section 3.19.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   SameDomainContact?, Contact+

   Example:

   "DomainContacts": {
     "Contact": {
       "role": "user",                                         //ENUM
       "type": "organization"                                  //ENUM
     }
   }

                  Figure 37: DomainContacts Class in JSON

2.19.

3.19.  Service Class

   This class is defined in Section 3.20 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
   ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?,
   Application?
   Example:

   "Service": {
     "ServiceName": {
       "Description": "It seems to be a scan from an infected machine."
     },
     "ip-protocol": 6,                                      //INTEGER
     "Port": 49183                                          //INTEGER
   }

                     Figure 38: Service Class in JSON

2.19.1.

3.19.1.  ServiceName Class

   This class is defined in Section 3.20.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   IANAService?, URL*, Description*

   Example:

"ServiceName": {
  "IANAService": "telnet"                                          //STRING
  "URL": "https://en.wikipedia.org/wiki/Telnet"                    //STRING
  "Description": "It seems to be a scan from an infected machine." //STRING
},

                   Figure 39: ServiceName Class in JSON

2.19.2.

3.19.2.  ApplicationHeader Class

   This class is defined in Section 3.20.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   ApplicationHeaderField+

   Example:

   "ApplicationHeader": {
     "ApplicationHeaderField": {}

                Figure 40: ApplicationHeader
   }

3.20.  EmailData Class

   This class is defined in JSON

2.20.  EmailData Section 3.21 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
   EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
   HashData*, SignatureData*

   Example:

"EmailData":{
  "EmailTo": "user1@example.org"                                 //EMAIL
  "EmailFrom": "user2@example.com"                               //EMAIL
  "EmailSubject": "example email"                               //STRING
  "EmailX-Mailer": "example mailer v1.1.0"                      //STRING
  "EmailBody": "example email"                                  //STRING
}

3.21.  Record Class

   This class is defined in Section 3.21 3.22 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

                                     "EmailData":{}

                    Figure 41: EmailData

   Class in JSON

2.21.  Record elements:

   restriction?, ext-restriction?, RecordData+

   Example:

"Record": {
  "RecordData": {
    "RecordPattern": {
      "type": "regex",                                            //ENUM
      "value": "[0-9][A-Z]"
    }
  },
  "RecordItem": {}
},

3.21.1.  RecordData Class

   This class is defined in Section 3.22.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

                              "Record":

   Class elements:

   restriction?, ext-restriction?, observable-id?, DateTime?,
   Description*, Application?, RecordPattern*, RecordItem*, URL*,
   FileData*, WindowsRegistryKeysModified*, CertificateData*,
   AdditionalData*

   Example:

   "RecordData": {
     "RecordPattern": {
       "type": "regex",
       "value": "[0-9][A-Z]"
     }
   },
                                "RecordItem": {}
                              },

                      Figure 42: Record Class in JSON

2.21.1.

3.21.2.  RecordPattern Class

   This class is defined in Section 3.22.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
   value

   Example:

   "RecordPattern": {
     "type": "regex",
     "value": "[0-9][A-Z]"
   },

                  Figure 43: RecordPattern Class in JSON

2.22.

3.22.  WindowsRegistryKeysModified Class

   This class is defined in Section 3.23 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, Key+

   Example:

"WindowsRegistryKeysModified": {
  "Key": {
    "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",                      //STRING
    "KeyName":"HKEY_LOCAL_MACHINExxxxxxx",                      //STRING
  }
}

           Figure 44: WindowsRegistryKeysModified Class in JSON

2.22.1.

3.22.1.  Key Class

   This class is defined in Section 3.23.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   registryaction?, ext-registryaction?, observable-id?, KeyName,
   KeyValue?

   Example:

   "Key": {
     "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",              //STRING
     "KeyName":"HKEY_LOCAL_MACHINExxxxxxx",              //STRING
   }

                       Figure 45: Key Class in JSON

2.23.

3.23.  CertificateData Class

   This class is defined in Section 3.24 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Certificate+

   Example:

   "CertificateData": {
     "Certificate": {
       "X509Data": {
                  "X509IssuerSerial": {
                    "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP",
                    "X509SerialNumber": "12345678"
                  },
                  "X509SKI": "31d97bd7"
                } "xxxxxxxx"                          //STRING
     }
   }

                 Figure 46: CertificateData Class in JSON

2.23.1.

3.23.1.  Certificate Class

   This class is defined in Section 3.24.1 of RFC 7970 [RFC7970].  The
   X509Data class contains base64 encoded form of X.509 certificate or
   chain as described in Section 4.4.4 of [W3C.XMLSIG].  The example
   below represents how to describe this class in JSON.

   Class elements:

   observable-id?, X509Data, Description*

   Example:

   "Certificate": {
     "X509Data": {
                  "X509IssuerSerial": {
                    "X509IssuerName": "CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP",
                    "X509SerialNumber": "12345678"
                  },
                  "X509SKI": "31d97bd7"
                } "xxxxxxxx"                          //STRING
   }

                   Figure 47: Certificate Class in JSON

2.24.

3.24.  FileData Class

   This class is defined in Section 3.25 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, File+

   Example:

   "FileData": {
     "File": {
       "FileName": "dummy.exe"                         //STRING
     }
   },

                     Figure 48: FileData Class in JSON

2.24.1.

3.24.1.  File Class

   This class is defined in Section 3.25.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
   SignatureData?, AssociatedSoftware?, FileProperties*

   Example:

   "File": {
     "FileName": "dummy.exe"                         //STRING
   }

                       Figure 49: File Class in JSON

2.25.

3.25.  HashData Class

   This class is defined in Section 3.26 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   scope, HashTargetID?, Hash*, FuzzyHash*

   Example:

  "HashData": {
    "scope": "file-contents",                       //ENUM
    "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
      "DigestValue": "xxxxxxxxxxx"                //STRING
    }
  }

                     Figure 50: HashData Class in JSON

2.25.1.

3.25.1.  Hash Class

   This class is defined in Section 3.26.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   DigestMethod, DigestValue, CanonicalizationMethod?, Application?

