Side-by-side diff: draft-ietf-mile-jsoniodef-01.txt (left) vs draft-ietf-mile-jsoniodef-02.txt (right)

draft-ietf-mile-jsoniodef-01 (left column):
  MILE                                   T. Takahashi
  Internet-Draft                            M. Suzuki
  Intended status: Standards Track               NICT
  Expires: May 14, 2018             November 10, 2017

draft-ietf-mile-jsoniodef-02 (right column):
  MILE                                   T. Takahashi
  Internet-Draft                                 NICT
  Intended status: Standards Track         R. Danyliw
  Expires: July 15, 2018                         CERT
                                            M. Suzuki
                                                 NICT
                                     January 11, 2018

JSON binding of IODEF JSON binding of IODEF
draft-ietf-mile-jsoniodef-01 draft-ietf-mile-jsoniodef-02
Abstract Abstract
RFC 7970 [RFC7970] provides XML-based data representation on incident RFC 7970 [RFC7970] provides XML-based data representation on incident
information, but the use of the IODEF data model is not limited to information, but the use of the IODEF data model is not limited to
XML. JSON representation is sometimes preferred since it is easy to XML. JSON representation is sometimes preferred since it is easy to
handle from certain programming environments. This draft represents handle from certain programming environments. This draft represents
the IODEF data model in JSON. the IODEF data model in JSON.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 14, 2018. This Internet-Draft will expire on July 15, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 19 skipping to change at page 3, line 23
3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 19 3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 19
3.17. Node Class . . . . . . . . . . . . . . . . . . . . . . . 20 3.17. Node Class . . . . . . . . . . . . . . . . . . . . . . . 20
3.17.1. Address Class . . . . . . . . . . . . . . . . . . . 20 3.17.1. Address Class . . . . . . . . . . . . . . . . . . . 20
3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 20 3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 20
3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21 3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21
3.18. DomainData Class . . . . . . . . . . . . . . . . . . . . 21 3.18. DomainData Class . . . . . . . . . . . . . . . . . . . . 21
3.18.1. Nameserver Class . . . . . . . . . . . . . . . . . . 22 3.18.1. Nameserver Class . . . . . . . . . . . . . . . . . . 22
3.18.2. DomainContacts Class . . . . . . . . . . . . . . . . 22 3.18.2. DomainContacts Class . . . . . . . . . . . . . . . . 22
3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 22 3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 22
3.19.1. ServiceName Class . . . . . . . . . . . . . . . . . 23 3.19.1. ServiceName Class . . . . . . . . . . . . . . . . . 23
3.19.2. ApplicationHeader Class . . . . . . . . . . . . . . 23 3.19.2. EmailData Class . . . . . . . . . . . . . . . . . . 23
3.20. EmailData Class . . . . . . . . . . . . . . . . . . . . . 23 3.19.3. RecordData Class . . . . . . . . . . . . . . . . . . 24
3.21. Record Class . . . . . . . . . . . . . . . . . . . . . . 24 3.19.4. RecordPattern Class . . . . . . . . . . . . . . . . 24
3.21.1. RecordData Class . . . . . . . . . . . . . . . . . . 24 3.20. WindowsRegistryKeysModified Class . . . . . . . . . . . . 24
3.21.2. RecordPattern Class . . . . . . . . . . . . . . . . 25 3.20.1. Key Class . . . . . . . . . . . . . . . . . . . . . 25
3.22. WindowsRegistryKeysModified Class . . . . . . . . . . . . 25 3.21. CertificateData Class . . . . . . . . . . . . . . . . . . 25
3.22.1. Key Class . . . . . . . . . . . . . . . . . . . . . 25 3.21.1. Certificate Class . . . . . . . . . . . . . . . . . 26
3.23. CertificateData Class . . . . . . . . . . . . . . . . . . 26 3.22. FileData Class . . . . . . . . . . . . . . . . . . . . . 26
3.23.1. Certificate Class . . . . . . . . . . . . . . . . . 26 3.22.1. File Class . . . . . . . . . . . . . . . . . . . . . 26
3.24. FileData Class . . . . . . . . . . . . . . . . . . . . . 27 3.23. HashData Class . . . . . . . . . . . . . . . . . . . . . 27
3.24.1. File Class . . . . . . . . . . . . . . . . . . . . . 27 3.23.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 27
3.25. HashData Class . . . . . . . . . . . . . . . . . . . . . 27 3.23.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 27
3.25.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 28 3.24. Indicator Class . . . . . . . . . . . . . . . . . . . . . 28
3.25.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 28 3.24.1. IndicatorID Class . . . . . . . . . . . . . . . . . 29
3.26. SignatureData Class . . . . . . . . . . . . . . . . . . . 28 3.24.2. AlternativeIndicatorID Class . . . . . . . . . . . . 29
3.27. Indicator Class . . . . . . . . . . . . . . . . . . . . . 29 3.24.3. Observable Class . . . . . . . . . . . . . . . . . . 29
3.27.1. IndicatorID Class . . . . . . . . . . . . . . . . . 30 3.24.4. BulkObservable Class . . . . . . . . . . . . . . . . 30
3.27.2. AlternativeIndicatorID Class . . . . . . . . . . . . 30 3.24.5. BulkObservableFormat Class . . . . . . . . . . . . . 30
3.27.3. Observable Class . . . . . . . . . . . . . . . . . . 30 3.24.6. IndicatorExpression Class . . . . . . . . . . . . . 31
3.27.4. BulkObservable Class . . . . . . . . . . . . . . . . 31 3.24.7. IndicatorReference Class . . . . . . . . . . . . . . 31
3.27.5. BulkObservableFormat Class . . . . . . . . . . . . . 31 3.24.8. AttackPhase Class . . . . . . . . . . . . . . . . . 31
3.27.6. IndicatorExpression Class . . . . . . . . . . . . . 32 4. Notable differences from RFC 7970 . . . . . . . . . . . . . . 32
3.27.7. ObservableReference Class . . . . . . . . . . . . . 32 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.27.8. IndicatorReference Class . . . . . . . . . . . . . . 32
3.27.9. AttackPhase Class . . . . . . . . . . . . . . . . . 33
4. Notable differences from RFC 7970 (to be deleted) . . . . . . 33
5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33 5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33
5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 34 5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 33
6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 36 6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 35
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 55 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 54
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54
9. Security Considerations . . . . . . . . . . . . . . . . . . . 55 9. Security Considerations . . . . . . . . . . . . . . . . . . . 54
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 54
10.1. Normative References . . . . . . . . . . . . . . . . . . 55 10.1. Normative References . . . . . . . . . . . . . . . . . . 54
10.2. Informative References . . . . . . . . . . . . . . . . . 56 10.2. Informative References . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
RFC 7970 [RFC7970] defines a data model for sharing incident RFC 7970 [RFC7970] defines a data model for sharing incident
information. It facilitates automated exchange of information among information. It facilitates automated exchange of information among
parties over networks. The data model can be implemented in a form parties over networks. The data model can be implemented in a form
of XML, but it is not always suitable for implementation. JSON-based of XML, but it is not always suitable for implementation. JSON-based
representation is often useful. representation is often useful.
Therefore, in this document, we provide a means to represent IODEF Therefore, in this document, we provide a means to represent IODEF
skipping to change at page 7, line 21 skipping to change at page 7, line 21
information model by the ID data type. A reference to this information model by the ID data type. A reference to this
identifier is represented by the IDREF data type. These data types identifier is represented by the IDREF data type. These data types
are implemented in the model as a "string" type per JSON schema are implemented in the model as a "string" type per JSON schema
[jsonschema]. [jsonschema].
2.15. Software 2.15. Software
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", and type is implemented as an object with "SoftwareReference", "URL",
"Description" elements as defined in Section 6. Examples are shown "Description", and "Description_ML" elements as defined in Section 6.
below. Examples are shown below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference "SoftwareReference": {...}, //SoftwareReference
"Description": {"value":"MS Windows"}, //ML_STRING "Description": ["MS Windows"], //STRING
} }
2.16. StructuredInfo 2.16. StructuredInfo
Information provided in a form of structured string, such as ID, or Information provided in a form of structured string, such as ID, or
structured information, such as XML documents, is represented in the structured information, such as XML documents, is represented in the
information model by the StructuredInfo data type. Note that this information model by the StructuredInfo data type. Note that this
type was originally specified in RFC7203. The StructuredInfo data type was originally specified in RFC7203. The StructuredInfo data
type is implemented as an object with "SpecID", "ext-SpecID", type is implemented as an object with "SpecID", "ext-SpecID",
"ContentID", "RawData", "Reference" elements. An example for "ContentID", "RawData", "Reference" elements. An example for
skipping to change at page 7, line 50 skipping to change at page 7, line 50
"StructuredInformation": { "StructuredInformation": {
"SpecID": "cve", //ENUM "SpecID": "cve", //ENUM
"ContentID": "CVE-2007-5000", //STRING "ContentID": "CVE-2007-5000", //STRING
} }
When embedding the raw data, base64 conversion should be used for When embedding the raw data, base64 conversion should be used for
encoding the data, as shown below. encoding the data, as shown below.
"StructuredInformation": { "StructuredInformation": {
"SpecID": "oval", //ENUM "SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>", //STRING "RawData": "<<<strings encoded with base64>>>", //BYTE
} }
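The base64 rule above is the one place this binding embeds opaque bytes, and it is the receiver that has to handle them safely. The following Python is an added example, not code from the draft: it builds the two StructuredInformation objects shown in this section and then applies the receiver-side checks a practitioner wants before the decoded blob reaches an OVAL or XML parser. The 1 MiB size cap is an assumption of the example (the draft sets no limit), as are the function names and the sample payload.

```python
import base64
import binascii
import re

# Cap on the decoded size of an embedded RawData blob. The draft sets no
# limit; this value is an assumption of the example, chosen so an untrusted
# sender cannot make the receiver allocate arbitrarily large buffers.
MAX_RAW_DATA_BYTES = 1024 * 1024

# CVE identifier syntax: "CVE-" + 4-digit year + a sequence of 4 or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_structured_info(spec_id, content_id=None, raw_data=None):
    """Build a StructuredInformation object as in Section 2.16.

    raw_data is bytes (for instance an OVAL document); it is embedded as
    base64 text in "RawData", as the draft requires.
    """
    info = {"SpecID": spec_id}
    if content_id is not None:
        info["ContentID"] = content_id
    if raw_data is not None:
        info["RawData"] = base64.b64encode(raw_data).decode("ascii")
    return info


def decode_raw_data(encoded, max_bytes=MAX_RAW_DATA_BYTES):
    """Decode a received RawData string, rejecting bad or oversized input.

    validate=True makes b64decode reject characters outside the base64
    alphabet instead of silently dropping them, and the size bound is
    applied to the encoded length before any decoding happens. The returned
    bytes are still untrusted input for whatever consumes them (an XML
    parser for OVAL content should have external entity resolution off).
    """
    if not isinstance(encoded, str):
        raise ValueError("RawData must be a base64 string")
    # Four base64 characters carry three bytes.
    if len(encoded) // 4 * 3 > max_bytes:
        raise ValueError("RawData exceeds %d bytes" % max_bytes)
    try:
        return base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError("RawData is not valid base64: %s" % exc)


def validate_structured_info(info):
    """Return a list of problems found in a received StructuredInformation."""
    problems = []
    spec_id = info.get("SpecID")
    if not isinstance(spec_id, str) or not spec_id:
        problems.append("SpecID missing")
    content_id = info.get("ContentID")
    if spec_id == "cve" and content_id is not None:
        if not isinstance(content_id, str) or not CVE_ID.match(content_id):
            problems.append("ContentID is not a CVE identifier: %r" % (content_id,))
    if "RawData" in info:
        try:
            decode_raw_data(info["RawData"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample payload: an XML fragment shaped like an OVAL document,
# not a real OVAL definition.
SAMPLE_OVAL = b"<oval_definitions><definitions/></oval_definitions>"

if __name__ == "__main__":
    print(build_structured_info("cve", content_id="CVE-2007-5000"))
    oval = build_structured_info("oval", raw_data=SAMPLE_OVAL)
    print(oval)
    print(validate_structured_info(oval))
    print(validate_structured_info({"SpecID": "oval", "RawData": "not*base64"}))
```

The size check runs on the encoded length so that a hostile sender cannot force a large allocation just to find out the blob is too big; the strict decode matters because lenient base64 decoders accept junk between valid characters, which lets two receivers see different bytes for the same document.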
3. The IODEF Information Model in JSON 3. The IODEF Information Model in JSON
The data model of IODEF is defined in RFC 7970 [RFC7970], and this The data model of IODEF is defined in RFC 7970 [RFC7970], and this
section illustrates their representations in JSON. Note that the section illustrates their representations in JSON. Note that the
complete JSON schema is defined in Section 6. complete JSON schema is defined in Section 6.
3.1. IODEF-Document Class 3.1. IODEF-Document Class
skipping to change at page 8, line 24 skipping to change at page 8, line 24
elements and an example are shown below. See Section 3.1 of RFC 7970 elements and an example are shown below. See Section 3.1 of RFC 7970
[RFC7970] for the intended meanings of these elements. [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
version, lang?, format-id?, private-enum-name?, private-enum-id?, version, lang?, format-id?, private-enum-name?, private-enum-id?,
Incident+, AdditionalData* Incident+, AdditionalData*
Example: Example:
"IODEF-Document": { "IODEF-Document": {
"version": "2.1", //STRING "version": "2.1", //STRING
"lang": "en", //ENUM "lang": "en", //ENUM
"format-id": "RFC7970-json", //STRING "format-id": "RFC7970-json", //STRING
"Incident": [ ... ] //Incident "Incident": [ ... ] //Incident
} }
3.2. Incident Class 3.2. Incident Class
The Incident class describes commonly exchanged information when The Incident class describes commonly exchanged information when
reporting or sharing derived analysis from security incidents. Its reporting or sharing derived analysis from security incidents. Its
class elements and an example are shown below. See Section 3.2 of class elements and an example are shown below. See Section 3.2 of
RFC 7970 [RFC7970] for the intended meanings of these elements. RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
ext-restriction?, observable-id?, IncidentID, AlternativeID?, ext-restriction?, observable-id?, IncidentID, AlternativeID?,
RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
ReportTime?, GenerationTime?, Description*, Discovery*, Assessment*, ReportTime?, GenerationTime?, Description*, Description_ML*,
Method*, Contact+, EventData*, IndicatorData?, History?, Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*,
AdditionalData* History?, AdditionalData*
Example: Example:
"Incident": { "Incident": {
"purpose": "reporting", //ENUM "purpose": "reporting", //ENUM
"lang": "en", //STRING "lang": "en", //STRING
"restriction": "green", //ENUM "restriction": "green", //ENUM
"IncidentID": { ... }, //IncidentID Class "IncidentID": { ... }, //IncidentID Class
"RelatedActivity": [ ... ], //RelatedActivity Class "RelatedActivity": [ ... ], //RelatedActivity Class
"GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime "GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime
"Description": [{"value":"Incident in the HQ"}], //ML_STRING "Description": ["Incident in the HQ"], //STRING
"Assessment": [ ... ], //Assessment "Assessment": [ ... ], //Assessment
"Method": [ ... ], //Method "Method": [ ... ], //Method
"Contact": [ ... ], //Contact "Contact": [ ... ], //Contact
"EventData": [ ... ], //EventData "EventData": [ ... ], //EventData
"IndicatorData": { ... }, //IndicatorData "Indicator": [ ... ], //Indicator
"History": { ... }, //History "History": { ... }, //History
"AdditionalData": [ ... ], //AdditionalData "AdditionalData": [ ... ], //AdditionalData
} }
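The "Class elements" lines in Sections 3.1 and 3.2 use a suffix notation (no suffix: exactly one; "?": zero or one; "*": zero or more; "+": one or more) that maps directly onto JSON members and arrays. The draft's authoritative check is the JSON Schema in Section 6, which is not reproduced on this page; the Python below is an added example, not code from the draft, that parses the element notation for the IODEF-Document and Incident classes and checks a constructed minimal document against it. That is the structural check a receiver wants to run before it trusts anything deeper in the document. The nested IncidentID and Contact objects in the sample are placeholders (assumption: IncidentID carries "id" and "name"); the checker only inspects the two top-level classes.

```python
import json
import re

# One element in the draft's notation: a name plus an optional suffix.
_ELEMENT = re.compile(r"^([A-Za-z_][\w-]*)([?*+]?)$")

# Element lists copied from Sections 3.1 and 3.2 (draft-02 column).
IODEF_DOCUMENT_ELEMENTS = (
    "version, lang?, format-id?, private-enum-name?, private-enum-id?, "
    "Incident+, AdditionalData*"
)
INCIDENT_ELEMENTS = (
    "purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, "
    "ext-restriction?, observable-id?, IncidentID, AlternativeID?, "
    "RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, "
    "ReportTime?, GenerationTime?, Description*, Description_ML*, "
    "Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*, "
    "History?, AdditionalData*"
)


def parse_elements(spec):
    """Turn 'version, lang?, Incident+' into {name: (min, max)}; max None = unbounded."""
    bounds = {"": (1, 1), "?": (0, 1), "*": (0, None), "+": (1, None)}
    result = {}
    for item in spec.split(","):
        m = _ELEMENT.match(item.strip())
        if not m:
            raise ValueError("bad element spec: %r" % item)
        result[m.group(1)] = bounds[m.group(2)]
    return result


def check_object(obj, spec, path=""):
    """Return a list of cardinality problems for obj against a class spec.

    Unbounded elements are expected as JSON arrays, as the draft's examples
    show for Incident, Description and Contact; single-valued elements must
    not be arrays. Unknown members are reported too: an unexpected key is
    the usual sign that the sender speaks a different revision of the binding.
    """
    problems = []
    for name, (lo, hi) in spec.items():
        if name not in obj:
            if lo > 0:
                problems.append("%s%s: required but missing" % (path, name))
            continue
        value = obj[name]
        if hi is None:
            if not isinstance(value, list):
                problems.append("%s%s: must be an array" % (path, name))
            elif len(value) < lo:
                problems.append("%s%s: at least %d item(s) required" % (path, name, lo))
        elif isinstance(value, list):
            problems.append("%s%s: at most one value allowed" % (path, name))
    for name in obj:
        if name not in spec:
            problems.append("%s%s: not a member of this class" % (path, name))
    return problems


def check_document(doc):
    """Check the IODEF-Document wrapper and every Incident inside it."""
    if set(doc) != {"IODEF-Document"}:
        return ["top level must contain exactly the IODEF-Document member"]
    root = doc["IODEF-Document"]
    problems = check_object(root, parse_elements(IODEF_DOCUMENT_ELEMENTS), "IODEF-Document/")
    for i, incident in enumerate(root.get("Incident") or []):
        problems += check_object(incident, parse_elements(INCIDENT_ELEMENTS),
                                 "IODEF-Document/Incident[%d]/" % i)
    return problems


# Constructed minimal document built from the required elements of Sections 3.1
# and 3.2. The draft elides nested classes with "..."; the IncidentID and
# Contact members here are placeholders, not the draft's definitions.
MINIMAL_DOC = {
    "IODEF-Document": {
        "version": "2.1",
        "lang": "en",
        "format-id": "RFC7970-json",
        "Incident": [{
            "purpose": "reporting",
            "restriction": "green",
            "IncidentID": {"id": "189493", "name": "csirt.example.com"},
            "GenerationTime": "2015-10-02T11:18:00-05:00",
            "Description": ["Incident in the HQ"],
            "Contact": [{"role": "creator", "type": "organization"}],
        }],
    }
}

if __name__ == "__main__":
    print(json.dumps(MINIMAL_DOC, indent=2))
    print(check_document(MINIMAL_DOC))
    broken = json.loads(json.dumps(MINIMAL_DOC))
    broken["IODEF-Document"]["Incident"][0]["Description"] = "Incident in the HQ"
    del broken["IODEF-Document"]["Incident"][0]["Contact"]
    print(check_document(broken))
```

Reporting unknown members rather than ignoring them is a deliberate choice: a draft-01 sender still emits "IndicatorData", which draft-02 replaced with "Indicator", and silently dropping it would lose the indicators without any signal to the operator.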
3.3. Common Attributes 3.3. Common Attributes
There are a number of recurring attributes used in the information There are a number of recurring attributes used in the information
model. They are documented in this section. model. They are documented in this section.
3.3.1. restriction Attribute 3.3.1. restriction Attribute
skipping to change at page 11, line 13 skipping to change at page 11, line 13
} }
3.7. ThreatActor Class 3.7. ThreatActor Class
The class elements and an example are shown below. See Section 3.7 The class elements and an example are shown below. See Section 3.7
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
restriction?, ext-restriction?, ThreatActorID*, URL*, Description*, restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
AdditionalData* Description_ML*, AdditionalData*
Example: Example:
"ThreatActor": { "ThreatActor": {
"ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING
"Description": {"value":"Aggressive Butterfly"} //ML_STRING "Description": ["Aggressive Butterfly"] //STRING
} }
3.8. Campaign Class 3.8. Campaign Class
The class elements and an example are shown below. See Section 3.8 The class elements and an example are shown below. See Section 3.8
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
restriction?, ext-restriction?, CampaignID*, URL*, Description*, restriction?, ext-restriction?, CampaignID*, URL*, Description*,
AdditionalData* Description_ML*, AdditionalData*
Example: Example:
"Campaign": { "Campaign": {
"CampaignID": "C-2015-59405", //STRING "CampaignID": "C-2015-59405", //STRING
"Description": {"value":"Orange Giraffe"} //ML_STRING "Description": ["Orange Giraffe"] //STRING
} }
3.9. Contact Class 3.9. Contact Class
The class elements and an example are shown below. See Section 3.9 The class elements and an example are shown below. See Section 3.9
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
role, ext-role?, type, ext-type?, restriction?, ext-restriction?, role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
ContactName*, ContactTitle*, Description*, RegistryHandle*, ContactName*,ContactName_ML*, ContactTitle*, ContactTitle_ML*,
PostalAddress*, Email*, Telephone*, Timezone?, Contact*, Description*, Description_ML*, RegistryHandle*, PostalAddress*,
AdditionalData* Email*, Telephone*, Timezone?, Contact*, AdditionalData*
Example: Example:
"Contact": { "Contact": {
"role": "creator", //ENUM "role": "creator", //ENUM
"type": "organization", //ENUM "type": "organization", //ENUM
"ContactName": {"value":"CSIRT for example.com"}, //ML_STRING "ContactName": ["CSIRT for example.com"], //STRING
"ContactTitle": {"value":"Senior Research Engineer"}, //ML_STRING "ContactTitle": ["Senior Research Engineer"], //STRING
"Email": {...}, //Email Class "Email": {...}, //Email Class
"Telephone": {...}, //Telephone Class "Telephone": {...}, //Telephone Class
"Timezone": "+09:00" //TIMEZONE "Timezone": "+09:00" //TIMEZONE
} }
3.9.1. RegistryHandle Class 3.9.1. RegistryHandle Class
The class elements and an example are shown below. See Section 3.9.1 The class elements and an example are shown below. See Section 3.9.1
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
skipping to change at page 12, line 38 skipping to change at page 12, line 38
"registry": "apnic", //ENUM "registry": "apnic", //ENUM
} }
3.9.2. PostalAddress Class 3.9.2. PostalAddress Class
The class elements and an example are shown below. See Section 3.9.2 The class elements and an example are shown below. See Section 3.9.2
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
type?, ext-type?, PAddress, Description* type?, ext-type?, PAddress, Description*, Description_ML*
Example: Example:
"PostalAddress": { "PostalAddress": {
"type": "mailing", //ENUM "type": "mailing", //ENUM
"PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL
"Description": {"value":"Office address"} //ML_STRING "Description": ["Office address"] //STRING
}, },
3.9.3. Email Class 3.9.3. Email Class
The class elements and an example are shown below. See Section 3.9.3 The class elements and an example are shown below. See Section 3.9.3
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
type?, ext-type?, EmailTo, Description* type?, ext-type?, EmailTo, Description*, Description_ML*
Example: Example:
"Email": { "Email": {
"type": "direct", //ENUM "type": "direct", //ENUM
"EmailTo": "contact@csirt.example.com", //EMAIL "EmailTo": "contact@csirt.example.com", //EMAIL
"Description": {"value":"Administrator's address"} //ML_STRING "Description": ["Administrator's address"] //STRING
}, },
3.9.4. Telephone Class 3.9.4. Telephone Class
The class elements and an example are shown below. See Section 3.9.4 The class elements and an example are shown below. See Section 3.9.4
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
type?, ext-type?, TelephoneNumber, Description* type?, ext-type?, TelephoneNumber, Description*, Description_ML*
Example: Example:
"Telephone": { "Telephone": {
"type": "wired", //ENUM "type": "wired", //ENUM
"TelephoneNumber": "+818012345678", //PHONE "TelephoneNumber": "+818012345678", //PHONE
"Description": {"value":"Admin's mobile"} //ML_STRING "Description": ["Admin's mobile"] //STRING
}, },
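The examples in Sections 3.7 through 3.9.4 show the main change between the two revisions: draft-01 carried Description, ContactName, ContactTitle and similar members as ML_STRING objects ({"value": ...}), while draft-02 makes them plain STRING arrays and adds a parallel <name>_ML member for language-tagged text. The Python below is an added example, not code from the draft, that rewrites a draft-01 style fragment into the draft-02 layout so that documents from senders on the older revision can still be processed. It assumes the draft-01 ML_STRING object uses the keys "value" and "lang" (the attribute names of RFC 7970's ML_STRING); the sample fragment is constructed, with one made-up Spanish ContactName entry to exercise the language-tag path.

```python
import copy

# Members that draft-02 splits into a plain STRING array plus a separate
# "<name>_ML" ML_STRING array, per the class element lists in Section 3.
ML_SPLIT_MEMBERS = ("Description", "ContactName", "ContactTitle",
                    "MitigationFactor", "Cause")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def upgrade_ml_strings(node):
    """Recursively rewrite draft-01 ML_STRING members into the draft-02 layout.

    Assumption: a draft-01 ML_STRING is {"value": "...", "lang": "..."} with
    "lang" optional. Entries that are just {"value": ...} become plain
    strings in the original member; entries carrying a language tag (or any
    other attribute) are moved unchanged into "<name>_ML" so the tag is not
    lost. Plain strings pass through, so the function is idempotent and a
    draft-02 document is returned unchanged.
    """
    if isinstance(node, list):
        return [upgrade_ml_strings(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in ML_SPLIT_MEMBERS:
            for entry in _as_list(value):
                if isinstance(entry, str):
                    out.setdefault(key, []).append(entry)
                elif isinstance(entry, dict) and set(entry) == {"value"}:
                    out.setdefault(key, []).append(entry["value"])
                elif isinstance(entry, dict) and "value" in entry:
                    out.setdefault(key + "_ML", []).append(copy.deepcopy(entry))
                else:
                    raise ValueError("%s: unsupported entry %r" % (key, entry))
        elif key.endswith("_ML") and key[:-3] in ML_SPLIT_MEMBERS:
            # Already-split multilingual entries: keep them, merging with any
            # entries moved here from the plain member.
            out.setdefault(key, []).extend(copy.deepcopy(_as_list(value)))
        else:
            out[key] = upgrade_ml_strings(value)
    return out


# Constructed draft-01 style fragment, modelled on the left-hand examples of
# Sections 3.8 and 3.9. The second ContactName entry is made up to show a
# language-tagged value.
DRAFT01_SAMPLE = {
    "Campaign": [{
        "CampaignID": "C-2015-59405",
        "Description": {"value": "Orange Giraffe"},
    }],
    "Contact": [{
        "role": "creator",
        "type": "organization",
        "ContactName": [{"value": "CSIRT for example.com"},
                        {"value": "CSIRT de example.com", "lang": "es"}],
        "ContactTitle": {"value": "Senior Research Engineer"},
    }],
}

if __name__ == "__main__":
    import json
    print(json.dumps(upgrade_ml_strings(DRAFT01_SAMPLE), indent=2))
```

The function builds a new tree rather than editing in place, so the original document is left intact for logging or evidence purposes, and it refuses entries it does not recognise instead of guessing, which is the safer failure for a converter sitting on an exchange boundary.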
3.10. Discovery Class 3.10. Discovery Class
The class elements and an example are shown below. See Section 3.10 The class elements and an example are shown below. See Section 3.10
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
source?, ext-source?, restriction?, ext-restriction?, Description*, source?, ext-source?, restriction?, ext-restriction?, Description*,
Contact*, DetectionPattern* Description_ML*, Contact*, DetectionPattern*
Example: Example:
"Discovery": { "Discovery": {
"source": "nidps", //ENUM "source": "nidps", //ENUM
"restriction": "need-to-know", //ENUM "restriction": "need-to-know", //ENUM
"Contact": {...}, //Contact class "Contact": {...}, //Contact class
"DetectionPattern": {...}, //DetectionPattern class "DetectionPattern": {...}, //DetectionPattern class
"Description":{"value":"IDS provided an alert"} //ML_STRING "Description":["IDS provided an alert"] //STRING
} }
3.10.1. DetectionPattern Class 3.10.1. DetectionPattern Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
restriction?, ext-restriction?, observable-id?, Application, restriction?, ext-restriction?, observable-id?, Application,
Description*, DetectionConfiguration* Description*, Description_ML*, DetectionConfiguration*
Example: Example:
"DetectionPattern": { "DetectionPattern": {
"Application": {...}, //SOFTWARE "Application": {...}, //SOFTWARE
"Description": {"value":"The specified application needs to be reviewed"} //ML_STRING "Description": ["The specified application needs to be reviewed"] //STRING
} }
3.11. Method Class 3.11. Method Class
The class elements and an example are shown below. See Section 3.11 The class elements and an example are shown below. See Section 3.11
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
restriction?, ext-restriction?, Reference*, Description*, restriction?, ext-restriction?, Reference*, Description*,
AttackPattern*, Vulnerability*, Weakness* Description_ML*, AttackPattern*, Vulnerability*, Weakness*
Example: Example:
"Method": { "Method": {
"AttackPattern": {...}, //StructuredInfo "AttackPattern": {...}, //StructuredInfo
"Vulnerability": {...} //StructuredInfo "Vulnerability": {...} //StructuredInfo
} }
3.11.1. Reference Class 3.11.1. Reference Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
observable-id?, ReferenceName?, URL*, Description* observable-id?, ReferenceName?, URL*, Description*, Description_ML*
Example: Example:
"Reference":{ "Reference":{
"URL":"http://www.nict.go.jp" //URL "URL":"http://www.nict.go.jp" //URL
} }
3.12. Assessment Class 3.12. Assessment Class
The class elements and an example are shown below. See Section 3.12 The class elements and an example are shown below. See Section 3.12
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
occurrence?, restriction?, ext-restriction?, observable-id?, occurrence?, restriction?, ext-restriction?, observable-id?,
IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*, IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*, MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
Cause*, Confidence?, AdditionalData* MitigationFactor_ML*, Cause*, Cause_ML*, Confidence?, AdditionalData*
Example: Example:
"Assessment": { "Assessment": {
"SystemImpact": {...}, //SystemImpact class "SystemImpact": {...}, //SystemImpact class
"BusinessImpact": {...}, //BusinessImpact class "BusinessImpact": {...}, //BusinessImpact class
"TimeImpact": {...}, //TimeImpact class "TimeImpact": {...}, //TimeImpact class
"MonetaryImpact": {...}, //MonetaryImpact class "MonetaryImpact": {...}, //MonetaryImpact class
"IntendedImpact": {...}, //IntendedImpact class "IntendedImpact": {...}, //IntendedImpact class
"Counter": "5", //Counter class "Counter": "5", //Counter class
"MitigationFactor": {"value":"Rebooting is required"}, //ML_STRING "MitigationFactor": ["Rebooting is required"], //STRING
"Cause": {"value":"Malware Infection"} //ML_STRING "Cause": ["Malware Infection"] //STRING
} }
3.12.1. SystemImpact Class 3.12.1. SystemImpact Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
severity?, completion?, type, ext-type?, Description* severity?, completion?, type, ext-type?, Description*,
Description_ML*
Example: Example:
"SystemImpact":{ "SystemImpact":{
"severity":"high", //ENUM "severity":"high", //ENUM
"completion": "successful", //ENUM "completion": "successful", //ENUM
"type":"integrity-data", //ENUM "type":"integrity-data", //ENUM
"Description":{"value":"The web page was falsified"} //ML_STRING "Description": ["The web page was falsified"] //STRING
}, },
3.12.2. BusinessImpact Class 3.12.2. BusinessImpact Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
severity?, ext-severity?, type, ext-type?, Description* severity?, ext-severity?, type, ext-type?, Description*,
Description_ML*
Example: Example:
"BusinessImpact": { "BusinessImpact": {
"severity":"medium", //ENUM "severity":"medium", //ENUM
"type": "degraded-reputation", //ENUM "type": "degraded-reputation", //ENUM
"Description":{"value":"The web page was falsified"} //ML_STRING "Description": ["The web page was falsified"] //STRING
} }
3.12.3. TimeImpact Class 3.12.3. TimeImpact Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
skipping to change at page 18, line 23 skipping to change at page 18, line 23
3.13.1. HistoryItem Class 3.13.1. HistoryItem Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
action, ext-action?, restriction?, ext-restriction?, observable-id?, action, ext-action?, restriction?, ext-restriction?, observable-id?,
DateTime, IncidentID?, Contact?, Description*, DefinedCOA*, DateTime, IncidentID?, Contact?, Description*, Description_ML*,
AdditionalData* DefinedCOA*, AdditionalData*
Example: Example:
"HistoryItem": { "HistoryItem": {
"action": "investigate", //ENUM "action": "investigate", //ENUM
"restriction": "need-to-know", //ENUM "restriction": "need-to-know", //ENUM
"DateTime": "2015-10-15T11:18:00-05:00", //DateTime "DateTime": "2015-10-15T11:18:00-05:00", //DateTime
"IncidentID": { ... } //IncidentID class "IncidentID": { ... } //IncidentID class
} }
3.14. EventData Class 3.14. EventData Class
The class elements and an example are shown below. See Section 3.14 The class elements and an example are shown below. See Section 3.14
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
restriction?, ext-restriction?, observable-id?, Description*, restriction?, ext-restriction?, observable-id?, Description*,
DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, Description_ML*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*, ReportTime?, Contact*, Discovery*, Assessment?, Method*,
Record?, EventData*, AdditionalData* Expectation*, RecordData*, EventData*, AdditionalData*
Example: Example:
"EventData": { "EventData": {
"ReportTime": "2016-06-01 18:05:33", "ReportTime": "2016-06-01 18:05:33",
"Contact": { ...}, //Contact class "Contact": { ...}, //Contact class
"Assessment": { ...}, //Assessment class "Assessment": { ...}, //Assessment class
"Method": { ...}, //Method class "Method": { ...}, //Method class
"System": { ... }, //System class "System": { ... }, //System class
"Expectation": { ...}, //Expectation class "Expectation": { ...}, //Expectation class
} }
3.15. Expectation Class 3.15. Expectation Class
The class elements and an example are shown below. See Section 3.15 The class elements and an example are shown below. See Section 3.15
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
action?, ext-action?, severity?, restriction?, ext-restriction?, action?, ext-action?, severity?, restriction?, ext-restriction?,
Description*, DefinedCOA*, StartTime?, EndTime?, Contact? Description*, Description_ML*, DefinedCOA*, StartTime?, EndTime?,
Contact?
Example: Example:
"Expectation": { "Expectation": {
"action": "investigate" //ENUM "action": "investigate" //ENUM
"severity": "medium" //ENUM "severity": "medium" //ENUM
"restriction": "need-to-know" //ENUM "restriction": "need-to-know" //ENUM
}, },
3.16. System Class 3.16. System Class
The class elements and an example are shown below. See Section 3.17 The class elements and an example are shown below. See Section 3.17
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
category?, ext-category?, interface?, spoofed?, virtual?, ownership?, category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*, ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
Service*, OperatingSystem*, Counter*, AssetID*, Description*, Service*, OperatingSystem*, Counter*, AssetID*, Description*,
AdditionalData* Description_ML*, AdditionalData*
Example: Example:
"System": { "System": {
"category": "source", //ENUM "category": "source", //ENUM
"Node": { ... }, //Node class "Node": { ... }, //Node class
"Service": { ... }, //Service class "Service": { ... }, //Service class
}, },
3.17. Node Class 3.17. Node Class
The class elements and an example are shown below. See Section 3.18 The class elements and an example are shown below. See Section 3.18
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
DomainData*, Address*, PostalAddress?, Location*, Counter* DomainData*, Address*, PostalAddress?, Location*, Location_ML*,
Counter*
Example: Example:
"Node": { "Node": {
"Address": { ... }, //Address class "Address": { ... }, //Address class
"Location": {"value":"OrgID=7"} //ML_STRING "Location": ["OrgID=7"] //STRING
} }
3.17.1. Address Class 3.17.1. Address Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
}, },
3.17.2. NodeRole Class 3.17.2. NodeRole Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
category, ext-category?, Description* category, ext-category?, Description*, Description_ML*
Example: Example:
"NodeRole": { "NodeRole": {
"category": "client" //ENUM "category": "client" //ENUM
"Description": {"value":"The computer at room A"} //ML_STRING "Description": ["The computer at room A"] //STRING
}, },
3.17.3. Counter Class 3.17.3. Counter Class
The class elements and an example are shown below. See The class elements and an example are shown below. See
Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
these elements. these elements.
Class elements: Class elements:
value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext- value, type, ext-type?, unit, ext-unit?, meaning?, meaning_ML?,
duration? duration?, ext-duration?
Example: Example:
"Counter": { "Counter": {
"value": "3", //REAL "value": "3", //REAL
"type": "count", //ENUM "type": "count", //ENUM
"unit": "packet" //ENUM "unit": "packet", //ENUM
"meaning": {"value":"The number of scan packets "meaning": "The number of scan packets are counted" //STRING
are counted"}, //ML_STRING
} }
3.18. DomainData Class 3.18. DomainData Class
The class elements and an example are shown below. See Section 3.19 The class elements and an example are shown below. See Section 3.19
of RFC 7970 [RFC7970] for the intended meanings of these elements. of RFC 7970 [RFC7970] for the intended meanings of these elements.
Class elements: Class elements:
system-status, ext-system-status?, domain-status, ext-domain-status?, system-status, ext-system-status?, domain-status, ext-domain-status?,
} }
3.19. Service Class 3.19. Service Class
This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField*,
Application? EmailData?, Application?
Example: Example:
"Service": { "Service": {
"ServiceName": { "ServiceName": {
"Description": "It seems to be a scan from an infected machine." "Description": ["It seems to be a scan from an infected machine."]
}, },
"ip-protocol": 6, //INTEGER "ip-protocol": 6, //INTEGER
"Port": 49183 //INTEGER "Port": 49183 //INTEGER
} }
3.19.1. ServiceName Class 3.19.1. ServiceName Class
This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
IANAService?, URL*, Description* IANAService?, URL*, Description*, Description_ML*
Example:
"ServiceName": {
"IANAService": "telnet" //STRING
"URL": "https://en.wikipedia.org/wiki/Telnet" //STRING
"Description": "It seems to be a scan from an infected machine." //STRING
},
3.19.2. ApplicationHeader Class
This class is defined in Section 3.20.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
ApplicationHeaderField+
Example: Example:
"ApplicationHeader": { "ServiceName": {
"ApplicationHeaderField": {} "IANAService": "telnet" //STRING
} "URL": "https://en.wikipedia.org/wiki/Telnet" //STRING
"Description":["It is a scan from an infected machine."]//STRING
},
3.20. EmailData Class 3.19.2. EmailData Class
This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
HashData*, SignatureData* HashData*, Signature*
Example:
"EmailData":{
"EmailTo": "user1@example.org" //EMAIL
"EmailFrom": "user2@example.com" //EMAIL
"EmailSubject": "example email" //STRING
"EmailX-Mailer": "example mailer v1.1.0" //STRING
"EmailBody": "example email" //STRING
}
3.21. Record Class
This class is defined in Section 3.22 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
restriction?, ext-restriction?, RecordData+
Example: Example:
"Record": { "EmailData":{
"RecordData": { "EmailTo": "user1@example.org" //EMAIL
"RecordPattern": { "EmailFrom": "user2@example.com" //EMAIL
"type": "regex", //ENUM "EmailSubject": "example email" //STRING
"value": "[0-9][A-Z]" "EmailX-Mailer": "example mailer v1.1.0" //STRING
} "EmailBody": "example email" //STRING
}, }
"RecordItem": {} Note that Signature element in this class contains base64 encoded
}, form of signature as described in Section 4.2 of [W3C.XMLSIG].
3.21.1. RecordData Class 3.19.3. RecordData Class
This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, observable-id?, DateTime?, restriction?, ext-restriction?, observable-id?, DateTime?,
Description*, Application?, RecordPattern*, RecordItem*, URL*, Description*, Description_ML*, Application?, RecordPattern*,
FileData*, WindowsRegistryKeysModified*, CertificateData*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*,
AdditionalData* CertificateData*, AdditionalData*
Example: Example:
"RecordData": { "RecordData": {
"RecordPattern": { "RecordPattern": {
"type": "regex", "type": "regex",
"value": "[0-9][A-Z]" "value": "[0-9][A-Z]"
} }
}, },
3.21.2. RecordPattern Class 3.19.4. RecordPattern Class
This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
value value
Example: Example:
"RecordPattern": { "RecordPattern": {
"type": "regex", "type": "regex",
"value": "[0-9][A-Z]" "value": "[0-9][A-Z]"
}, },
3.22. WindowsRegistryKeysModified Class 3.20. WindowsRegistryKeysModified Class
This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
observable-id?, Key+ observable-id?, Key+
Example: Example:
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"Key": { "Key": {
"KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
"KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING
} }
} }
3.22.1. Key Class 3.20.1. Key Class
This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
registryaction?, ext-registryaction?, observable-id?, KeyName, registryaction?, ext-registryaction?, observable-id?, KeyName,
KeyValue? KeyValue?
Example: Example:
"Key": { "Key": {
"KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING
"KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING
} }
3.23. CertificateData Class 3.21. CertificateData Class
This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, observable-id?, Certificate+ restriction?, ext-restriction?, observable-id?, Certificate+
Example: Example:
"CertificateData": { "CertificateData": {
"Certificate": { "Certificate": {
"X509Data": "xxxxxxxx" //STRING "X509Data": "xxxxxxxx" //STRING
} }
} }
3.23.1. Certificate Class 3.21.1. Certificate Class
This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The
X509Data class contains base64 encoded form of X.509 certificate or X509Data class contains base64 encoded form of X.509 certificate or
chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example
below represents how to describe this class in JSON. below represents how to describe this class in JSON.
Class elements: Class elements:
observable-id?, X509Data, Description* observable-id?, X509Data, Description*, Description_ML*
Example: Example:
"Certificate": { "Certificate": {
"X509Data": "xxxxxxxx" //STRING "X509Data": "xxxxxxxx" //STRING
} }
3.24. FileData Class 3.22. FileData Class
This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, observable-id?, File+ restriction?, ext-restriction?, observable-id?, File+
Example: Example:
"FileData": { "FileData": {
"File": { "File": {
"FileName": "dummy.exe" //STRING "FileName": "dummy.exe" //STRING
} }
}, },
3.24.1. File Class 3.22.1. File Class
This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
SignatureData?, AssociatedSoftware?, FileProperties* Signature*, AssociatedSoftware?, FileProperties*
Example: Example:
"File": { "File": {
"FileName": "dummy.exe" //STRING "FileName": "dummy.exe" //STRING
} }
3.25. HashData Class Note that Signature element in this class contains base64 encoded
form of signature as described in Section 4.2 of [W3C.XMLSIG].
3.23. HashData Class
This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
scope, HashTargetID?, Hash*, FuzzyHash* scope, HashTargetID?, Hash*, FuzzyHash*
Example: Example:
"HashData": { "HashData": {
"scope": "file-contents", //ENUM "scope": "file-contents", //ENUM
"Hash": { "Hash": {
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1", //STRING
"DigestValue": "xxxxxxxxxxx" //STRING "DigestValue": "xxxxxxxxxxx" //STRING
} }
} }
3.25.1. Hash Class 3.23.1. Hash Class
This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
DigestMethod, DigestValue, CanonicalizationMethod?, Application? DigestMethod, DigestValue, CanonicalizationMethod?, Application?
Example: Example:
"Hash": { "Hash": {
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
"DigestValue": "xxxxxxxxxxx" //STRING "DigestValue": "xxxxxxxxxxx" //STRING
} }
3.25.2. FuzzyHash Class 3.23.2. FuzzyHash Class
This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
FuzzyHashValue+, Application?, AdditionalData? FuzzyHashValue+, Application?, AdditionalData?
Example: Example:
"FuzzyHash": { "FuzzyHash": {
"FuzzyHashValue": {} "FuzzyHashValue": {}
} }
3.26. SignatureData Class 3.24. Indicator Class
This class is defined in Section 3.27 of RFC 7970 [RFC7970]. The
Signature class contains base64 encoded form of signature as
described in Section 4.2 of [W3C.XMLSIG]. The example below
represents how to describe this class in JSON.
Class elements:
Signature+
Example:
"SignatureData": {
"Signature": "xxxxxxxx" //STRING
}
3.27. Indicator Class
This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*, restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
Description*, StartTime?, EndTime?, Confidence?, Contact*, Description*, Description_ML*, StartTime?, EndTime?, Confidence?,
Observable?, ObservableReference?, IndicatorExpression?, Contact*, Observable?, uid-ref?, IndicatorExpression?,
IndicatorReference?, NodeRole*, AttackPhase*, Reference*, IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
AdditionalData* AdditionalData*
Example: Example:
"Indicator": { "Indicator": {
"IndicatorID": { "IndicatorID": {
"id": "G90823490", //STRING "id": "G90823490", //STRING
"name": "csirt.example.com", //STRING "name": "csirt.example.com", //STRING
"version": "1" //STRING "version": "1" //STRING
}, },
"Description": "C2 domains", //ML_STRING "Description": ["C2 domains"], //STRING
"StartTime": "2014-12-02T11:18:00-05:00", //Datetime "StartTime": "2014-12-02T11:18:00-05:00", //Datetime
"Observable": { "Observable": {
"BulkObservable": { "BulkObservable": {
"type": "fqdn" //ENUM "type": "fqdn" //ENUM
}, },
"BulkObservableList": [ "BulkObservableList": [
"kj290023j09r34.example.com", //STRING "kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING "09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING "klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING "oimireik79msd.example.org" //STRING
] ]
} }
} }
3.27.1. IndicatorID Class 3.24.1. IndicatorID Class
This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
id, name, version id, name, version
Example: Example:
"IndicatorID": { "IndicatorID": {
"id": "G90823490", //STRING "id": "G90823490", //STRING
"name": "csirt.example.com", //STRING "name": "csirt.example.com", //STRING
"version": "1" //STRING "version": "1" //STRING
} }
3.27.2. AlternativeIndicatorID Class 3.24.2. AlternativeIndicatorID Class
This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, IndicatorReference+ restriction?, ext-restriction?, IndicatorReference+
Example: Example:
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"IndicatorReference": { "IndicatorReference": {
"uid-ref": "xxxxx" "uid-ref": "xxxxx"
} }
}, },
3.27.3. Observable Class 3.24.3. Observable Class
This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
restriction?, ext-restriction?, System?, Address?, DomainData?, restriction?, ext-restriction?, System?, Address?, DomainData?,
Service?, EmailData?, WindowsRegistryKeysModified?, FileData?, Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
CertificateData?, RegistryHandle?, RecordData?, EventData?, CertificateData?, RegistryHandle?, RecordData?, EventData?,
Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?, Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
HistoryItem?, BulkObservable?, AdditionalData* HistoryItem?, BulkObservable?, AdditionalData*
Example: Example:
"Observable": { "Observable": {
"BulkObservable": { "BulkObservable": {
"type": "fqdn" //ENUM "type": "fqdn" //ENUM
}, },
"BulkObservableList": [ "BulkObservableList": [
"kj290023j09r34.example.com", //STRING "kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING "09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING "klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING "oimireik79msd.example.org" //STRING
] ]
} }
3.27.4. BulkObservable Class 3.24.4. BulkObservable Class
This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
type?, ext-type?, BulkObservableFormat?, BulkObservableList, type?, ext-type?, BulkObservableFormat?, BulkObservableList,
AdditionalData* AdditionalData*
Example: Example:
"BulkObservable": { "BulkObservable": {
"type": "fqdn" //ENUM "type": "fqdn" //ENUM
}, },
"BulkObservableList": [ "BulkObservableList": [
"kj290023j09r34.example.com", //STRING "kj290023j09r34.example.com", //STRING
"09ijk23jfj0k8.example.net", //STRING "09ijk23jfj0k8.example.net", //STRING
"klknjwfjiowjefr923.example.org", //STRING "klknjwfjiowjefr923.example.org", //STRING
"oimireik79msd.example.org" //STRING "oimireik79msd.example.org" //STRING
] ]
3.27.5. BulkObservableFormat Class 3.24.5. BulkObservableFormat Class
This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970]. This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
The example below represents how to describe this class in JSON. The example below represents how to describe this class in JSON.
Class elements: Class elements:
Hash?, AdditionalData* Hash?, AdditionalData*
Example: Example:
"BulkObservableFormat": { "BulkObservableFormat": {
"Hash": { "Hash": {
"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1",//STRING
"DigestValue": "xxxxxxxxxxx" //STRING "DigestValue": "xxxxxxxxxxx" //STRING
}
}
3.27.6. IndicatorExpression Class
This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON.
Class elements:
operator?, ext-operator?, IndicatorExpression*, Observable*,
ObservableReference*, IndicatorReference*, Confidence?,
AdditionalData*
Example:
"IndicatorExpression": {
"ObservableReference": {
"uid-ref": "xxxxx"
} }
} }
3.27.7. ObservableReference Class 3.24.6. IndicatorExpression Class
This class is defined in Section 3.29.6 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
uid-ref operator?, ext-operator?, IndicatorExpression*, Observable*, uid-
ref*, IndicatorReference*, Confidence?, AdditionalData*
Example: Example:
"ObservableReference": { "IndicatorExpression": {
"uid-ref": "xxxxx" "uid-ref": "xxxxx"
}, }
3.27.8. IndicatorReference Class 3.24.7. IndicatorReference Class
This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
uid-ref?, euid-ref?, version? uid-ref?, euid-ref?, version?
Example: Example:
"IndicatorReference": { "IndicatorReference": {
"uid-ref": "xxxxx" "uid-ref": "xxxxx"
} }
3.27.9. AttackPhase Class 3.24.8. AttackPhase Class
This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The
example below represents how to describe this class in JSON. example below represents how to describe this class in JSON.
Class elements: Class elements:
AttackPhaseID*, URL*, Description*, AdditionalData* AttackPhaseID*, URL*, Description*, Description_ML*, AdditionalData*
Example: Example:
"AttackPhase": { "AttackPhase": {
"Description": "Currently, the infected host is scanning arbitrary hosts to find next targets." //ML_STRING "Description": ["Currently, the infected host is scanning arbitrary hosts to find next targets."] //STRING
} }
4. Notable differences from RFC 7970 (to be deleted) 4. Notable differences from RFC 7970
o This document treats attributes and elements of each class defined o This document treats attributes and elements of each class defined
in RFC 7970 [RFC7970] equally and is agnostic on the order of in RFC 7970 [RFC7970] equally and is agnostic on the order of
their appearances. their appearances.
o Flow class is deleted, and EventData class now has the instance of o Flow class is deleted, and classes with its instances now directly
System class. have instances of System class that used to belong to the Flow
class.
o Record class is deleted, and the link to the Record class is o ApplicationHeader class is deleted, and classes with its instances
directly connected to RecordData class, which is then renamed to now directly have instances of ApplicationHeaderField class that
Record class. used to belong to the ApplicationHeader class.
o SignatureData class is deleted, and classes with its instances now
directly have instance of Signature class that used to belong to
the SignatureData class.
o IndicatorData class is deleted, and classes with its instances now
directly have the instances of Indicator class that used to belong
to the IndicatorData class.
o ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element.
o Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to
belong to the Record class.
o The elements of ML_STRING type are prepared as two separate
elements: one of STRING type and another of ML_STRING type, in
order to maintain the simplicity of IODEF documents when writing
with only STRING type characters.
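The two bullets above that matter most to an implementer are the flattening of wrapper classes and the ML_STRING split, because both change the shape of documents written against -01. The following is an added example, not code from the draft or from any IODEF implementation: a validator for the small subset of JSON Schema keywords the draft's schema in Section 5 uses (type, properties, required, additionalProperties, enum, items, pattern, $ref), applied to a transcription of the draft's Service and ServiceName definitions, together with a helper that rewrites the -01 ML_STRING shape {"value": "..."} into the -02 shape (an array of STRING for elements such as Description, a plain STRING for attributes such as meaning, and a *_ML element when a language tag is present). The object shape assumed for *_ML elements, the PORTLIST pattern, and the sample document are assumptions; the Service transcription stops where the draft's excerpt does, so ApplicationHeaderField, EmailData and Application are omitted.

```python
import re

# Subset of the draft's JSON Schema transcribed from Section 5 (Service,
# ServiceName).  MLStringType and the PORTLIST pattern are assumptions
# made for this example; the draft's excerpt does not show them.
SCHEMA = {
    "definitions": {
        "IDtype": {"type": "string"},
        "PORTLIST": {"type": "string",
                     "pattern": r"^\d+(-\d+)?(,\d+(-\d+)?)*$"},
        "MLStringType": {  # assumed shape of one *_ML entry
            "type": "object",
            "properties": {"value": {"type": "string"},
                           "lang": {"type": "string"},
                           "translation-id": {"type": "string"}},
            "required": ["value"],
            "additionalProperties": False},
        "ServiceName": {
            "type": "object",
            "properties": {
                "IANAService": {"type": "string"},
                "URL": {"type": "array", "items": {"type": "string"}},
                "Description": {"type": "array", "items": {"type": "string"}},
                "Description_ML": {"type": "array",
                                   "items": {"$ref": "#/definitions/MLStringType"}}},
            "additionalProperties": False},
        "Service": {
            "type": "object",
            "properties": {
                "ip-protocol": {"type": "integer"},
                "observable-id": {"$ref": "#/definitions/IDtype"},
                "ServiceName": {"$ref": "#/definitions/ServiceName"},
                "Port": {"type": "integer"},
                "Portlist": {"$ref": "#/definitions/PORTLIST"},
                "ProtoCode": {"type": "integer"},
                "ProtoType": {"type": "integer"},
                "ProtoField": {"type": "integer"}},
            "additionalProperties": False},
    }
}

TYPES = {"object": dict, "array": list, "string": str,
         "integer": int, "number": (int, float), "boolean": bool}


def validate(instance, schema, root=SCHEMA, path="$"):
    """Return a list of error strings; an empty list means valid."""
    if "$ref" in schema:                       # resolve "#/definitions/X"
        node = root
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        return validate(instance, node, root, path)
    errors = []
    t = schema.get("type")
    if t is not None:
        # bool is a subclass of int in Python; JSON Schema keeps them apart
        if (t == "integer" and isinstance(instance, bool)) \
                or not isinstance(instance, TYPES[t]):
            return [f"{path}: expected {t}, got {type(instance).__name__}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in enum")
    if "pattern" in schema and not re.search(schema["pattern"], instance):
        errors.append(f"{path}: {instance!r} does not match pattern")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required {key}")
        for key, value in instance.items():
            if key in props:
                errors += validate(value, props[key], root, f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errors.append(f"{path}: unexpected property {key}")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], root, f"{path}[{i}]")
    return errors


ML_ELEMENTS = {"Description", "Location"}   # ML_STRING elements -> array of STRING
ML_ATTRIBUTES = {"meaning"}                 # ML_STRING attributes -> one STRING


def upgrade_01_to_02(node):
    """Rewrite -01 ML_STRING values into the -02 STRING / *_ML split."""
    if isinstance(node, list):
        return [upgrade_01_to_02(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in ML_ELEMENTS | ML_ATTRIBUTES and isinstance(value, dict) \
                and "value" in value:
            if "lang" in value:              # tagged text goes to the *_ML element
                out.setdefault(key + "_ML", []).append(value)
            elif key in ML_ATTRIBUTES:
                out[key] = value["value"]
            else:
                out.setdefault(key, []).append(value["value"])
        elif key in ML_ELEMENTS and isinstance(value, str):
            out[key] = [value]               # -01 wrote some Descriptions as bare strings
        else:
            out[key] = upgrade_01_to_02(value)
    return out


# Constructed sample in the -01 shape, modelled on the draft's Service example.
SERVICE_01 = {
    "ServiceName": {
        "IANAService": "telnet",
        "Description": {"value": "It seems to be a scan from an infected machine."}},
    "ip-protocol": 6,
    "Port": 49183,
}


def check_service(doc):
    return validate(doc, {"$ref": "#/definitions/Service"})


if __name__ == "__main__":
    print(check_service(SERVICE_01))                      # old shape is rejected
    print(check_service(upgrade_01_to_02(SERVICE_01)))    # [] after the rewrite
```

The validator deliberately rejects unknown keys wherever the draft's schema says "additionalProperties": false, which is the check that catches documents still carrying a Flow, Record, SignatureData or ObservableReference wrapper after the flattening described above.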
5. Examples 5. Examples
This section provides examples of IODEF documents. These examples This section provides examples of IODEF documents. These examples
do not represent the full capabilities of the data model or the only do not represent the full capabilities of the data model or the only
way to encode particular information. way to encode particular information.
5.1. Minimal Example 5.1. Minimal Example
A document containing only the mandatory elements and attributes. A document containing only the mandatory elements and attributes.
"csv","winreg","xml","ext-value"]}, "csv","winreg","xml","ext-value"]},
"ext-dtype": {"type": "string"}, "ext-dtype": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"formatid": {"type": "string"}, "formatid": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}}, "observable-id": {"$ref": "#/definitions/IDtype"}}},
"ExtensionTypeList": { "ExtensionTypeList": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}}, "items": {"$ref": "#/definitions/ExtensionType"}},
"SoftwareType": { "SoftwareType": {
"type": "object", "type": "object",
"properties": { "properties": {
"SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
"URL": {"$ref": "#/definitions/URLtype"}, "URL": {"$ref": "#/definitions/URLtype"},
"Description": {"type": "string"}}, "Description": {"type": "array", "items": {"type":"string"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SoftwareReference": { "SoftwareReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"spec-name": {"type": "string"}, "spec-name": {"type": "string"},
"ext-spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"},
"dtype": {"type": "string"}, "dtype": {"type": "string"},
"ext-dtype": {"type": "string"}}, "ext-dtype": {"type": "string"}},
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array","items": {"$ref": "#/definitions/Contact"}},
"Discovery": { "Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"Method": { "Method": {
"type": "array","items": {"$ref": "#/definitions/Method"}}, "type": "array","items": {"$ref": "#/definitions/Method"}},
"System": { "System": {
"type": "array","items": {"$ref": "#/definitions/System"}}, "type": "array","items": {"$ref": "#/definitions/System"}},
"Expectation": { "Expectation": {
"type": "array","items": {"$ref": "#/definitions/Expectation"}}, "type": "array","items": {"$ref": "#/definitions/Expectation"}},
"Record": {"$ref": "#/definitions/Record"}, "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}},
"EventData": { "EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}}, "type": "array","items": {"$ref": "#/definitions/EventData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["ReportTime"], "required": ["ReportTime"],
"additionalProperties": false}, "additionalProperties": false},
"Expectation": { "Expectation": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref":"#/definitions/action"}, "action": {"$ref":"#/definitions/action"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"assignedAndOnHold","revoked","transferPending","registryLock", "assignedAndOnHold","revoked","transferPending","registryLock",
"registrarLock","other","unknown","ext-value"]}, "registrarLock","other","unknown","ext-value"]},
"ext-domain-status": {"type": "string"}, "ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"}, "Name": {"type": "string"},
"DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
"RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": { "RelatedDNS": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"NameServers": { "NameServers": {
"type": "array","items": {"$ref": "#/definitions/NameServers"}}, "type": "array","items": {"$ref": "#/definitions/NameServers"}},
"DomainContacts": { "DomainContacts": {
"type": "array","items": {"$ref": "#/definitions/DomainContacts"}}}, "$ref": "#/definitions/DomainContacts"}},
"required": ["Name","system-status","domain-status"], "required": ["Name","system-status","domain-status"],
"additionalProperties": false}, "additionalProperties": false},
"NameServers": { "NameServers": {
"type": "object", "type": "object",
"properties": { "properties": {
"Server": {"type": "string"}, "Server": {"type": "string"},
"Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}}, "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
"required": ["Server","Address"], "required": ["Server","Address"],
"additionalProperties": false}, "additionalProperties": false},
"DomainContacts": { "DomainContacts": {
skipping to change at page 48, line 32 skipping to change at page 47, line 36
"type": "object", "type": "object",
"properties": { "properties": {
"ip-protocol": {"type": "integer"}, "ip-protocol": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"}, "ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "integer"}, "Port": {"type": "integer"},
"Portlist": {"$ref": "#/definitions/PORTLIST"}, "Portlist": {"$ref": "#/definitions/PORTLIST"},
"ProtoCode": {"type": "integer"}, "ProtoCode": {"type": "integer"},
"ProtoType": {"type": "integer"}, "ProtoType": {"type": "integer"},
"ProtoField": {"type": "integer"}, "ProtoField": {"type": "integer"},
"ApplicationHeader": {"$ref": "#/definitions/ApplicationHeader"}, "ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ServiceName": { "ServiceName": {
"type": "object", "type": "object",
"properties": { "properties": {
"IANAService": {"type": "string"}, "IANAService": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {"type": "array","items": {"type": "string"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ApplicationHeader": {
"type": "object",
"properties": {
"ApplicationHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
"required": ["ApplicationHeaderField"],
"additionalProperties": false},
"EmailData": { "EmailData": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": {"type": "array","items": {"type": "string"}}, "EmailTo": {"type": "array","items": {"type": "string"}},
"EmailFrom": {"type": "string"}, "EmailFrom": {"type": "string"},
"EmailSubject": {"type": "string"}, "EmailSubject": {"type": "string"},
"EmailX-Mailer": {"type": "string"}, "EmailX-Mailer": {"type": "string"},
"EmailHeaderField": { "EmailHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"EmailHeaders": {"type": "string"}, "EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"}, "EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"}, "EmailMessage": {"type": "string"},
"HashData": { "HashData": {
"type": "array","items": {"$ref": "#/definitions/HashData"}}, "type": "array","items": {"$ref": "#/definitions/HashData"}},
"SignatureData": { "Signature": {"type": "array","items": {"type": "string"}}},
"type": "array","items": {"$ref": "#/definitions/SignatureData"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Record":{
"type": "object",
"properties":{
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"RecordData": {
"type": "array","items": {"$ref": "#/definitions/RecordData"}}},
"required":["RecordData"],
"additionalProperties": false},
"RecordData": { "RecordData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}},
"Applicadtion": {"$ref": "#/definitions/SoftwareType"}, "Applicadtion": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": { "RecordPattern": {
skipping to change at page 51, line 27 skipping to change at page 50, line 15
"required": ["File"], "required": ["File"],
"additionalProperties": false}, "additionalProperties": false},
"File": { "File": {
"type": "object", "type": "object",
"properties": { "properties": {
"FileName": {"type": "string"}, "FileName": {"type": "string"},
"FileSize": {"type": "integer"}, "FileSize": {"type": "integer"},
"FileType": {"type": "string"}, "FileType": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"HashData": {"$ref": "#/definitions/HashData"}, "HashData": {"$ref": "#/definitions/HashData"},
"SignatureData": {"$ref": "#/definitions/SignatureData"}, "Signature": {"type": "array","items": {"type": "string"}},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": { "FileProperties": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"HashData": { "HashData": {
"type": "object", "type": "object",
"properties": { "properties": {
"scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
"file-pe-resource","file-pdf-object","email-hash", "file-pe-resource","file-pdf-object","email-hash",
skipping to change at page 52, line 16 skipping to change at page 50, line 51
"additionalProperties": false}, "additionalProperties": false},
"FuzzyHash": { "FuzzyHash": {
"type": "object", "type": "object",
"properties": { "properties": {
"FuzzyHashValue": { "FuzzyHashValue": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"], "required": ["FuzzyHashValue"],
"additionalProperties": false}, "additionalProperties": false},
"SignatureData": {
"type": "object",
"properties": {
"Signature": {"type": "array","items": {"type": "string"}}},
"required": ["Signature"],
"additionalProperties": false},
"Indicator": { "Indicator": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": { "Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array","items": {"$ref": "#/definitions/Contact"}},
"Observable": {"$ref": "#/definitions/Observable"}, "Observable": {"$ref": "#/definitions/Observable"},
"ObservableReference": {"$ref": "#/definitions/ObservableReference"}, "uid-ref": {"type": "string"},
"IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"}, "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
"IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
"NodeRole": { "NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"AttackPhase": { "AttackPhase": {
"type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
"Reference": { "Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}}, "type": "array","items": {"$ref": "#/definitions/Reference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"], "required": ["IndicatorID"],
skipping to change at page 53, line 34 skipping to change at page 52, line 15
"System": {"$ref": "#/definitions/System"}, "System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"}, "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"}, "DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"}, "Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"}, "$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"}, "FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
"Record": {"$ref": "#/definitions/Record"}, "RecordData": {"type": "array", "item": {"$ref": "#/definitions/Record"}},
"EventData": {"$ref": "#/definitions/EventData"}, "EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"}, "Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"}, "Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"}, "Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"type": "string"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservable": { "BulkObservable": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
"site-url","domain-name","domain-to-ipv4","domain-to-ipv6", "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
"domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
"ipv4-port","ipv6-port","windows-reg-key","file-hash", "ipv4-port","ipv6-port","windows-reg-key","file-hash",
"email-x-mailer","email-subject","http-user-agent", "email-x-mailer","email-subject","http-user-agent",
"http-request-url","mutex","file-path","user-name", "http-request-url","mutex","file-path","user-name",
"ext-value"]}, "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "string"}, "BulkObservableList": {"type": "array", "item":{"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservableFormat": { "BulkObservableFormat": {
"type": "object", "type": "object",
"properties": { "properties": {
"Hash": {"$ref": "#/definitions/Hash"}, "Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorExpression": { "IndicatorExpression": {
"type": "object", "type": "object",
"properties": { "properties": {
"operator": {"enum": ["not","and","or","xor"]}, "operator": {"enum": ["not","and","or","xor"]},
"ext-operator": {"type": "string"}, "ext-operator": {"type": "string"},
"IndicatorExpression": { "IndicatorExpression": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}}, "items": {"$ref": "#/definitions/IndicatorExpression"}},
"Observable": { "Observable": {
"type": "array","items": {"$ref": "#/definitions/Observable"}}, "type": "array","items": {"$ref": "#/definitions/Observable"}},
"ObservableReference": { "uid-ref": {"type": "string"},
"type": "array",
"items": {"$ref": "#/definitions/ObservableReference"}},
"IndicatorReference": { "IndicatorReference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}}, "items": {"$ref": "#/definitions/IndicatorReference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ObservableReference": {
"type": "object",
"properties": {"uid-ref": {"type": "string"}},
"required": ["uid-ref"],
"additionalProperties": false},
"IndicatorReference": { "IndicatorReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"uid-ref": {"type": "string"}, "uid-ref": {"type": "string"},
"euid-ref": {"type": "string"}, "euid-ref": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"AttackPhase": { "AttackPhase": {
"type": "object", "type": "object",
"properties": { "properties": {
"AttackPhaseID": {"type": "array","items": {"type": "string"}}, "AttackPhaseID": {"type": "array","items": {"type": "string"}},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
skipping to change at page 56, line 39 skipping to change at page 55, line 13
<https://www.rfc-editor.org/info/rfc3552>. <https://www.rfc-editor.org/info/rfc3552>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, IANA Considerations Section in RFCs", RFC 5226,
DOI 10.17487/RFC5226, May 2008, DOI 10.17487/RFC5226, May 2008,
<https://www.rfc-editor.org/info/rfc5226>. <https://www.rfc-editor.org/info/rfc5226>.
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
NICT National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
Email: takeshi_takahashi@nict.go.jp Email: takeshi_takahashi@nict.go.jp
Roman Danyliw
CERT, Software Engineering Institute, Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA
USA
Email: rdd@cert.org
Mio Suzuki Mio Suzuki
NICT National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Email: mio@nict.go.jp Email: mio@nict.go.jp
 End of changes. 123 change blocks. 
321 lines changed or deleted 255 lines changed or added