   Example:

   "Hash": {
     "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
     "DigestValue": "xxxxxxxxxxx"                //STRING
   }

                       Figure 51: Hash Class in JSON

2.25.2.

3.25.2.  FuzzyHash Class

   This class is defined in Section 3.26.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   FuzzyHashValue+, Application?, AdditionalData?

   Example:

   "FuzzyHash": {
     "FuzzyHashValue": {}
   }

                    Figure 52: FuzzyHash Class in JSON

2.26.

3.26.  SignatureData Class

   This class is defined in Section 3.27 of RFC 7970 [RFC7970].  The
   Signature class contains base64 encoded form of signature as
   described in Section 4.2 of [W3C.XMLSIG].  The example below
   represents how to describe this class in JSON.

   Class elements:

   Signature+

   Example:

   "SignatureData": {
     "Signature": "xxxxxxxx"                       //STRING
   }

                  Figure 53: SignatureData Class in JSON

2.27.

3.27.  Indicator Class

   This class is defined in Section 3.29 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
   Description*, StartTime?, EndTime?, Confidence?, Contact*,
   Observable?, ObservableReference?, IndicatorExpression?,
   IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
   AdditionalData*

   Example:

   "Indicator": {
     "IndicatorID": {
       "id": "G90823490",                                    //STRING
       "name": "csirt.example.com",                          //STRING
       "version": "1"                                        //STRING
     },
     "Description": "C2 domains",                         //ML_STRING
     "StartTime": "2014-12-02T11:18:00-05:00",             //Datetime
     "Observable": {
       "BulkObservable": {
         "type": "fqdn"                                        //ENUM
       },
       "BulkObservableList": [
         "kj290023j09r34.example.com",                       //STRING
         "09ijk23jfj0k8.example.net",                        //STRING
         "klknjwfjiowjefr923.example.org",                   //STRING
         "oimireik79msd.example.org"                         //STRIN
       ]
     }
   }

                    Figure 54: Indicator Class in JSON

2.27.1.

3.27.1.  IndicatorID Class

   This class is defined in Section 3.29.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   id, name, version

   Example:

   "IndicatorID": {
     "id": "G90823490",                                    //STRING
     "name": "csirt.example.com",                          //STRING
     "version": "1"
                            },

                   Figure 55: IndicatorID Class in JSON

2.27.2.                                        //STRING
   }

3.27.2.  AlternativeIndicatorID Class

   This class is defined in Section 3.29.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorReference+

   Example:

   "AlternativeIndicatorID": {
     "IndicatorReference": {
       "uid-ref": "xxxxx"
     }
   },

              Figure 56: AlternativeIndicatorID Class in JSON

2.27.3.

3.27.3.  Observable Class

   This class is defined in Section 3.29.3 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, System?, Address?, DomainData?,
   Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
   CertificateData?, RegistryHandle?, RecordData?, EventData?,
   Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
   HistoryItem?, BulkObservable?, AdditionalData*

   Example:

   "Observable": {
     "BulkObservable": {
       "type": "fqdn"                                        //ENUM
     },
     "BulkObservableList": [
       "kj290023j09r34.example.com",                       //STRING
       "09ijk23jfj0k8.example.net",                        //STRING
       "klknjwfjiowjefr923.example.org",                   //STRING
       "oimireik79msd.example.org"                         //STRING
     ]
   }

3.27.4.  BulkObservable Class

   This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   type?, ext-type?, BulkObservableFormat?, BulkObservableList,
   AdditionalData*

   Example:

   "BulkObservable": {
     "type": "fqdn"                                        //ENUM
   },
   "BulkObservableList": [
     "kj290023j09r34.example.com",                       //STRING
     "09ijk23jfj0k8.example.net",                        //STRING
     "klknjwfjiowjefr923.example.org",                   //STRING
     "oimireik79msd.example.org"                         //STRING
   ]

3.27.5.  BulkObservableFormat Class

   This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
   The example below represents how to describe this class in JSON.

   Class elements:

   Hash?, AdditionalData*

   Example:

  "BulkObservableFormat": {
    "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
      "DigestValue": "xxxxxxxxxxx"                  //STRING
    }

                    Figure 57: Observable Class in JSON

2.27.4.
  }

3.27.6.  IndicatorExpression Class

   This class is defined in Section 3.29.4 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

                               "IndicatorExpression": {}

               Figure 58: IndicatorExpression

   Class in JSON

2.27.5. elements:

   operator?, ext-operator?, IndicatorExpression*, Observable*,
   ObservableReference*, IndicatorReference*, Confidence?,
   AdditionalData*

   Example:

   "IndicatorExpression": {
     "ObservableReference": {
       "uid-ref": "xxxxx"
     }
   }

3.27.7.  ObservableReference Class

   This class is defined in Section 3.29.6 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   uid-ref

   Example:

   "ObservableReference": {
     "uid-ref": "xxxxx"
   },

               Figure 59: ObservableReference Class in JSON

2.27.6.

3.27.8.  IndicatorReference Class

   This class is defined in Section 3.29.7 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   uid-ref?, euid-ref?, version?

   Example:

   "IndicatorReference": {
     "uid-ref": "xxxxx"
   }

                Figure 60: IndicatorReference Class in JSON

2.27.7.

3.27.9.  AttackPhase Class

   This class is defined in Section 3.29.8 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   AttackPhaseID*, URL*, Description*, AdditionalData*

   Example:

"AttackPhase": {
  "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets." //ML_STRING
}

                   Figure 61: AttackPhase Class in JSON

3.

4.  Notable differences from RFC 7970 (to be deleted)

   o  This document treats attributes and elements of each class defined
      in RFC 7970 [RFC7970] equally and is agnostic on the order of
      their appearances.

   o  Flow class is deleted, and EventData class now has the instance of
      System class.

   o  Record class is deleted, and the link to the Record class are
      directly connected to RecordData class, which is then renamed to
      Record class.

4.

5.  Examples

   This section provides example of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the the only
   way to encode particular information.

4.1.

5.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": 492382,
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ]
       }
     ]
   }

                 Figure 62: JSON representation example 1

4.2.

5.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

{
  "version": "2.0",
  "lang": "en",
  "Incidents": [
    {
      "purpose": "watch",
      "restriction": "green",
      "IncidentID": {
        "id": "897923",
        "name": "csirt.example.com"
      },
      "RelatedActivity": [
        {
          "ThreatActor": [
            {
              "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
              "Description": "Aggressive Butterfly"
            }
          ],
          "Campaign": [
            {
              "CampaignID": "C-2015-59405",
              "Description": "Orange Giraffe"
            }
          ]
        }
      ],
      "GenerationTime": "2015-10-02T11:18:00-05:00",
      "Description": [
        "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
      ],
      "Assessment": [
        {
          "BusinessImpact": {
            "type": "breach-proprietary"
          }
        }
      ],
      "Contacts": [
        {
          "type": "organization",
          "role": "creator",
          "ContactName": "CSIRT for example.com",
          "Email": {
            "emailTo": "contact@csirt.example.com"
          }
        }
      ],
      "IndicatorList": [
        {
          "IndicatorID": {
            "id": "G90823490",
            "name": "csirt.example.com",
            "version": "1"
          },
          "Description": "C2 domains",
          "StartTime": "2014-12-02T11:18:00-05:00",
          "Observable": {
            "BulkObservable": {
              "type": "fqdn"
            },
            "BulkObservableList": [
              "kj290023j09r34.example.com",
              "09ijk23jfj0k8.example.net",
              "klknjwfjiowjefr923.example.org",
              "oimireik79msd.example.org"
            ]

          }
        }
      ]
    }
  ]
}

                 Figure 63: JSON representation example 2

5.

6.  The IODEF Data Model (JSON Schema)

{
         { "$schema": "http://json-schema.org/draft-04/schema#",
  "definitions": {
    "action": {"enum": ["nothing","contact-source-site","contact-target-site",
               "contact-sender", "investigate","block-host","block-network",
               "block-port","rate-limit-host","rate-limit-network",
               "rate-limit-port","redirect-traffic","honeypot",
               "upgrade-software","rebuild-asset","harden-asset",
               "remediate-other","status-triage","status-new-info",
               "watch-and-report","training","defined-coa","ext-value"]},
    "duration": {"enum": ["second","minute","hour","day","month","quarter",
                 "year","ext-value"]},
    "lang": {
               "enum": [
                 "en",
                 "jp"
               ]
             }, {"enum": ["en","jp"]},
    "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
               "ext-value"]},
    "restriction": {
               "enum": [
                 "public",
                 "partner",
                 "need-to-know",
                 "private",
                 "default",
                 "white",
                 "green",
                 "amber",
                 "red",
                 "ext-value"
               ]
             }, {"enum": ["public","partner","need-to-know","private",
                   "default","white","green","amber","red","ext-value"]},
    "status": {"enum": ["new","in-progress","forwarded","resolved","future",
              "ext-value"]},
    "DATETIME": {"type": "string"},
    "PORTLIST": {"type": "string"},
    "URLtype": {
               "type": "string"
             }, {"type": "string"},
    "IDtype": {
               "type": "string"
             }, {"type": "string"},
    "ExtensionType": {
      "type": "object",
      "properties": {
        "name": {
                   "type": "string"
                 }, {"type": "string"},
        "dtype": {
                   "enum": [
                     "boolean",
                     "byte",
                     "bytes",
                     "character",
                     "date-time",
                     "ntpstamp",
                     "integer",
                     "portlist",
                     "real",
                     "string",
                     "file",
                     "path",
                     "frame",
                     "packet",
                     "ipv4-packet",
                     "ipv6-packet",
                     "url",
                     "csv",
                     "winreg",
                     "xml",
                     "ext-value"
                   ]
                 }, {"enum": ["boolean","byte","bytes","character","date-time",
                  "ntpstamp","integer","portlist","real","string","file",
                  "path","frame","packet","ipv4-packet","ipv6-packet","url",
                  "csv","winreg","xml","ext-value"]},
        "ext-dtype": {
                   "type": "string"
                 }, {"type": "string"},
        "meaning": {
                   "type": "string"
                 }, {"type": "string"},
        "formatid": {
                   "type": "string"
                 }, {"type": "string"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"}}},
    "ExtensionTypeList": {
                   "$ref": "#/definitions/IDtype"
                 }

               }
             },
      "type": "array",
      "items": {"$ref": "#/definitions/ExtensionType"}},

    "SoftwareType": {
      "type": "object",
      "properties": {
        "SoftwareReference": {
                   "$ref": "#/definitions/SoftwareReference"
                 }, {"$ref": "#/definitions/SoftwareReference"},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"$ref": "#/definitions/URLtype"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "string"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "SoftwareReference": {
      "type": "object",
      "properties": {
        "value": {
                   "type": "string"
                 }, {"type": "string"},
        "spec-name": {
                   "type": "string"
                 }, {"type": "string"},
        "ext-spec-name": {
                   "type": "string"
                 }, {"type": "string"},
        "dtype": {
                   "type": "string"
                 }, {"type": "string"},
        "ext-dtype": {"type": "string"}},
      "required": ["spec-name"],
      "additionalProperties": false},
    "StructuredInfo": {
      "type": "string"
                 }
               }, "object",
      "properties": {
        "specID": {"type": "string"},
        "ext-specID": {"type": "string"},
        "contentID": {"type": "string"},
        "RawData": {"type": "string"},
        "URL": {"$ref": "#/definitions/URLtype"}},
      "required": [
                 "spec-name"
               ], ["specID"],
      "additionalProperties": false
             }, false},
    "Incident": {
      "title": "Incident",
      "description": "JSON schema for Incident class",
      "type": "object",
      "properties": {
        "purpose": {
                   "enum": [
                     "traceback",
                     "mitigation",
                     "reporting",
                     "watch",
                     "other",
                     "ext-value"
                   ]
                 }, {"$ref": "#/definitions/purpose"},
        "ext-purpose": {
                   "type": "string"
                 }, {"type": "string"},
        "status": {
                   "enum": [
                     "blabla"
                   ]
                 }, {"$ref": "#/definitions/status"},
        "ext-status": {
                   "type": "string"
                 },
                 "lang": {
                   "$ref": "#/definitions/lang"
                 }, {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "IncidentID": {
                   "$ref": "#/definitions/IncidentID"
                 }, {"$ref": "#/definitions/IncidentID"},
        "AlternativeID": {
                   "type": "object"
                 }, {"$ref": "#/definitions/AlternativeID"},
        "RelatedActivity": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/RelatedActivity"
                   }
                 }, "array","items": {"$ref": "#/definitions/RelatedActivity"}},
        "DetectTime": {
                   "type": "string"
                 }, {"type": "string"},
        "StartTime": {
                   "type": "string"
                 }, {"type": "string"},
        "EndTime": {
                   "type": "string"
                 }, {"type": "string"},
        "RecoveryTime": {
                   "type": "string"
                 }, {"type": "string"},
        "ReportTime": {
                   "type": "string"
                 }, {"type": "string"},
        "GenerationTime": {
                   "type": "string"
                 }, {"type": "string"},
        "Description": {
                   "type": "array",
                   "items": {
                     "type": "string"
                   }
                 }, {"type": "array","items": {"type": "string"}},
        "Discovery": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Discovery"
                   }
                 }, "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Assessment"
                   }
                 }, "array","items": {"$ref": "#/definitions/Assessment"}},
        "Methods": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Method"
                   }
                 }, "array","items": {"$ref": "#/definitions/Method"}},
        "Contacts": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Contact"
                   }
                 }, "array","items": {"$ref": "#/definitions/Contact"}},
        "EventData": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/EventData"

                   }
                 }, "array","items": {"$ref": "#/definitions/EventData"}},
        "IndicatorList": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Indicator"
                   },
                 }, "array","items": {"$ref": "#/definitions/Indicator"}},
        "History": {
                   "$ref": "#/definitions/History"
                 }, {"$ref": "#/definitions/History"},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "IncidentID",
                 "GenerationTime",
                 "Contacts",
                 "purpose"
               ], ["IncidentID","GenerationTime","Contacts","purpose"],
      "additionalProperties": false
             }, false},
    "IncidentID": {
      "title": "IncidentID",
      "description": "JSON schema for IncidentID class",
      "type": "object",
      "properties": {
        "id": {
                   "type": "string"
                 }, {"type": "string"},
        "name": {
                   "type": "string"
                 }, {"type": "string"},
        "instance": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": ["name"],
      "additionalProperties": false},
    "AlternativeID": {
      "title": "AlternativeID",
      "description": "JSON schema for AlternativeID class",
      "type": "string"
                 },
                 "restriction": "object",
      "properties": {
                   "$ref": "#/definitions/restriction"
                 },
                 "ext-restriction":
        "IncidentID": {
          "type": "string"
                 }
               }, "array","items":{"$ref": "#/definitions/IncidentID"}},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": [
                 "name"
               ], ["IncidentID"],
      "additionalProperties": false
             }, false},
    "RelatedActivity": {
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "IncidentID": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/IncidentID"
                   }
                 }, "array","items": {"$ref": "#/definitions/IncidentID"}},
        "URL": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/URLtype"
                   }
                 }, "array","items": {"$ref": "#/definitions/URLtype"}},
        "ThreatActor": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/ThreatActor"
                   }
                 }, "array","items": {"$ref": "#/definitions/ThreatActor"}},
        "Campaign": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/Campaign"
                   }
                 }, "array","items": {"$ref": "#/definitions/Campaign"}},
        "IndicatorID": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/IndicatorID"
                   }
                 }, "array","items": {"$ref": "#/definitions/IndicatorID"}},
        "Confidence": {
                   "$ref": "#/definitions/Confidence"
                 }, {"$ref": "#/definitions/Confidence"},
        "Description": { "type": "array",
                   "items": {
                     "type": "string"
                   }
                 }, "array","items": {"type": "string"}},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false
             }, false},
    "ThreatActor": {
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "ThreatActorID": {
                   "type": "string"
                 }, {"type": "array", "items": {"type": "string"}},
        "Description": {
                   "type": "string"
                 }, {"type": "array", "items": {"type": "string"}},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 },
                 "AdditionalData": {
                   "type": {"type": "array", "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref": "#/definitions/URLtype"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false
             }, false},
    "Campaign": {
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "CampaignID": {}, {"type": "array", "items": {"type": "string"}},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {
                   "type": "string"
                 },
                 "AdditionalData": {
                   "type": {"type": "array", "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }
             }, {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
    "Contact": {
      "type": "object",
      "properties": {
        "role": {}, {
          "enum": ["creator","reporter","admin","tech","provider","user",
                   "billing","legal","irt","abuse","cc","cc-irt","leo",
                   "vendor","vendor-support","victim","victim-notified",
                   "ext-value"]},
        "ext-role": {}, {"type": "string"},
        "type": {}, {"enum": ["person","organization","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "ContactName": {}, {"type": "array", "items": {"type": "string"}},
        "ContactTitle": {}, {"type": "array", "items": {"type": "string"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "RegistryHandle": {
          "type": "string"
                 },
                 "RegistryHandle": {}, "array", "items": {"$ref": "#/definitions/RegistryHandle"}},

        "PostalAddress": {}, {
          "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
        "Email": {}, {"type": "array", "items": {"$ref": "#/definitions/Email"}},
        "Telephone": {
                   "$ref": "#/definitions/Telephone"
                 },
          "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
        "Timezone": {}, {"type": "string"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 },
                 "AdditionalData": {
          "type": "array", "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref": "#/definitions/Contact"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "role",
                 "type"
               ], ["role","type"],
      "additionalProperties": false
             }, false},
    "RegistryHandle": {
      "type": "object",
      "properties": {
                 "RegistryHandleName": {},
        "handle": {"type": "string"},
        "registry": {}, {
          "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
                   "ext-value"]},
        "ext-registry": {}
               }, {"type": "string"}},
      "required": [
                 "registry"
               ], ["registry"],
      "additionalProperties": false
             }, false},
    "PostalAddress": {
      "type": "object",
      "properties": {
        "type": {
                   "type": "string"
                 }, {"type": "string"},
        "ext-type": {
                   "type": "string"
                 }, {"type": "string"},
        "PAddress": {
                   "type": "string"
                 }, {"type": "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array", "items": {"type": "string"}}},
      "required": [
                 "PAddress"
               ], ["PAddress"],
      "additionalProperties": false
             }, false},
    "Email": {
      "type": "object",
      "properties": {
        "type": {}, {
          "enum":["direct","hotline","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "EmailTo": {}, {"type": "string"},
        "Description": {
                   "type": "string"
                 }

               }, {"type": "array", "items": {"type": "string"}}},
      "required": [
                 "EmailTo"
               ], ["EmailTo"],
      "additionalProperties": false
             }, false},
    "Telephone": {
      "type": "object",
      "properties": {
        "type": {}, {
          "enum":["wired","mobile","fax","hotline","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "TelephoneNumber": {}, {"type": "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array", "items": {"type": "string"}}},

      "required": [
                 "TelephoneNumber"
               ], ["TelephoneNumber"],
      "additionalProperties": false
             }, false},
    "Discovery": {
      "type": "object",
      "properties": {
        "source": {}, {
          "enum":["nidps","hips","siem","av","third-party-monitoring",
                  "incident","os-log","application-log","device-log",
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
        "ext-source": {}, {"type": "string"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "Description": {
                   "type": "string"
                 }, {"type": "array", "items": {"type": "string"}},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 },
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "DetectionPattern": {
                   "$ref": "#/definitions/DetectionPattern"
                 }
               },
          "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
      "required": [],
      "additionalProperties": false
             }, false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Application": {
                   "$ref": "#/definitions/SoftwareType"
                 }, {"$ref": "#/definitions/SoftwareType"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "DetectionConfiguration": {
          "type": "string"
                 },
                 "DetectionConfiguration": {}
               }, "array", "items": {"type": "string"}}},
      "required": [
                 "Application"
               ], ["Application"],
      "additionalProperties": false
             }, false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "References": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "Description": {"type": "array", "items": {
                     "$ref": "#/definitions/Reference"
                   }
                 },
                 "Description": {"type": "string"}},
        "AttackPattern": {
          "type": "string"
                 },
                 "AttackPattern": {}, "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Vulnerability": {},
                 "Weakness": {},
                 "AdditionalData": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Weakness": {
                     "$ref": "#/definitions/ExtensionType"
                   }

                 }
               },
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},

      "required": [],
      "additionalProperties": false
             }, false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {}, {"type": "string"},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array", "items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false
             }, false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {}, {"enum":["actual","potential"]},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {}, {"type": "array", "items": {"type": "string"}},
        "SystemImpact": {
                   "$ref": "#/definitions/SystemImpact"
                 },
          "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
        "BusinessImpact": {}, {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "TimeImpact": {
                   "$ref": "#/definitions/TimeImpact"
                 },
          "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
        "MonetaryImpact": {
                   "$ref": "#/definitions/MonetaryImpact"
                 },
          "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
        "IntendedImpact": {}, {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "Counter": {
                   "$ref": "#/definitions/Counter"
                 },
          "type": "array", "items": {"$ref": "#/definitions/Counter"}},
        "MitigatingFactor": {},
                 "Cause": {},
                 "Confidence": {
                   "$ref": "#/definitions/Confidence"
                 },
                 "AdditionalData": {
          "type": "array", "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$type": "string"}},
        "Cause": {"type": "array", "items": {"$type": "string"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {}, {
          "enum":["low","medium","high"]},
        "completion": {}, {"enum":["failed","succeeded"]},
        "type": {}, {
          "enum":["takeover-account","takeover-service","takeover-system",
                  "cps-manipulation","cps-damage","availability-data",
                  "availability-account","availability-service",
                  "availability-system","damaged-system","damaged-data",
                  "breach-proprietary","breach-privacy","breach-credential",
                  "breach-configuration","integrity-data",
                  "integrity-configuration","integrity-hardware",
                  "traffic-redirection","monitoring-traffic","monitoring-host",
                  "policy","unknown","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [
                 "type"
               ], ["type"],
      "additionalProperties": false
             }, false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {}, {
          "enum":["none","low","medium","high","unknown","ext-value"]},
        "ext-severity": {}, {"type":"string"},
        "type": {}, {
          "enum":["breach-proprietary","breach-privacy","breach-credential",
                  "loss-of-integrity","loss-of-service","theft-financial",
                  "theft-service","degraded-reputation","asset-damage",
                  "asset-manipulation","legal","extortion","unknown",
                  "ext-value"]},
        "ext-type": {}, {"type": "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [
                 "type"
               ], ["type"],
      "additionalProperties": false

             }, false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {}, {"type": "number"},
        "severity": {}, {"enum": ["low","medium","high"]},
        "metric": {}, {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {}, {"type": "string"},
        "duration": {}, {"$ref":"#/definitions/duration"},
        "ext-duration": {}
               }, {"type": "string"}},
      "required": [
                 "metric"
               ], ["metric"],
      "additionalProperties": false
             }, false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
                 "MonetaryImpactValue": {},
        "value": {"type": "number"},
        "severity": {}, {"enum":["low","medium","high"]},
        "currency": {}
               }, {"type": "string"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "Confidence": {
      "type": "object",
      "properties": {
                 "ConfidenceValue": {},
        "value": {"type": "number"},
        "rating": {}, {
          "enum": ["low","medium","high","numeric","unknown","ext-value"]},
        "ext-rating": {}
               }, {"type":"string"}},
      "required": [
                 "rating"
               ], ["rating"],
      "additionalProperties": false
             }, false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "string"
                 },
                 "HistoryItem": {}

               }, "array","items": {"$ref": "#/definitions/HistoryItem"}}},
      "required": [
                 "HistoryItem"
               ], ["HistoryItem"],
      "additionalProperties": false
             }, false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {}, {"$ref": "#/definitions/action"},
        "ext-action": {}, {"type": "string"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 },
                 "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {}, {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {}, {"$ref": "#/definitions/IncidentID"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 }, {"$ref": "#/definitions/Contact"},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {}, {"type": "array","items": {"type": "string"}},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "DateTime",
                 "action"
               ], ["DateTime","action"],
      "additionalProperties": false
             }, false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "DetectTime": {}, {"type": "string"},
        "StartTime": {}, {"type": "string"},
        "EndTime": {}, {"type": "string"},
        "RecoveryTime": {}, {"type": "string"},
        "ReportTime": {
                   "type": "string"
                 }, {"type": "string"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 },
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
                   "$ref": "#/definitions/Discovery"
                 },
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {}, {"$ref": "#/definitions/Assessment"},
        "Method": {
                   "$ref": "#/definitions/Method"
                 },
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
                   "$ref": "#/definitions/System"
                 },
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
                   "$ref": "#/definitions/Expectation"
                 },
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "Record": {
                   "$ref": "#/definitions/Record"
                 }, {"$ref": "#/definitions/Record"},
        "EventData": {
                   "$ref": "#/definitions/EventData"
                 },
                 "AdditionalData": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "ReportTime"
               ], ["ReportTime"],
      "additionalProperties": false
             }, false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {}, {"$ref":"#/definitions/action"},
        "ext-action": {}, {"type": "string"},
        "severity": {}, {"enum": ["low","medium","high"]},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {}, {"type": "array","items": {"type": "string"}},
        "StartTime": {}, {"type": "string"},
        "EndTime": {}, {"type": "string"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 }
               }, {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": [
                     "source",
                     "target",
                     "intermediate",
                     "sensor",
                     "infrastructure",
                     "ext-value"
                   ]
                 }, ["source","target","intermediate","sensor","infrastructure",
                   "ext-value"]},
        "ext-category": {}, {"type": "string"},
        "interface": {}, {"type": "string"},
        "spoofed": {}, {"enum": ["unknown","yes","no"]},
        "virtual": {}, {"enum": ["yes","no","unknown"]},
        "ownership": {}, {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {}, {"type": "string"},
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Node": {
                   "$ref": "#/definitions/Node"
                 }, {"$ref": "#/definitions/Node"},
        "NodeRole": {
                   "$ref": "#/definitions/NodeRole"
                 },
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},

        "Service": {
                   "$ref": "#/definitions/Service"
                 },
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {}, {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
                   "$ref": "#/definitions/Counter"
                 },
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {}, {"type": "array","items": {"type": "string"}},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "Node"
               ], ["Node"],
      "additionalProperties": false
             }, false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
                   "$ref": "#/definitions/DomainData"
                 },
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
                   "$ref": "#/definitions/Address"
                 },
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {}, {"type": "string"},
        "Location": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "Counter": {
                   "$ref": "#/definitions/Counter"
                 }
               }, {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false
             }, false},
    "Address": {
      "type": "object",
      "properties": {
                 "AddressValue": {},
        "value": {"type": "string"},
        "category": {}, {
           "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                    "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
                    "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {}, {"type": "string"},
        "vlan-name": {}, {"type": "string"},
        "vlan-num": {
                   "type": "integer"
                 }, {"type": "integer"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }
               }, {"$ref": "#/definitions/IDtype"}},
      "required": [
                 "category"
               ], ["category"],
      "additionalProperties": false
             }, false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {}, {
          "enum":["client","client-enterprise","clent-partner","client-remote",
                  "client-kiosk","client-mobile","server-internal",
                  "server-public","www","mail","webmail","messaging",
                  "streaming","voice","file","ftp","p2p","name","directory",
                  "credential","print","application","database","backup",
                  "dhcp","assessment","source-control","config-management",
                  "monitoring","infra","infra-firewall","infra-router",
                  "infra-switch","camera","proxy","remote-access","log",
                  "virtualization","pos", "scada", "scada-supervisory",
                  "sinkhole","honeypot","anomyzation","c2-server",
                  "malware-distribution","drop-server","hot-point","reflector",
                  "phishing-site","spear-phishing-site","recruiting-site",
                  "fraudulent-site","ext-value"]},
        "ext-category": {}, {"type": "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [
                 "category"
               ], ["category"],
      "additionalProperties": false
             }, false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {
                   "type": "string"
                 }, {"type": "string"},
        "type": {}, {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "unit": {}, {"enum": ["byte","mbit","packet","flow","session","alert",
                 "message","event","host","site","organization","ext-value"]},
        "ext-unit": {}, {"type": "string"},
        "meaning": {}, {"type": "string"},
        "duration": {}, {"$ref":"#/definitions/duration"},
        "ext-duration": {}
               }, {"type": "string"}},
      "required": [
                 "type",
                 "unit"
               ], ["type","unit"],
      "additionalProperties": false
             }, false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {}, {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {}, {"type": "string"},
        "domain-status": {}, {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {}, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Name": {}, {"type": "string"},
        "DateDomainWasChecked": {}, {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {}, {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {}, {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {}, {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "NameServers": {
                   "$ref": "#/definitions/NameServers"
                 },
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
                   "$ref": "#/definitions/DomainContacts"
                 }
               },
          "type": "array","items": {"$ref": "#/definitions/DomainContacts"}}},

      "required": [
                 "Name",
                 "system-status",
                 "domain-status"
               ], ["Name","system-status","domain-status"],
      "additionalProperties": false
             }, false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {}, {"type": "string"},
        "Address": {
                   "$ref": "#/definitions/Address"
                 }
               }, {"type": "array","items":{"$ref":"#/definitions/Address"}}},
      "required": [
                 "Server",
                 "Address"
               ], ["Server","Address"],
      "additionalProperties": false
             }, false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {}, {"type": "string"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 }
               }, {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
      "required": [
                 "Contact"
               ], ["Contact"],
      "additionalProperties": false
             }, false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {}, {"type": "integer"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "ServiceName": {}, {"$ref": "#/definitions/ServiceName"},
        "Port": {}, {"type": "integer"},
        "Portlist": {}, {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {}, {"type": "integer"},
        "ProtoType": {}, {"type": "integer"},
        "ProtoField": {}, {"type": "integer"},
        "ApplicationHeader": {}, {"$ref": "#/definitions/ApplicationHeader"},
        "EmailData": {}, {"$ref": "#/definitions/EmailData"},
        "Application": {}
               }, {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {}, {"type": "string"},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false
             }, false},
    "ApplicationHeader": {
      "type": "object",
      "properties": {
        "ApplicationHeaderField": {}
               }, {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [
                 "ApplictionHeaderField"
               ], ["ApplicationHeaderField"],
      "additionalProperties": false
             }, false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {}, {"type": "array","items": {"type": "string"}},
        "EmailFrom": {}, {"type": "string"},
        "EmailSubject": {}, {"type": "string"},
        "EmailX-Mailer": {}, {"type": "string"},
        "EmailHeaderField": {}, {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {}, {"type": "string"},
        "EmailBody": {}, {"type": "string"},
        "EmailMessage": {}, {"type": "string"},
        "HashData": {
                   "$ref": "#/definitions/HashData"
                 },
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "SignatureData": {
                   "$ref": "#/definitions/SignatureData"
                 }
               },
          "type": "array","items": {"$ref": "#/definitions/SignatureData"}}},
      "required": [],
      "additionalProperties": false
             },
             "Record": false},
    "Record":{
      "type": "object",
      "properties":{
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "RecordData": {
          "type": "array","items": {"$ref": "#/definitions/RecordData"}}},
      "required":["RecordData"],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "DateTime": {}, {"$ref": "#/definitions/DATETIME"},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "Applicadtion": {}, {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {}, {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {}, {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 },
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
                   "$ref": "#/definitions/FileData"
                 },
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {},
                 "CertificateData": {
                   "$ref": "#/definitions/CertificateData"
                 },
                 "AdditionalData": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               },
          "type": "array","items": {"$ref": "#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
    },
    "RecordPattern": {
      "type": "object",
      "properties": {
                 "RecordPatternValue": {},
        "value": {"type": "string"},
        "type": {}, {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {}, {"type": "string"},
        "offset": {}, {"type": "integer"},
        "offsetunit": {}, {"enum":["line","byte","ext-value"]},
        "ext-offsetunit": {}, {"type": "string"},
        "instance": {
                   "type": "integer"
                 }
               },
               "required": [
                 "type"
               ], {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false
             }, false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observabile-id": {}, {"$ref": "#/definitions/IDtype"},
        "Key": {}
               }, {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": [
                 "Key"
               ], ["Key"],
      "additionalProperties": false
             }, false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {}, {"enum": ["add-key","add-value","delete-key",
                          "delete-value","modify-key","modify-value",
                          "ext-value"]},
        "ext-registryaction": {}, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "KeyName": {}, {"type":"string"},
        "KeyValue": {}
               }, {"type": "string"}},
      "required": [
                 "KeyName"
               ], ["KeyName"],
      "additionalProperties": false
             }, false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "Certificate": {
                   "$ref": "#/definitions/Certificate"
                 }
               },
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": [
                 "Certificate"
               ], ["Certificate"],
      "additionalProperties": false
             }, false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "X509Data": {}, {type: "string"},
        "Description": {
                   "type": "string"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [
                 "X509Data"
               ], ["X509Data"],
      "additionalProperties": false
             }, false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "observable-id": {
                   "$ref": "#/definitions/IDtype"
                 }, {"$ref": "#/definitions/IDtype"},
        "File": {
                   "$ref": "#/definitions/File"
                 }
               }, {"type": "array","items": {"$ref": "#/definitions/File"}}},
      "required": [
                 "File"
               ], ["File"],
      "additionalProperties": false
             }, false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {
                   "type": "string"
                 }, {"type": "string"},
        "FileSize": {}, {"type": "integer"},
        "FileType": {}, {"type": "string"},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {
                   "$ref": "#/definitions/HashData"
                 }, {"$ref": "#/definitions/HashData"},
        "SignatureData": {
                   "$ref": "#/definitions/SignatureData"
                 }, {"$ref": "#/definitions/SignatureData"},
        "AssociatedSoftware": {}, {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {}
               }, {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false
             }, false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {}, {"enum": ["file-contents","file-pe-section","file-pe-iat",
                 "file-pe-resource","file-pdf-object","email-hash",
                 "email-hash-header","email-hash-body"]},
        "HashTargetID": {}, {"type": "string"},
        "Hash": {
                   "$ref": "#/definitions/Hash"
                 }, {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
                   "$ref": "#/definitions/FuzzyHash"
                 }
               },
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": [
                 "scope"
               ], ["scope"],
      "additionalProperties": false
             }, false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {
                   "type": "string"
                 }, {"type": "string"},
        "DigestValue": {
                   "type": "string"
                 }, {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {}
               }, {"$ref": "#/definitions/SoftwareType"}},

      "required": [
                 "DigestMethod",
                 "DigestValue"
               ], ["DigestMethod","DigestValue"],
      "additionalProperties": false

             }, false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
                   "$ref": "#/definitions/ExtensionType"
                 },
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {}, {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "FuzzyHashValue"
               ], ["FuzzyHashValue"],
      "additionalProperties": false
             }, false},
    "SignatureData": {
      "type": "object",
      "properties": {
        "Signature": {
                   "SignatureValue": "xxxxxxxx",
                   "id": "xxxxxxxx"
                 }
               }, {"type": "array","items": {"type": "string"}}},
      "required": [
                 "Signature"
               ], ["Signature"],
      "additionalProperties": false
             }, false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "IndicatorID": {
                   "$ref": "#/definitions/IndicatorID"
                 }, {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
                   "$ref": "#/definitions/AlternativeIndicatorID"
                 },
                 "Description": {
          "type": "string"
                 }, "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {}, {"$ref": "#/definitions/DATETIME"},
        "EndTime": {}, {"$ref": "#/definitions/DATETIME"},
        "Confidence": {
                   "$ref": "#/definitions/Confidence"
                 }, {"$ref": "#/definitions/Confidence"},
        "Contact": {
                   "$ref": "#/definitions/Contact"
                 },
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {}, {"$ref": "#/definitions/Observable"},
        "ObservableReference": {
                   "$ref": "#/definitions/ObservableReference"
                 }, {"$ref": "#/definitions/ObservableReference"},
        "IndicatorExpression": {
                   "$ref": "#/definitions/IndicatorExpression"
                 }, {"$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {
                   "$ref": "#/definitions/IndicatorReference"
                 }, {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
                   "$ref": "#/definitions/NodeRole"
                 },
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
                   "$ref": "#/definitions/AttackPhase"
                 },
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
                   "$ref": "#/definitions/Reference"
                 },
                 "AdditionalData": {
          "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [
                 "IndicatorID"
               ], ["IndicatorID"],
      "additionalProperties": false
             }, false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {}, {"type": "string"},
        "name": {
                   "type": "string"

                 }, {"type": "string"},
        "version": {
                   "type": "string"
                 }
               }, {"type": "string"}},
      "required": [
                 "name",
                 "version"
               ],
               "additionalProperties": false
             }, ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "IndicatorReference": {
                   "$ref": "#/definitions/IndicatorReference"
                 }
               },
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": [
                 "IndicatorReference"
               ], ["IndicatorReference"],
      "additionalProperties": false
             }, false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {
                   "$ref": "#/definitions/restriction"
                 }, {"$ref": "#/definitions/restriction"},
        "ext-restriction": {
                   "type": "string"
                 }, {"type": "string"},
        "System": {}, {"$ref": "#/definitions/System"},
        "Address": {}, {"$ref": "#/definitions/Address"},
        "DomainData": {
                   "$ref": "#/definitions/DomainData"
                 }, {"$ref": "#/definitions/DomainData"},
        "EmailData": {}, {"$ref": "#/definitions/EmailData"},
        "Service": {
                   "$ref": "#/definitions/Service"
                 }, {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {},
                 "FileData": {
          "$ref": "#/definitions/FileData"
                 }, "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {
                   "$ref": "#/definitions/CertificateData"
                 }, {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {}, {"$ref": "#/definitions/RegistryHandle"},
        "Record": {
                   "$ref": "#/definitions/Record"
                 }, {"$ref": "#/definitions/Record"},
        "EventData": {}, {"$ref": "#/definitions/EventData"},
        "Incident": {}, {"$ref": "#/definitions/Incident"},
        "Expectation": {
                   "$ref": "#/definitions/Expectation"
                 }, {"$ref": "#/definitions/Expectation"},
        "Reference": {
                   "$ref": "#/definitions/Reference"
                 }, {"$ref": "#/definitions/Reference"},
        "Assessment": {}, {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {}, {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {}, {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {
                   "type": "string"
                 }, {"type": "string"},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {}, {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
                 "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
                 "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
                 "ipv4-port","ipv6-port","windows-reg-key","file-hash",
                 "email-x-mailer","email-subject","http-user-agent",
                 "http-request-url","mutex","file-path","user-name",
                 "ext-value"]},
        "ext-type": {},
                 "BulkObservableFormant": {}, {"type": "string"},
        "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {
                   "type": "string"
                 }, {"type": "string"},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }

                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {
                   "$ref": "#/definitions/Hash"
                 }, {"$ref": "#/definitions/Hash"},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {}, {"enum": ["not","and","or","xor"]},
        "ext-operator": {
                   "type": "string"
                 }, {"type": "string"},
        "IndicatorExpression": {
                   "$ref": "#/definitions/IndicatorExpression"
                 },
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {}, {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "ObservableReference": {
                   "$ref": "#/definitions/ObservableReference"
                 },
          "type": "array",
          "items": {"$ref": "#/definitions/ObservableReference"}},
        "IndicatorReference": {
                   "$ref": "#/definitions/IndicatorReference"
                 },
                 "AdditionalData": {
          "type": "array",
         "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }, false},
    "ObservableReference": {
      "type": "object",
      "properties": {
                 "uid-ref": {}
               }, {"uid-ref": {"type": "string"}},
      "required": [
                 "uid-ref"
               ], ["uid-ref"],
      "additionalProperties": false
             }, false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {}, {"type": "string"},
        "euid-ref": {
                   "type": "string"
                 }, {"type": "string"},
        "version": {
                   "type": "string"
                 }
               }, {"type": "string"}},

      "required": [],
      "additionalProperties": false
             }, false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "URL": {
                   "$ref": "#/definitions/URLtype"
                 }, {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {
                   "type": "string"
                 }, {"type": "array","items": {"type": "string"}},
        "AdditionalData": {
                   "type": "array",
                   "items": {
                     "$ref": "#/definitions/ExtensionType"
                   }
                 }
               }, {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
             }
           }, false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {
               "type": "string"
             }, {"type": "string"},
    "lang": {
               "$ref": "#/definitions/lang"
             }, {"$ref": "#/definitions/lang"},
    "format-id": {
               "type": "string"
             }, {"type": "string"},
    "private-enum-name": {
               "type": "string"
             }, {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "string"
             },
             "Incidents": {
               "type": "array",
               "items": {
                 "$ref": "#/definitions/Incident"
               }
             }, "array","items": {"$ref": "#/definitions/Incident"}},
      "AdditionalData": {
               "type": "array",
               "items": {
                 "$ref": "#/definitions/ExtensionType"
               }
             }
           }, {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": [
             "version",
             "Incidents"
           ], ["version","Incident"],
  "additionalProperties": false
         } false}

                           Figure 64: 1: JSON schema

6.

7.  Acknowledgements

   TBD.

7.

8.  IANA Considerations

   This memo includes no request to IANA.

8.

9.  Security Considerations

   This memo does not provide any further security considerations than
   the one described in RFC 7970 [RFC7970].

9.

10.  References

9.1.

10.1.  Normative References

   [min_ref]  authSurName, authInitials., "Minimal Reference",

   [jsonschema]
              "JSON Schema", 2006.

              http://json-schema.org/

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

9.2.

10.2.  Informative References

   [DOMINATION]
              Mad Dominators, Inc., "Ultimate Plan for Taking Over the
              World", 1984, <http://www.example.com/dominator.html>.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999,
              <https://www.rfc-editor.org/info/rfc2629>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              DOI 10.17487/RFC3552, July 2003,
              <https://www.rfc-editor.org/info/rfc3552>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <https://www.rfc-editor.org/info/rfc5226>.

Authors' Addresses

   Takeshi Takahashi
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp
   Mio Suzuki
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp