draft-ietf-mile-jsoniodef-03.txt   draft-ietf-mile-jsoniodef-04.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: September 19, 2018 CERT Expires: January 18, 2019 CERT
M. Suzuki M. Suzuki
NICT NICT
March 18, 2018 July 17, 2018
JSON binding of IODEF JSON binding of IODEF
draft-ietf-mile-jsoniodef-03 draft-ietf-mile-jsoniodef-04
Abstract Abstract
RFC7970 specified an information model and a corresponding XML data RFC7970 specified an information model and a corresponding XML data
model for exchanging incident and indicator information. This draft model for exchanging incident and indicator information. This draft
provides an alternative data model implementation in JSON. provides an alternative data model implementation in JSON.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 19, 2018. This Internet-Draft will expire on January 18, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 15 skipping to change at page 2, line 15
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3
2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 4 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 4
2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 4 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 4
2.2.2. Software . . . . . . . . . . . . . . . . . . . . . . 5 2.2.2. Software and SoftwareReference . . . . . . . . . . . 5
2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 5 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 5
3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 5 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 5 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 6
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 6
3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 16 3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 16
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 17 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 17
4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 17 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 18
5. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 19 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 20
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 38 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
8. Security Considerations . . . . . . . . . . . . . . . . . . . 38 8. Security Considerations . . . . . . . . . . . . . . . . . . . 35
9. Normative References . . . . . . . . . . . . . . . . . . . . 38 9. Normative References . . . . . . . . . . . . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 Appendix A. The IODEF Data Model (JSON Schema) . . . . . . . . . 35
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55
1. Introduction 1. Introduction
[RFC7970] defines a data representation for security incident reports [RFC7970] defines a data representation for security incident reports
and indicators commonly exchanged by operational security teams. It and indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable facilitates the automated exchange of this information to enable
mitigation and watch-and-warning. Section 3 of [RFC7970] defined an mitigation and watch-and-warning. Section 3 of [RFC7970] defined an
information model using Unified Modeling Language (UML) and a information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in corresponding Extensible Markup Language (XML) schema data model in
Section 8. This UML-based information model and XML-based data model Section 8. This UML-based information model and XML-based data model
skipping to change at page 4, line 27 skipping to change at page 4, line 27
| HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] |
| ENUM | Section 2.6 | "enum" array per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] |
| DATETIME | Section 2.7 | "string" per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] |
| TIMEZONE | Section 2.8 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] |
| PORTLIST | Section 2.9 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] |
| POSTAL | Section 2.10 | "string" per [jsonschema] | | POSTAL | Section 2.10 | "string" per [jsonschema] |
| POSTAL_ML | Section 2.10 | see ML_STRING, Section 2.2.1 | | POSTAL_ML | Section 2.10 | see ML_STRING, Section 2.2.1 |
| PHONE | Section 2.11 | "string" per [jsonschema] | | PHONE | Section 2.11 | "string" per [jsonschema] |
| EMAIL | Section 2.12 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] |
| URL | Section 2.13 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] |
| ID | Section 2.14 | "string" per [jsonschema] |
| IDREF | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] |
| SOFTWARE | Section 2.15 | see Section 2.2.2 | | SOFTWARE | Section 2.15 | see Section 2.2.2 |
| STRUCTURED | N/A | see Section 2.2.3 | | STRUCTURED | RFC 7203 | see Section 2.2.3 |
| EXTENSION | Section 2.16 | see Section 2.2.4 |
+-----------------+-------------------+-------------------------------+ +-----------------+-------------------+-------------------------------+
Figure 1 Figure 1
2.2. Complex JSON Types 2.2. Complex JSON Types
2.2.1. Multilingual Strings 2.2.1. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in different than the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id" implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 5. Examples are shown below. elements as defined in Section 5. Examples are shown below.
"MLStringType": { "MLStringType": {
"value": "free-form text", //STRING "value": "free-form text", //STRING
"lang": "en", //ENUM "lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING "translation-id": "jp2en0023" //STRING
} }
2.2.2. Software 2.2.2. Software and SoftwareReference
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL, or with free-form text. The SOFTWARE data using a reference, a URL, or with free-form text. The SOFTWARE data
type is implemented as an object with "SoftwareReference", "URL", type is implemented as an object with "SoftwareReference", "URL",
"Description", and "Description_ML" elements as defined in Section 5. "Description", and "Description_ML" elements as defined in Section 5.
Examples are shown below. Examples are shown below.
"SoftwareType": { "SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference "SoftwareReference": {...}, //SoftwareReference
"Description": ["MS Windows"] //STRING "Description": ["MS Windows"] //STRING
} }
SoftwareReference class is a reference to a particular version of
software. Examples are shown below.
"SoftwareReference": {
"value": "cpe:/a:google:chrome:59.0.3071.115", //STRING
"spec-name": "cpe", //ENUM
"dtype": "string" //ENUM
}
2.2.3. StructuredInfo 2.2.3. StructuredInfo
Information provided in the form of a structured string, such as an ID, Information provided in the form of a structured string, such as an ID,
or of structured information, such as an XML document, is represented in the or of structured information, such as an XML document, is represented in the
information model by the StructuredInfo data type. Note that this information model by the StructuredInfo data type. Note that this
type was originally specified in RFC7203. The StructuredInfo data type was originally specified in RFC7203. The StructuredInfo data
type is implemented as an object with "SpecID", "ext-SpecID", type is implemented as an object with "SpecID", "ext-SpecID",
"ContentID", "RawData", "Reference" elements. An example for "ContentID", "RawData", "Reference" elements. An example for
embedding a structured ID is shown below. embedding a structured ID is shown below.
skipping to change at page 5, line 42 skipping to change at page 6, line 5
} }
When embedding the raw data, base64 conversion should be used for When embedding the raw data, base64 conversion should be used for
encoding the data, as shown below. encoding the data, as shown below.
"StructuredInformation": { "StructuredInformation": {
"SpecID": "oval", //ENUM "SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>" //BYTE "RawData": "<<<strings encoded with base64>>>" //BYTE
} }
2.2.4. EXTENSION
Information not otherwise represented in the IODEF can be added using
the EXTENSION data type. This data type is a generic extension
mechanism. The EXTENSION data type is implemented as an
ExtensionType object with "value", "name", "dtype", "ext-dtype",
"meaning", "formatid", "restriction", "ext-restriction", and
"observable-id" elements. An example carrying a syslog record from a
security appliance is shown below.
"ExtensionType": {
"value": "xxxxxxx", //STRING
"name": "Syslog", //STRING
"dtype": "string", //ENUM
"meaning": "Syslog from the security appliance X" //STRING
}
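The complex types of Sections 2.2.1 to 2.2.4, built and checked in Python. This is an added example, not code from the draft or from any IODEF implementation: member names are taken from the JSON examples above, the enum lists are abbreviated to the values listed in Section 5, and the embedded XML fragment, its namespace and the ContentID are constructed placeholders.

```python
"""Builders and checks for the complex IODEF JSON types of Section 2.2.

Added illustration, not code from the draft. It builds MLStringType,
SoftwareType/SoftwareReference, StructuredInformation and ExtensionType
objects with the member names used in the examples above, carries
StructuredInformation RawData as base64 text and recovers it, and enforces
the IODEF rule that an "ext-value" enum selection needs its ext-* member.
Enum lists are abbreviated (assumption: Section 5 holds the full lists).
"""
import base64
import binascii
import xml.etree.ElementTree as ET

SPEC_NAMES = {"custom", "cpe", "swid", "ext-value"}
EXT_DTYPES = {"boolean", "byte", "bytes", "character", "date-time", "ntpstamp",
              "integer", "portlist", "real", "string", "file", "path", "frame",
              "packet", "ipv4-packet", "ipv6-packet", "url", "csv", "winreg",
              "xml", "ext-value"}


def ml_string(value, lang, translation_id=None):
    """MLStringType: free-form text tagged with the language it is written in."""
    obj = {"value": value, "lang": lang}
    if translation_id is not None:
        obj["translation-id"] = translation_id
    return obj


def software(reference=None, spec_name="cpe", ext_spec_name=None,
             url=None, description=None):
    """SoftwareType; a SoftwareReference names the version, e.g. by CPE."""
    if spec_name not in SPEC_NAMES:
        raise ValueError(f"unknown spec-name {spec_name!r}")
    if spec_name == "ext-value" and ext_spec_name is None:
        raise ValueError("spec-name ext-value requires ext-spec-name")
    obj = {}
    if reference is not None:
        # strip() guards against stray whitespace that would break CPE matching
        ref = {"value": reference.strip(), "spec-name": spec_name, "dtype": "string"}
        if ext_spec_name is not None:
            ref["ext-spec-name"] = ext_spec_name
        obj["SoftwareReference"] = ref
    if url is not None:
        obj["URL"] = url
    if description is not None:
        obj["Description"] = [description]
    return obj


def structured_info(spec_id, raw=None, content_id=None):
    """StructuredInformation; RawData is base64 text, never raw bytes in JSON."""
    obj = {"SpecID": spec_id}
    if content_id is not None:
        obj["ContentID"] = content_id
    if raw is not None:
        obj["RawData"] = base64.b64encode(raw).decode("ascii")
    return obj


def structured_raw_data(obj):
    """Recover RawData bytes, rejecting anything that is not strict base64."""
    try:
        return base64.b64decode(obj["RawData"], validate=True)
    except (KeyError, binascii.Error) as exc:
        raise ValueError("StructuredInformation has no valid RawData") from exc


def structured_xml_root(obj):
    """Parse the recovered RawData as XML and return the root element's tag."""
    return ET.fromstring(structured_raw_data(obj)).tag


def extension(name, value, dtype="string", meaning=None, ext_dtype=None):
    """ExtensionType: data the IODEF has no dedicated element for."""
    if dtype not in EXT_DTYPES:
        raise ValueError(f"unknown dtype {dtype!r}")
    if dtype == "ext-value" and ext_dtype is None:
        raise ValueError("dtype ext-value requires ext-dtype")
    obj = {"name": name, "value": value, "dtype": dtype}
    if ext_dtype is not None:
        obj["ext-dtype"] = ext_dtype
    if meaning is not None:
        obj["meaning"] = meaning
    return obj


# Constructed sample: a tiny XML fragment (placeholder namespace) embedded as
# the RawData of an "oval" StructuredInformation object.
XML_FRAGMENT = b'<oval_definitions xmlns="urn:example:oval"><generator/></oval_definitions>'
OVAL_INFO = structured_info("oval", XML_FRAGMENT, content_id="oval:example:def:1")
```

Two of the checks are the ones a receiver should keep: the strict base64 decode rejects a RawData member that is not valid base64 before any parser sees it, and the ext-value rule (RFC 7970: choosing "ext-value" in an enumerated attribute obliges the sender to populate the matching ext-* attribute) is applied to both spec-name and dtype.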
3. IODEF JSON Data Model 3. IODEF JSON Data Model
3.1. Classes and Elements 3.1. Classes and Elements
The following table shows the list of IODEF Classes, their elements, The following table shows the list of IODEF Classes, their elements,
and the corresponding section in [RFC7970]. Note that the complete and the corresponding section in [RFC7970]. Note that the complete
JSON schema is defined in Section 5. JSON schema is defined in Section 5.
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| IODEF Class | Class | Corresponding | | IODEF Class | Class | Corresponding |
skipping to change at page 6, line 30 skipping to change at page 7, line 10
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | IncidentID | | | | IncidentID | |
| | AlternativeID? | | | | AlternativeID? | |
| | RelatedActivity* | | | | RelatedActivity* | |
| | DetectTime? | | | | DetectTime? | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | RecoveryTime? | | | | RecoveryTime? | |
| | ReportTime? | | | | ReportTime? | |
| | GenrationTime? | | | | GenerationTime | |
| | Description* | | | | Description* | |
| | Description_ML* | | | | Description_ML* | |
| | Discovery* | | | | Discovery* | |
| | Assessment* | | | | Assessment* | |
| | Method* | | | | Method* | |
| | Contact+ | | | | Contact+ | |
| | EventData* | | | | EventData* | |
| | Indicator* | | | | Indicator* | |
| | History? | | | | History? | |
| | AdditionalData* | | | | AdditionalData* | |
skipping to change at page 7, line 37 skipping to change at page 8, line 17
| | Description* | | | | Description* | |
| | Description_ML* | | | | Description_ML* | |
| | AdditionalData* | 3.8 | | | AdditionalData* | 3.8 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Contact | role | | | Contact | role | |
| | ext-role? | | | | ext-role? | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | ContactName*,ContactName_ML* | | | | ContactName*, | |
| | ContactName_ML*, | |
| | ContactTitle* | | | | ContactTitle* | |
| | ContactTitle_ML* | | | | ContactTitle_ML* | |
| | Description* | | | | Description* | |
| | Description_ML* | | | | Description_ML* | |
| | RegistryHandle* | | | | RegistryHandle* | |
| | PostalAddress* | | | | PostalAddress* | |
| | Email* | | | | Email* | |
| | Telephone* | | | | Telephone* | |
| | Timezone? | | | | Timezone? | |
| | Contact* | | | | Contact* | |
| | AdditionalData* | 3.9 | | | AdditionalData* | 3.9 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| RegistryHandle | handle| | | | RegistryHandle | handle | |
| | registry| | | | | registry | |
| | ext-registry? | 3.9.1 | | | ext-registry? | 3.9.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| PostalAddress | type?| | | | PostalAddress | type? | |
| | ext-type?| | | | | ext-type? | |
| | PAddress| | | | | PAddress | |
| | Description*| | | | | Description* | |
| | Description_ML* | 3.9.2 | | | Description_ML* | 3.9.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Email | type? | | | Email | type? | |
| | ext-type? | | | | ext-type? | |
| | EmailTo | | | | EmailTo | |
| | Description* | | | | Description* | |
| | Description_ML* | 3.9.3 | | | Description_ML* | 3.9.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Telephone | type? | | | Telephone | type? | |
| | ext-type? | | | | ext-type? | |
skipping to change at page 8, line 48 skipping to change at page 9, line 29
| | Description_ML* | | | | Description_ML* | |
| | DetectionConfiguration* | | | | DetectionConfiguration* | |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Method | restriction? | | | Method | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | Reference* | | | | Reference* | |
| | Description* | | | | Description* | |
| | Description_ML* | | | | Description_ML* | |
| | AttackPattern* | | | | AttackPattern* | |
| | Vulnerability* | | | | Vulnerability* | |
| | Weakness* | 3.11 | | | Weakness* | |
| | AdditionalData* | 3.11 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Reference | observable-id? | | | Reference | observable-id? | |
| | ReferenceName? | | | | ReferenceName? | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | Description_ML* | 3.11.1 | | | Description_ML* | 3.11.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Assessment | occurrence? | | | Assessment | occurrence? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | observable-id? | | | | observable-id? | |
| | IncidentCategory* | | | | IncidentCategory* | |
| | SystemImpact* | | | | SystemImpact* | |
| | BusinessImpact* | | | | BusinessImpact* | |
| | TimeImpact* | | | | TimeImpact* | |
| | MonetaryImpact* | | | | MonetaryImpact* | |
| | IntendedImpact* | | | | IntendedImpact* | |
| | Counter* | | | | Counter* | |
| | MitigationFactor* | | | | MitigatingFactor* | |
| | MitigationFactor_ML*| | | | MitigatingFactor_ML*| |
| | Cause* | | | | Cause* | |
| | Cause_ML* | | | | Cause_ML* | |
| | Confidence? | | | | Confidence? | |
| | AdditionalData* | 3.12 | | | AdditionalData* | 3.12 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| SystemImpact | severity? | | | SystemImpact | severity? | |
| | completion? | | | | completion? | |
| | type | | | | type | |
| | ext-type? | | | | ext-type? | |
| | Description* | | | | Description* | |
skipping to change at page 10, line 38 skipping to change at page 11, line 20
| | Description_ML* | | | | Description_ML* | |
| | DetectTime? | | | | DetectTime? | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | RecoveryTime? | | | | RecoveryTime? | |
| | ReportTime? | | | | ReportTime? | |
| | Contact* | | | | Contact* | |
| | Discovery* | | | | Discovery* | |
| | Assessment? | | | | Assessment? | |
| | Method* | | | | Method* | |
| | System* | |
| | Expectation* | | | | Expectation* | |
| | RecordData* | | | | RecordData* | |
| | EventData* | | | | EventData* | |
| | AdditionalData* | 3.14 | | | AdditionalData* | 3.14 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Expectation | action? | | | Expectation | action? | |
| | ext-action? | | | | ext-action? | |
| | severity? | | | | severity? | |
| | restriction? | | | | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
skipping to change at page 12, line 15 skipping to change at page 12, line 46
| | ext-duration? | 3.17.3 | | | ext-duration? | 3.17.3 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DomainData | system-status | | | DomainData | system-status | |
| | ext-system-status? | | | | ext-system-status? | |
| | domain-status | | | | domain-status | |
| | ext-domain-status? | | | | ext-domain-status? | |
| | observable-id? | | | | observable-id? | |
| | Name | | | | Name | |
| | DateDomainWasChecked?| | | | DateDomainWasChecked?| |
| | RegistrationDate? | | | | RegistrationDate? | |
| | ExpirationDate ?| | | | ExpirationDate? | |
| | RelatedDNS* | | | | RelatedDNS* | |
| | Nameservers* | | | | Nameservers* | |
| | DomainContacts? | 3.18 | | | DomainContacts? | 3.18 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Nameserver | Server | | | Nameserver | Server | |
| | Address* | 3.18.1 | | | Address* | 3.18.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| DomainContacts | SameDomainContact? | | | DomainContacts | SameDomainContact? | |
| | Contact+ | 3.18.2 | | | Contact+ | 3.18.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Service | ip-protocol? | | | Service | ip-protocol? | |
| | observable-id? | | | | observable-id? | |
| | ServiceName? | | | | ServiceName? | |
| | Port? | | | | Port? | |
| | Portlist? | | | | Portlist? | |
| | ProtoCode? | | | | ProtoCode? | |
| | ProtoType? | | | | ProtoType? | |
| | ProtoField? | | | | ProtoField? | |
| | ApplicationHeaderField+| | | | ApplicationHeaderField*| |
| | EmailData? | | | | EmailData? | |
| | Application? | 3.19 | | | Application? | 3.19 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| ServiceName | IANAService? | | | ServiceName | IANAService? | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | Description_ML* | 3.19.1 | | | Description_ML* | 3.19.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| EmailData | observable-id? | | | EmailData | observable-id? | |
| | EmailTo* | | | | EmailTo* | |
skipping to change at page 14, line 28 skipping to change at page 15, line 11
| | Hash* | | | | Hash* | |
| | FuzzyHash* | 3.23 | | | FuzzyHash* | 3.23 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Hash | DigestMethod | | | Hash | DigestMethod | |
| | DigestValue | | | | DigestValue | |
| | CanonicalizationMethod?| | | | CanonicalizationMethod?| |
| | Application? | 3.23.1 | | | Application? | 3.23.1 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| FuzzyHash | FuzzyHashValue+ | | | FuzzyHash | FuzzyHashValue+ | |
| | Application? | | | | Application? | |
| | AdditionalData? | 3.23.2 | | | AdditionalData* | 3.23.2 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| Indicator | restriction? | | | Indicator | restriction? | |
| | ext-restriction? | | | | ext-restriction? | |
| | IndicatorID | | | | IndicatorID | |
| | AlternativeIndicatorID*| | | | AlternativeIndicatorID*| |
| | Description* | | | | Description* | |
| | Description_ML* | | | | Description_ML* | |
| | StartTime? | | | | StartTime? | |
| | EndTime? | | | | EndTime? | |
| | Confidence? | | | | Confidence? | |
skipping to change at page 16, line 37 skipping to change at page 17, line 20
directly have the instances of the Signature class that used to belong to directly have the instances of the Signature class that used to belong to
the SignatureData class. the SignatureData class.
o IndicatorData class is deleted, and classes with its instances now o IndicatorData class is deleted, and classes with its instances now
directly have the instances of Indicator class that used to belong directly have the instances of Indicator class that used to belong
to the IndicatorData class. to the IndicatorData class.
o ObservableReference class is deleted, and classes with its o ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element. instances now directly have uid-ref as an element.
o Record class is replaced by RecordData class, and RecordData class
is renamed to Record class.
o Record class is deleted, and classes with its instances now o Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to directly have the instances of RecordData class that used to
belong to the Record class. belong to the Record class.
o The elements of ML_STRING type are prepared as two separate o The elements of ML_STRING type are prepared as two separate
elements: one of STRING type and another of ML_STRING type, in elements: one of STRING type and another of ML_STRING type, in
order to maintain the simplicity of IODEF documents when writing order to maintain the simplicity of IODEF documents when writing
with only STRING type characters. with only STRING type characters.
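The mapping rules above, applied by a small converter from the XML form of [RFC7970] to this JSON binding. This is an added example, not part of the draft: the generic rules (attributes and child elements become members of the same name, members the CDDL of Section 5 declares as "[+ X]" become arrays, the text content of IncidentID and IndicatorID becomes "id") are read off the examples in Section 4, the set of dropped wrapper classes is taken from the bullets above, and the sample document is constructed after the RFC 7970 minimal example with a translated Description and one indicator added to exercise those bullets.

```python
"""XML-to-JSON conversion for the mapping rules of Section 3.2.

Added illustration, not the draft's code. Rules applied: XML attributes and
child elements become JSON members of the same name; members the CDDL of
Section 5 declares as "[+ X]" are always arrays; the text content of
IncidentID and IndicatorID is stored as "id"; a Description carrying
xml:lang becomes a Description_ML object; the IndicatorData, SignatureData
and Record wrappers are dropped so their children hang off the parent.
The sample XML is constructed after the RFC 7970 minimal example; the
indicator in it is an assumption made for illustration.
"""
import xml.etree.ElementTree as ET

ARRAY_MEMBERS = {"Incident", "Contact", "Email", "Telephone", "Description",
                 "Description_ML", "Indicator", "EventData", "AdditionalData",
                 "Method", "Assessment", "Discovery", "RelatedActivity"}
DROPPED_WRAPPERS = {"IndicatorData", "SignatureData", "Record"}
TEXT_AS_ID = {"IncidentID", "IndicatorID"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def _local(name):
    """Strip the namespace part of a Clark-notation tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _add(obj, name, value):
    """Store value under name, as an array member when the CDDL says [+ X]."""
    if name in ARRAY_MEMBERS:
        obj.setdefault(name, []).append(value)
    else:
        obj[name] = value


def element_to_json(elem):
    """Convert one element; a leaf with text only collapses to a plain string."""
    obj = {}
    for attr, val in elem.attrib.items():
        obj["lang" if attr == XML_LANG else _local(attr)] = val
    for child in elem:
        name = _local(child.tag)
        if name in DROPPED_WRAPPERS:
            for inner in child:                  # flatten: wrapper's children move up
                _add(obj, _local(inner.tag), element_to_json(inner))
            continue
        value = element_to_json(child)
        if name == "Description" and isinstance(value, dict):
            name = "Description_ML"              # ML_STRING split (Section 3.2)
        _add(obj, name, value)
    text = (elem.text or "").strip()
    if text and not obj:
        return text
    if text:
        obj["id" if _local(elem.tag) in TEXT_AS_ID else "value"] = text
    return obj


def iodef_xml_to_json(xml_text):
    """Parse an IODEF-Document and return the JSON-binding object."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "IODEF-Document":
        raise ValueError(f"not an IODEF-Document: {root.tag}")
    return element_to_json(root)


# Constructed input: RFC 7970's minimal document plus a translated Description
# and one indicator inside the IndicatorData wrapper that the JSON binding drops.
SAMPLE_XML = """<IODEF-Document version="2.0" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Description>Probe of a web server</Description>
    <Description xml:lang="de">Untersuchung eines Webservers</Description>
    <Contact type="organization" role="creator">
      <Email><EmailTo>contact@csirt.example.com</EmailTo></Email>
    </Contact>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">G90823490</IndicatorID>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(iodef_xml_to_json(SAMPLE_XML), indent=2))
```

The output for the minimal part of the sample is exactly the draft-04 document of Section 4.1; the ARRAY_MEMBERS set is what keeps a single Contact or Email an array, which the draft-03 form of that example got wrong.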
4. Examples 4. Examples
skipping to change at page 17, line 12 skipping to change at page 18, line 8
not represent the full capabilities of the data model or the only not represent the full capabilities of the data model or the only
way to encode particular information. way to encode particular information.
4.1. Minimal Example 4.1. Minimal Example
A document containing only the mandatory elements and attributes. A document containing only the mandatory elements and attributes.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [ "Incident": [{
{
"purpose": "reporting", "purpose": "reporting",
"restriction": "private", "restriction": "private",
"IncidentID": { "IncidentID": {
"id": 492382, "id": "492382",
"name": "csirt.example.com" "name": "csirt.example.com"
}, },
"GenerationTime": "2015-07-18T09:00:00-05:00", "GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [ "Contact": [{
{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"email": { "Email": [{
"emailTo": "contact@csirt.example.com" "EmailTo": "contact@csirt.example.com"
} }]
} }]
] }]
}
]
} }
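The minimal example checked against the CDDL rules of Section 5. This is an added example, not code from the draft: the CLASSES table transcribes the members of the iodef, Incident, IncidentID, Contact and Email rules (only a subset of the optional members is carried over, an assumption noted in the code), and the second input is the same document in the draft-03 shape shown in the left column, which the checker rejects on the integer id and the lowercase "email" member.

```python
"""Structural check of a JSON IODEF document against the Section 5 CDDL.

Added example, not the draft's code. CLASSES transcribes a subset of the
iodef, Incident, IncidentID, Contact and Email rules (assumption: the
remaining optional members are omitted here). CDDL maps are closed, so an
unknown member is an error; "[+ X]" is a non-empty array; enum members are
checked; an "ext-value" choice must carry its ext-* member (RFC 7970 rule).
"""
import json

ENUM = {
    "purpose": {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"},
    "restriction": {"public", "partner", "need-to-know", "private", "default",
                    "white", "green", "amber", "red", "ext-value"},
    "role": {"creator", "reporter", "admin", "tech", "provider", "user", "billing",
             "legal", "irt", "abuse", "cc", "cc-irt", "leo", "vendor",
             "vendor-support", "victim", "victim-notified", "ext-value"},
    "contact-type": {"person", "organization", "ext-value"},
    "email-type": {"direct", "hotline", "ext-value"},
    "lang": {"en", "jp"},
}
# member -> (required, kind); kind is "text", ("enum", n), ("obj", cls) or ("list", kind)
CLASSES = {
    "iodef": {"version": (True, "text"), "lang": (False, ("enum", "lang")),
              "format-id": (False, "text"),
              "Incident": (True, ("list", ("obj", "Incident")))},
    "Incident": {"purpose": (True, ("enum", "purpose")), "ext-purpose": (False, "text"),
                 "lang": (False, ("enum", "lang")),
                 "restriction": (False, ("enum", "restriction")),
                 "ext-restriction": (False, "text"),
                 "IncidentID": (True, ("obj", "IncidentID")),
                 "DetectTime": (False, "text"), "ReportTime": (False, "text"),
                 "GenerationTime": (True, "text"),
                 "Description": (False, ("list", "text")),
                 "Contact": (True, ("list", ("obj", "Contact")))},
    "IncidentID": {"id": (True, "text"), "name": (True, "text"),
                   "restriction": (False, ("enum", "restriction")),
                   "ext-restriction": (False, "text")},
    "Contact": {"role": (True, ("enum", "role")), "ext-role": (False, "text"),
                "type": (True, ("enum", "contact-type")), "ext-type": (False, "text"),
                "restriction": (False, ("enum", "restriction")),
                "ext-restriction": (False, "text"),
                "Email": (False, ("list", ("obj", "Email"))),
                "Contact": (False, ("list", ("obj", "Contact")))},
    "Email": {"type": (False, ("enum", "email-type")), "ext-type": (False, "text"),
              "EmailTo": (True, "text"), "Description": (False, ("list", "text"))},
}


def _check(value, kind, path, errors, parent):
    if kind == "text":
        if not isinstance(value, str):
            errors.append(f"{path}: expected text, got {type(value).__name__}")
    elif kind[0] == "enum":
        if value not in ENUM[kind[1]]:
            errors.append(f"{path}: {value!r} is not a {kind[1]} value")
        elif value == "ext-value" and "ext-" + path.rsplit(".", 1)[-1] not in parent:
            errors.append(f"{path}: ext-value needs the matching ext-* member")
    elif kind[0] == "list":
        if not isinstance(value, list) or not value:
            errors.append(f"{path}: expected a non-empty array")
        else:
            for i, item in enumerate(value):
                _check(item, kind[1], f"{path}[{i}]", errors, parent)
    else:  # ("obj", cls)
        errors.extend(validate(value, kind[1], path))


def validate(obj, cls, path="$"):
    """Return the list of violations; an empty list means obj conforms to cls."""
    if not isinstance(obj, dict):
        return [f"{path}: expected an object of class {cls}"]
    members, errors = CLASSES[cls], []
    for name in obj:
        if name not in members:
            errors.append(f"{path}.{name}: not a member of {cls}")
    for name, (required, kind) in members.items():
        if name in obj:
            _check(obj[name], kind, f"{path}.{name}", errors, obj)
        elif required:
            errors.append(f"{path}.{name}: required member missing")
    return errors


# The Section 4.1 minimal example (draft-04 form) and the draft-03 form it
# replaced, both constructed here from the text above.
MINIMAL_04 = json.loads("""{"version": "2.0", "lang": "en", "Incident": [{
  "purpose": "reporting", "restriction": "private",
  "IncidentID": {"id": "492382", "name": "csirt.example.com"},
  "GenerationTime": "2015-07-18T09:00:00-05:00",
  "Contact": [{"type": "organization", "role": "creator",
               "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}""")
MINIMAL_03 = json.loads("""{"version": "2.0", "lang": "en", "Incident": [{
  "purpose": "reporting", "restriction": "private",
  "IncidentID": {"id": 492382, "name": "csirt.example.com"},
  "GenerationTime": "2015-07-18T09:00:00-05:00",
  "Contact": [{"type": "organization", "role": "creator",
               "email": {"emailTo": "contact@csirt.example.com"}}]}]}""")
```

validate(MINIMAL_04, "iodef") returns an empty list; validate(MINIMAL_03, "iodef") reports the integer id and the unknown "email" member. Because CDDL maps are closed, a receiver built this way also refuses documents that smuggle unexpected members past the schema, which matters when the JSON is fed to downstream tooling that trusts member names.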
4.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign. An example of C2 domains from a given campaign.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [ "Incident": [
skipping to change at page 19, line 12 skipping to change at page 20, line 4
"BulkObservableList": [ "BulkObservableList": [
"kj290023j09r34.example.com", "kj290023j09r34.example.com",
"09ijk23jfj0k8.example.net", "09ijk23jfj0k8.example.net",
"klknjwfjiowjefr923.example.org", "klknjwfjiowjefr923.example.org",
"oimireik79msd.example.org" "oimireik79msd.example.org"
] ]
} }
} }
] ]
} }
] ]
} }
5. The IODEF Data Model (JSON Schema) 5. The IODEF Data Model (CDDL)
start = iodef
;;; iodef.json: IODEF-Document
iodef = {
version: text
? lang: lang
? format-id: text
? private-enum-name: text
? private-enum-id: text
Incident: [+ Incident]
? AdditionalData: [+ ExtensionType]
}
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value"
lang = "en" / "jp"
restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" /
"ext-value"
DATETIME = text
URLtype = text
IDtype = text
action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"
ExtensionType = {
value: any                ; the "value" element listed in Section 2.2.4
? name: text
? dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
? ext-dtype: text
? meaning: text
? formatid: text
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
}
SoftwareType = {
? SoftwareReference: SoftwareReference
? URL: URLtype
? Description: text
}
SoftwareReference = {
? value: text
spec-name: "custom" / "cpe" / "swid" / "ext-value"
? ext-spec-name: text
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
? ext-dtype: text
}
Incident = {
purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
"ext-value"
? ext-purpose: text
? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
"ext-value"
? ext-status: text
? lang: lang
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
IncidentID: IncidentID
? AlternativeID: AlternativeID
? RelatedActivity: [+ RelatedActivity]
? DetectTime: text
? StartTime: text
? EndTime: text
? RecoveryTime: text
? ReportTime: text
GenerationTime: text
? Description: [+ text]
? Description_ML: [+ text]
? Discovery: [+ Discovery]
? Assessment: [+ Assessment]
? Method: [+ Method]
Contact: [+ Contact]
? EventData: [+ EventData]
? Indicator: [+ Indicator]
? History: History
? AdditionalData: [+ ExtensionType]
}
IncidentID = {
id: text
name: text
? instance: text
? restriction: restriction
? ext-restriction: text
}
AlternativeID = {
? restriction: restriction
? ext-restriction: text
IncidentID: [+ IncidentID]
}
RelatedActivity = {
? restriction: restriction
? ext-restriction: text
? IncidentID: [+ IncidentID]
? URL: [+ URLtype]
? ThreatActor: [+ ThreatActor]
? Campaign: [+ Campaign]
? IndicatorID: [+ IndicatorID]
? Confidence: Confidence
? Description: [+ text]
? AdditionalData: [+ ExtensionType]
}
ThreatActor = {
? restriction: restriction
? ext-restriction: text
? ThreatActorID: [+ text]
? URL: [+ URLtype]
? Description: [+ text]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType]
}
Campaign = {
? restriction: restriction
? ext-restriction: text
? CampaignID: [+ text]
? URL: [+ URLtype]
? Description: [+ text]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType]
}
Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value"
? ext-role: text
type: "person" / "organization" / "ext-value"
? ext-type: text
? restriction: restriction
? ext-restriction: text
? ContactName: [+ text]
? ContactName_ML: [+ text]
? ContactTitle: [+ text]
? ContactTitle_ML: [+ text]
? Description: [+ text]
? Description_ML: [+ text]
? RegistryHandle: [+ RegistryHandle]
? PostalAddress: [+ PostalAddress]
? Email: [+ Email]
? Telephone: [+ Telephone]
? Timezone: text
? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType]
}
RegistryHandle = {
handle: text
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" /
"local" / "ext-value"
? ext-registry: text
}
PostalAddress = {
? type: text
? ext-type: text
PAddress: text
? Description: [+ text]
? Description_ML: [+ text]
}
Email = {
? type: "direct" / "hotline" / "ext-value"
? ext-type: text
EmailTo: text
? Description: [+ text]
? Description_ML: [+ text]
}
Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text
TelephoneNumber: text
? Description: [+ text]
? Description_ML: [+ text]
}
Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investiation" / "audit" /
"international-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value"
? ext-source: text
? restriction: restriction
? ext-restriction: text
? Description: [+ text]
? Description_ML: [+ text]
? Contact: [+ Contact]
? DetectionPattern: [+ DetectionPattern]
}
DetectionPattern = {
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
Application: SoftwareType
? Description: [+ text]
? Description_ML: [+ text]
? DetectionConfiguration: [+ text]
}
Method = {
? restriction: restriction
? ext-restriction: text
? Reference: [+ Reference]
? Description: [+ text]
? Description_ML: [+ text]
? AttackPattern: [+ StructuredInformation]
? Vulnerability: [+ StructuredInformation]
? Weakness: [+ StructuredInformation]
? AdditionalData: [+ ExtensionType]
}
StructuredInformation = {
specID: text
? ext-specID: text
? contentID: text
? RawData: any
? URL: URLtype
}
Reference = {
? observable-id: IDtype
? ReferenceName: ReferenceName
? URL: [+ URLtype]
? Description: [+ text]
? Description_ML: [+ text]
}
ReferenceName = {
specIndex: int
ID: text
}
Assessment = {
? occurrence: "actual" / "potential"
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
? IncidentCategory: [+ text]
? SystemImpact: [+ SystemImpact]
? BusinessImpact: [+ BusinessImpact]
? TimeImpact: [+ TimeImpact]
? MonetaryImpact: [+ MonetaryImpact]
? IntendedImpact: [+ BusinessImpact]
? Counter: [+ Counter]
? MitigatingFactor: [+ text]
? MitigatingFactor_ML: [+ text]
? Cause: [+ text]
? Cause_ML: [+ text]
? Confidence: Confidence
? AdditionalData: [+ ExtensionType]
}
SystemImpact = {
? severity: "low" / "medium" / "high"
? completion: "failed" / "succeeded"
type: "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" /
"breack-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value"
? ext-type: text
? Description: [+ text]
? Description_ML: [+ text]
}
BusinessImpact = {
? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
? ext-severity: text
type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value"
? ext-type: text
? Description: [+ text]
? Description_ML: [+ text]
}
TimeImpact = {
value: int
? severity: "low" / "medium" / "high"
metric: "labor" / "elapsed" / "downtime" / "ext-value"
? ext-metric: text
? duration: duration
? ext-duration: text
}
MonetaryImpact = {
value: int
? severity: "low" / "medium" / "high"
? currency: text
}
Confidence = {
value: int
rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
? ext-rating: text
}
History = {
? restriction: restriction
? ext-restriction: text
HistoryItem: [+ HistoryItem]
}
HistoryItem = {
action: action
? ext-action: text
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
DateTime: DATETIME
? IncidentID: IncidentID
? Contact: Contact
? Description: [+ text]
? Description_ML: [+ text]
? DefinedCOA: [+ text]
? AdditionalData: [+ ExtensionType]
}
EventData = {
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
? Description: [+ text]
? Description_ML: [+ text]
? DetectTime: DATETIME
? StartTime: DATETIME
? EndTime: DATETIME
? RecoveryTime: DATETIME
? ReportTime: DATETIME
? Contact: [+ Contact]
? Discovery: [+ Discovery]
? Assessment: Assessment
? Method: [+ Method]
? System: [+ System]
? Expectation: [+ Expectation]
? RecordData: [+ RecordData]
? EventData: [+ EventData]
? AdditionalData: [+ ExtensionType]
}
Expectation = {
? action: action
? ext-action: text
? severity: "low" / "medium" / "high"
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
? Description: [+ text]
? Description_ML: [+ text]
? DefinedCOA: [+ text]
? StartTime: DATETIME
? EndTime: DATETIME
? Contact: Contact
}
System = {
? category: "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value"
? ext-category: text
? interface: text
? spoofed: "unknown" / "yes" / "no"
? virtual: "yes" / "no" / "unknown"
? ownership: "organization" / "personal" / "partner" / "customer" /
"no-relationship" / "unknown" / "ext-value"
? ext-ownership: text
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
Node: Node
? NodeRole: [+ NodeRole]
? Service: [+ Service]
? OperatingSystem: [+ SoftwareType]
? Counter: [+ Counter]
? AssetID: [+ text]
? Description: [+ text]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType]
}
Node = {
? DomainData: [+ DomainData]
? Address: [+ Address]
? PostalAddress: PostalAddress
? Location: [+ text]
? Location_ML: [+ text]
? Counter: [+ Counter]
}
Address = {
value: text
category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" /
"ext-value"
? ext-category: text
? vlan-name: text
? vlan-num: int
? observable-id: IDtype
}
NodeRole = {
category: "client" / "client-enterprise" / "clent-partner" /
"client-remote" / "client-kiosk" / "client-mobile" /
"server-internal" / "server-public" / "www" / "mail" /
"webmail" / "messaging" / "streaming" / "voice" / "file" /
"ftp" / "p2p" / "name" / "directory" / "credential" /
"print" / "application" / "database" / "backup" / "dhcp" /
"assessment" / "source-control" / "config-management" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" /
"infra-switch" / "camera" / "proxy" / "remote-access" /
"log" / "virtualization" / "pos" / "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hot-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value"
? ext-category: text
? Description: [+ text]
? Description_ML: [+ text]
}
Counter = {
value: text
type: "count" / "peak" / "average" / "ext-value"
? ext-type: text
unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" /
"ext-value"
? ext-unit: text
? meaning: text
? meaning_ML: text
? duration: duration
? ext-duration: text
}
DomainData = {
system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
"innocent-hijacked" / "unknown" / "ext-value"
? ext-system-status: text
domain-status: "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value"
? ext-domain-status: text
? observable-id: IDtype
Name: text
? DateDomainWasChecked: DATETIME
? RegistrationDate: DATETIME
? ExpirationDate: DATETIME
? RelatedDNS: [+ ExtensionType]
? NameServers: [+ NameServers]
? DomainContacts: DomainContacts
}
NameServers = {
Server: text
? Address: [+ Address]
}
DomainContacts = {
? SameDomainContact: text
Contact: [+ Contact]
}
Service = {
? ip-protocol: int
? observable-id: IDtype
? ServiceName: ServiceName
? Port: int
? Portlist: text
? ProtoCode: int
? ProtoType: int
? ProtoField: int
? ApplicationHeaderField: [+ ExtensionType]
? EmailData: EmailData
? Application: SoftwareType
}
ServiceName = {
? IANAService: text
? URL: [+ URLtype]
? Description: [+ text]
? Description_ML: [+ text]
}
EmailData = {
? observable-id: IDtype
? EmailTo: [+ text]
? EmailFrom: text
? EmailSubject: text
? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text
? EmailBody: text
? EmailMessage: text
? HashData: [+ HashData]
? Signature: [+ text]
}
RecordData = {
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
? DateTime: DATETIME
? Description: [+ text]
? Description_ML: [+ text]
? Application: SoftwareType
? RecordPattern: [+ RecordPattern]
? RecordItem: [+ ExtensionType]
? URL: [+ URLtype]
? FileData: [+ FileData]
? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
? CertificateData: [+ CertificateData]
? AdditionalData: [+ ExtensionType]
}
RecordPattern = {
value: text
type: "regex" / "binary" / "xpath" / "ext-value"
? ext-type: text
? offset: int
? offsetunit: "line" / "byte" / "ext-value"
? ext-offsetunit: text
? instance: int
}
WindowsRegistryKeysModified = {
? observable-id: IDtype
Key: [+ Key]
}
Key = {
? registryaction: "add-key" / "add-value" / "delete-key" /
"delete-value" / "modify-key" / "modify-value" /
"ext-value"
? ext-registryaction: text
? observable-id: IDtype
KeyName: text
? KeyValue: text
}
CertificateData = {
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
Certificate: [+ Certificate]
}
Certificate = {
? observable-id: IDtype
X509Data: text
? Description: [+ text]
? Description_ML: [+ text]
}
FileData = {
? restriction: restriction
? ext-restriction: text
? observable-id: IDtype
File: [+ File]
}
File = {
? observable-id: IDtype
? FileName: text
? FileSize: int
? FileType: text
? URL: [+ URLtype]
? HashData: HashData
? Signature: [+ text]
? AssociatedSoftware: SoftwareType
? FileProperties: [+ ExtensionType]
}
HashData = {
scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-hash-header" / "email-hash-body"
? HashTargetID: text
? Hash: [+ Hash]
? FuzzyHash: [+ FuzzyHash]
}
Hash = {
DigestMethod: text
DigestValue: text
? CanonicalizationMethod: any
? Application: SoftwareType
}
FuzzyHash = {
FuzzyHashValue: [+ ExtensionType]
? Application: SoftwareType
? AdditionalData: [+ ExtensionType]
}
Indicator = {
? restriction: restriction
? ext-restriction: text
IndicatorID: IndicatorID
? AlternativeIndicatorID: [+ AlternativeIndicatorID]
? Description: [+ text]
? Description_ML: [+ text]
? StartTime: DATETIME
? EndTime: DATETIME
? Confidence: Confidence
? Contact: [+ Contact]
? Observable: Observable
? uid-ref: text
? IndicatorExpression: IndicatorExpression
? IndicatorReference: IndicatorReference
? NodeRole: [+ NodeRole]
? AttackPhase: [+ AttackPhase]
? Reference: [+ Reference]
? AdditionalData: [+ ExtensionType]
}
IndicatorID = {
id: IDtype
name: text
version: text
}
AlternativeIndicatorID = {
? restriction: restriction
? ext-restriction: text
IndicatorReference: [+ IndicatorReference]
}
Observable = {
? restriction: restriction
? ext-restriction: text
? System: System
? Address: Address
? DomainData: DomainData
? EmailData: EmailData
? Service: Service
? WindowsRegistryKeysModified: WindowsRegistryKeysModified
? FileData: FileData
? CertificateData: CertificateData
? RegistryHandle: RegistryHandle
? RecordData: RecordData
? EventData: EventData
? Incident: Incident
? Expectation: Expectation
? Reference: Reference
? Assessment: Assessment
? DetectionPattern: DetectionPattern
? HistoryItem: HistoryItem
? BulkObservable: BulkObservable
? AdditionalData: [+ ExtensionType]
}
BulkObservable = {
? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-url" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" /
"mutex" / "file-path" / "user-name" / "ext-value"
? ext-type: text
? BulkObservableFormat: BulkObservableFormat
BulkObservableList: [+ text]
? AdditionalData: [+ ExtensionType]
}
BulkObservableFormat = {
? Hash: Hash
? AdditionalData: [+ ExtensionType]
}
IndicatorExpression = {
? operator: "not" / "and" / "or" / "xor"
? ext-operator: text
? IndicatorExpression: [+ IndicatorExpression]
? Observable: [+ Observable]
? uid-ref: [+ text]
? IndicatorReference: [+ IndicatorReference]
? Confidence: Confidence
? AdditionalData: [+ ExtensionType]
}
IndicatorReference = {
? uid-ref: text
? euid-ref: text
? version: text
}
AttackPhase = {
? AttackPhaseID: [+ text]
? URL: [+ URLtype]
? Description: [+ text]
? Description_ML: [+ text]
? AdditionalData: [+ ExtensionType]
}
Figure 2: Data Model in CDDL
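As an added example (not code from the draft), the following Python checks a constructed Contact subtree against the rules of Figure 2, including two constraints that are easy to lose in a schema-only check: the RFC 7970 convention that an enum set to "ext-value" is paired with the matching ext-* member, and the CDDL's `[+ T]`, which requires at least one entry. The RULES table, the function names and the sample data are this example's own assumptions.

```python
"""Validate an IODEF-JSON Contact subtree against the CDDL rules of Figure 2
(Contact, RegistryHandle, Email).  Added example, not part of the draft; the
RULES table, the functions and the sample data are this example's own."""

ROLE = {"creator", "reporter", "admin", "tech", "provider", "user", "billing",
        "legal", "irt", "abuse", "cc", "cc-irt", "leo", "vendor",
        "vendor-support", "victim", "victim-notified", "ext-value"}
REGISTRY = {"internic", "apnic", "arin", "lacnic", "ripe", "afrinic", "local",
            "ext-value"}

# Per CDDL rule: member -> (mandatory?, kind).  A kind is an enum set, "text",
# or ("list", T), standing for the CDDL "[+ T]" (one or more entries).
# Only the members used by the samples below are listed.
RULES = {
    "Contact": {
        "role": (True, ROLE),
        "ext-role": (False, "text"),
        "type": (True, {"person", "organization", "ext-value"}),
        "ext-type": (False, "text"),
        "ContactName": (False, ("list", "text")),
        "RegistryHandle": (False, ("list", "RegistryHandle")),
        "Email": (False, ("list", "Email")),
        "Contact": (False, ("list", "Contact")),  # nested contacts
    },
    "RegistryHandle": {
        "handle": (True, "text"),
        "registry": (True, REGISTRY),
        "ext-registry": (False, "text"),
    },
    "Email": {
        "type": (False, {"direct", "hotline", "ext-value"}),
        "ext-type": (False, "text"),
        "EmailTo": (True, "text"),
    },
}

def validate(obj, typename, path="$"):
    """Return a list of error strings; an empty list means obj conforms."""
    if not isinstance(obj, dict):
        return [f"{path}: expected an object for {typename}"]
    rules = RULES[typename]
    errors = [f"{path}: unknown member {k!r} in {typename}"
              for k in obj if k not in rules]
    for key, (mandatory, kind) in rules.items():
        if key not in obj:
            if mandatory:
                errors.append(f"{path}: missing mandatory member {key!r}")
            continue
        errors.extend(check_value(obj[key], kind, f"{path}.{key}"))
        # RFC 7970 extension convention, not expressible in the CDDL: an enum
        # member set to "ext-value" must be paired with ext-<member>.
        if isinstance(kind, set):
            ext = "ext-" + key
            if obj[key] == "ext-value" and not obj.get(ext):
                errors.append(f"{path}: {key}='ext-value' requires {ext}")
            elif obj[key] != "ext-value" and ext in obj:
                errors.append(f"{path}: {ext} given but {key} != 'ext-value'")
    return errors

def check_value(value, kind, path):
    """Check one member value against its kind; returns error strings."""
    if kind == "text":
        return [] if isinstance(value, str) else [f"{path}: expected text"]
    if isinstance(kind, set):
        if isinstance(value, str) and value in kind:
            return []
        return [f"{path}: {value!r} is not an allowed value"]
    _, inner = kind                                    # ("list", T)
    if not isinstance(value, list) or not value:
        return [f"{path}: '[+ {inner}]' requires a non-empty array"]
    errors = []
    for i, item in enumerate(value):
        sub = f"{path}[{i}]"
        errors.extend(check_value(item, "text", sub) if inner == "text"
                      else validate(item, inner, sub))
    return errors

# Constructed sample (not from the draft): an IRT contact with a registry
# handle, two e-mail entries and a nested abuse contact.
GOOD_CONTACT = {
    "role": "irt", "type": "organization",
    "ContactName": ["Example CSIRT"],
    "RegistryHandle": [{"handle": "EXAMPLE-RIPE", "registry": "ripe"}],
    "Email": [{"type": "hotline", "EmailTo": "csirt@example.com"},
              {"type": "ext-value", "ext-type": "encrypted",
               "EmailTo": "pgp@example.com"}],
    "Contact": [{"role": "abuse", "type": "person", "ContactName": ["J. Doe"]}],
}

# Constructed fragment breaking three rules that the Appendix A schema, as
# shown, does not catch (role enum alone, array without minItems, required
# listing only "registry").
BAD_CONTACT = {
    "role": "ext-value", "type": "person",     # ext-value without ext-role
    "ContactName": [],                          # "[+ text]" needs >= 1 entry
    "RegistryHandle": [{"registry": "arin"}],   # handle is mandatory in CDDL
}
```

`validate(GOOD_CONTACT, "Contact")` returns an empty list, while `validate(BAD_CONTACT, "Contact")` reports the three violations with their JSON paths.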
6. Acknowledgements
We would like to thank Henk Birkholz and Carsten Bormann for their
insightful comments on CDDL.
7. IANA Considerations
This document registers a JSON schema.
8. Security Considerations
This memo does not introduce any security considerations beyond
those described in [RFC7970].
9. Normative References
[jsonschema] "JSON Schema", 2006, <http://json-schema.org/>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>.
Appendix A. The IODEF Data Model (JSON Schema)
This appendix provides the JSON schema for the IODEF data model
specified in this draft.
{ "$schema": "http://json-schema.org/draft-04/schema#", { "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": { "definitions": {
"action": {"enum": ["nothing","contact-source-site","contact-target-site", "action": {"enum": ["nothing","contact-source-site",
"contact-sender", "investigate","block-host","block-network", "contact-target-site","contact-sender","investigate",
"block-port","rate-limit-host","rate-limit-network", "block-host","block-network","block-port","rate-limit-host",
"rate-limit-port","redirect-traffic","honeypot", "rate-limit-network","rate-limit-port","redirect-traffic",
"upgrade-software","rebuild-asset","harden-asset", "honeypot","upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info", "remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","ext-value"]}, "watch-and-report","training","defined-coa","ext-value"]},
"duration": {"enum": ["second","minute","hour","day","month","quarter", "duration": {"enum": ["second","minute","hour","day","month","quarter",
"year","ext-value"]}, "year","ext-value"]},
"lang": {"enum": ["en","jp"]}, "lang": {"enum": ["en","jp"]},
"purpose": {"enum": ["traceback","mitigation","reporting","watch","other", "purpose": {"enum": ["traceback","mitigation","reporting","watch",
"ext-value"]}, "other","ext-value"]},
"restriction": {"enum": ["public","partner","need-to-know","private", "restriction": {"enum": ["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]}, "default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved","future", "status": {"enum": ["new","in-progress","forwarded","resolved",
"ext-value"]}, "future","ext-value"]},
"DATETIME": {"type": "string"}, "DATETIME": {"type": "string"},
"PORTLIST": {"type": "string"}, "PORTLIST": {"type": "string"},
"URLtype": {"type": "string"}, "URLtype": {"type": "string"},
"IDtype": {"type": "string"}, "IDtype": {"type": "string"},
"ExtensionType": { "ExtensionType": {
"type": "object", "type": "object",
"properties": { "properties": {
"name": {"type": "string"}, "name": {"type": "string"},
"dtype": {"enum": ["boolean","byte","bytes","character","date-time", "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
"ntpstamp","integer","portlist","real","string","file", "ntpstamp","integer","portlist","real","string","file",
skipping to change at page 21, line 4 skipping to change at page 37, line 38
"ext-purpose": {"type": "string"}, "ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"}, "status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"}, "ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
"RelatedActivity": { "RelatedActivity": {
"type": "array","items": {"$ref": "#/definitions/RelatedActivity"}}, "type": "array",
"items": {"$ref": "#/definitions/RelatedActivity"}},
"DetectTime": {"type": "string"}, "DetectTime": {"type": "string"},
"StartTime": {"type": "string"}, "StartTime": {"type": "string"},
"EndTime": {"type": "string"}, "EndTime": {"type": "string"},
"RecoveryTime": {"type": "string"}, "RecoveryTime": {"type": "string"},
"ReportTime": {"type": "string"}, "ReportTime": {"type": "string"},
"GenerationTime": {"type": "string"}, "GenerationTime": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}},
"Discovery": { "Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": { "Assessment": {
skipping to change at page 22, line 27 skipping to change at page 39, line 15
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Description": { "type": "array","items": {"type": "string"}}, "Description": { "type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"ThreatActor": { "ThreatActor": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ThreatActorID": {"type": "array", "items": {"type": "string"}}, "ThreatActorID": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"Campaign": { "Campaign": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"CampaignID": {"type": "array", "items": {"type": "string"}}, "CampaignID": {"type": "array", "items": {"type": "string"}},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
"Contact": { "Contact": {
"type": "object", "type": "object",
"properties": { "properties": {
"role": { "role": {
"enum": ["creator","reporter","admin","tech","provider","user", "enum": ["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo", "billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified", "vendor","vendor-support","victim","victim-notified",
"ext-value"]}, "ext-value"]},
"ext-role": {"type": "string"}, "ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]}, "type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ContactName": {"type": "array", "items": {"type": "string"}}, "ContactName": {"type": "array", "items": {"type": "string"}},
"ContactTitle": {"type": "array", "items": {"type": "string"}}, "ContactTitle": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
"RegistryHandle": { "RegistryHandle": {
"type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}}, "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}},
"PostalAddress": { "PostalAddress": {
"type": "array", "items": {"$ref": "#/definitions/PostalAddress"}}, "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}},
"Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
"Telephone": { "Telephone": {
"type": "array", "items": {"$ref": "#/definitions/Telephone"}}, "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
"Timezone": {"type": "string"}, "Timezone": {"type": "string"},
"Contact": { "Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}}, "type": "array", "items": {"$ref": "#/definitions/Contact"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role","type"], "required": ["role","type"],
"additionalProperties": false}, "additionalProperties": false},
"RegistryHandle": { "RegistryHandle": {
"type": "object", "type": "object",
"properties": { "properties": {
"handle": {"type": "string"}, "handle": {"type": "string"},
"registry": { "registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local", "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
"ext-value"]}, "local","ext-value"]},
"ext-registry": {"type": "string"}}, "ext-registry": {"type": "string"}},
"required": ["registry"], "required": ["registry"],
"additionalProperties": false}, "additionalProperties": false},
"PostalAddress": { "PostalAddress": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"type": "string"}, "type": {"type": "string"},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"PAddress": {"type": "string"}, "PAddress": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}}, "Description": {"type": "array", "items": {"type": "string"}}},
skipping to change at page 24, line 26 skipping to change at page 41, line 13
"network-flow","passive-dns","investigation","audit", "network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo", "internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]}, "partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"}, "ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
"Contact": { "Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}}, "type": "array", "items": {"$ref": "#/definitions/Contact"}},
"DetectionPattern": { "DetectionPattern": {
"type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}}, "type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"DetectionPattern": { "DetectionPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
skipping to change at page 24, line 50 skipping to change at page 41, line 38
"additionalProperties": false}, "additionalProperties": false},
"Method": { "Method": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"References": { "References": {
"type": "array","items": {"$ref": "#/definitions/Reference"}}, "type": "array","items": {"$ref": "#/definitions/Reference"}},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}},
"AttackPattern": { "AttackPattern": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"Vulnerability": { "Vulnerability": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"Weakness": { "Weakness": {
"type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Reference": { "Reference": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"type": "string"}, "ReferenceName": {"type": "string"},
"URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}}}, "Description": {"type": "array", "items": {"type": "string"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Assessment": { "Assessment": {
"type": "object", "type": "object",
"properties": { "properties": {
"occurrence": {"enum":["actual","potential"]}, "occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {"type": "array", "items": {"type": "string"}}, "IncidentCategory": {"type": "array", "items": {"type": "string"}},
"SystemImpact": { "SystemImpact": {
"type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
"BusinessImpact": { "BusinessImpact": {
"type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
"TimeImpact": { "TimeImpact": {
"type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
"MonetaryImpact": { "MonetaryImpact": {
"type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}}, "type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}},
"IntendedImpact": { "IntendedImpact": {
"type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
"Counter": { "Counter": {
"type": "array", "items": {"$ref": "#/definitions/Counter"}}, "type": "array", "items": {"$ref": "#/definitions/Counter"}},
"MitigatingFactor": { "MitigatingFactor": {
"type": "array", "items": {"$type": "string"}}, "type": "array", "items": {"$type": "string"}},
"Cause": {"type": "array", "items": {"$type": "string"}}, "Cause": {"type": "array", "items": {"$type": "string"}},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SystemImpact": { "SystemImpact": {
skipping to change at page 26, line 12 skipping to change at page 42, line 48
"enum":["low","medium","high"]}, "enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]}, "completion": {"enum":["failed","succeeded"]},
"type": { "type": {
"enum":["takeover-account","takeover-service","takeover-system", "enum":["takeover-account","takeover-service","takeover-system",
"cps-manipulation","cps-damage","availability-data", "cps-manipulation","cps-damage","availability-data",
"availability-account","availability-service", "availability-account","availability-service",
"availability-system","damaged-system","damaged-data", "availability-system","damaged-system","damaged-data",
"breach-proprietary","breach-privacy","breach-credential", "breach-proprietary","breach-privacy","breach-credential",
"breach-configuration","integrity-data", "breach-configuration","integrity-data",
"integrity-configuration","integrity-hardware", "integrity-configuration","integrity-hardware",
"traffic-redirection","monitoring-traffic","monitoring-host", "traffic-redirection","monitoring-traffic",
"policy","unknown","ext-value"]}, "monitoring-host","policy","unknown","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {"type": "array","items": {"type": "string"}}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"BusinessImpact": { "BusinessImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": { "severity": {
"enum":["none","low","medium","high","unknown","ext-value"]}, "enum":["none","low","medium","high","unknown","ext-value"]},
"ext-severity": {"type":"string"}, "ext-severity": {"type":"string"},
"type": { "type": {
"enum":["breach-proprietary","breach-privacy","breach-credential", "enum":["breach-proprietary","breach-privacy","breach-credential",
skipping to change at page 28, line 14 skipping to change at page 44, line 50
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array","items": {"$ref": "#/definitions/Contact"}},
"Discovery": { "Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"Method": { "Method": {
"type": "array","items": {"$ref": "#/definitions/Method"}}, "type": "array","items": {"$ref": "#/definitions/Method"}},
"System": { "System": {
"type": "array","items": {"$ref": "#/definitions/System"}}, "type": "array","items": {"$ref": "#/definitions/System"}},
"Expectation": { "Expectation": {
"type": "array","items": {"$ref": "#/definitions/Expectation"}}, "type": "array","items": {"$ref": "#/definitions/Expectation"}},
"RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}}, "RecordData": {"type": "array",
"items": {"$ref": "#/definitions/RecordData"}},
"EventData": { "EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}}, "type": "array","items": {"$ref": "#/definitions/EventData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["ReportTime"], "required": ["ReportTime"],
"additionalProperties": false}, "additionalProperties": false},
"Expectation": { "Expectation": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref":"#/definitions/action"}, "action": {"$ref":"#/definitions/action"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
skipping to change at page 28, line 40 skipping to change at page 45, line 30
"DefinedCOA": {"type": "array","items": {"type": "string"}}, "DefinedCOA": {"type": "array","items": {"type": "string"}},
"StartTime": {"type": "string"}, "StartTime": {"type": "string"},
"EndTime": {"type": "string"}, "EndTime": {"type": "string"},
"Contact": {"$ref": "#/definitions/Contact"}}, "Contact": {"$ref": "#/definitions/Contact"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"System": { "System": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum": ["source","target","intermediate","sensor","infrastructure", "enum": ["source","target","intermediate","sensor",
"ext-value"]}, "infrastructure","ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"interface": {"type": "string"}, "interface": {"type": "string"},
"spoofed": {"enum": ["unknown","yes","no"]}, "spoofed": {"enum": ["unknown","yes","no"]},
"virtual": {"enum": ["yes","no","unknown"]}, "virtual": {"enum": ["yes","no","unknown"]},
"ownership": { "ownership": {
"enum":["organization","personal","partner","customer", "enum":["organization","personal","partner","customer",
"no-relationship","unknown","ext-value"]}, "no-relationship","unknown","ext-value"]},
"ext-ownership": {"type": "string"}, "ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
skipping to change at page 29, line 28 skipping to change at page 46, line 17
"additionalProperties": false}, "additionalProperties": false},
"Node": { "Node": {
"type": "object", "type": "object",
"properties": { "properties": {
"DomainData": { "DomainData": {
"type": "array","items": {"$ref": "#/definitions/DomainData"}}, "type": "array","items": {"$ref": "#/definitions/DomainData"}},
"Address": { "Address": {
"type": "array","items": {"$ref": "#/definitions/Address"}}, "type": "array","items": {"$ref": "#/definitions/Address"}},
"PostalAddress": {"type": "string"}, "PostalAddress": {"type": "string"},
"Location": {"type": "array","items": {"type": "string"}}, "Location": {"type": "array","items": {"type": "string"}},
"Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}}, "Counter": {"type":"array",
"items":{"$ref":"#/definitions/Counter"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Address": { "Address": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"category": { "category": {
"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
"ipv6-net-masked","mac","site-url","ext-value"]}, "ipv6-net-masked","mac","site-url","ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"vlan-name": {"type": "string"}, "vlan-name": {"type": "string"},
"vlan-num": {"type": "integer"}, "vlan-num": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["category"], "required": ["category"],
"additionalProperties": false}, "additionalProperties": false},
"NodeRole": { "NodeRole": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum":["client","client-enterprise","clent-partner","client-remote", "enum":["client","client-enterprise","clent-partner",
"client-kiosk","client-mobile","server-internal", "client-remote","client-kiosk","client-mobile",
"server-public","www","mail","webmail","messaging", "server-internal","server-public","www","mail","webmail",
"streaming","voice","file","ftp","p2p","name","directory", "messaging","streaming","voice","file","ftp","p2p","name",
"credential","print","application","database","backup", "directory","credential","print","application","database",
"dhcp","assessment","source-control","config-management", "backup","dhcp","assessment","source-control",
"monitoring","infra","infra-firewall","infra-router", "config-management","monitoring","infra","infra-firewall",
"infra-switch","camera","proxy","remote-access","log", "infra-router","infra-switch","camera","proxy",
"virtualization","pos", "scada", "scada-supervisory", "remote-access","log","virtualization","pos", "scada",
"sinkhole","honeypot","anomyzation","c2-server", "scada-supervisory","sinkhole","honeypot","anomyzation",
"malware-distribution","drop-server","hot-point","reflector", "c2-server","malware-distribution","drop-server",
"phishing-site","spear-phishing-site","recruiting-site", "hot-point","reflector","phishing-site",
"spear-phishing-site","recruiting-site",
"fraudulent-site","ext-value"]}, "fraudulent-site","ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {"type": "array","items": {"type": "string"}}},
"required": ["category"], "required": ["category"],
"additionalProperties": false}, "additionalProperties": false},
"Counter": { "Counter": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"type": {"enum": ["count","peak","average","ext-value"]}, "type": {"enum": ["count","peak","average","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"unit": {"enum": ["byte","mbit","packet","flow","session","alert", "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
"message","event","host","site","organization","ext-value"]}, "message","event","host","site","organization",
"ext-value"]},
"ext-unit": {"type": "string"}, "ext-unit": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"}, "duration": {"$ref":"#/definitions/duration"},
"ext-duration": {"type": "string"}}, "ext-duration": {"type": "string"}},
"required": ["type","unit"], "required": ["type","unit"],
"additionalProperties": false}, "additionalProperties": false},
"DomainData": { "DomainData": {
"type": "object", "type": "object",
"properties": { "properties": {
"system-status": { "system-status": {
skipping to change at page 31, line 15 skipping to change at page 48, line 6
"NameServers": { "NameServers": {
"type": "array","items": {"$ref": "#/definitions/NameServers"}}, "type": "array","items": {"$ref": "#/definitions/NameServers"}},
"DomainContacts": { "DomainContacts": {
"$ref": "#/definitions/DomainContacts"}}, "$ref": "#/definitions/DomainContacts"}},
"required": ["Name","system-status","domain-status"], "required": ["Name","system-status","domain-status"],
"additionalProperties": false}, "additionalProperties": false},
"NameServers": { "NameServers": {
"type": "object", "type": "object",
"properties": { "properties": {
"Server": {"type": "string"}, "Server": {"type": "string"},
"Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}}, "Address": {"type":"array",
"items":{"$ref":"#/definitions/Address"}}},
"required": ["Server","Address"], "required": ["Server","Address"],
"additionalProperties": false}, "additionalProperties": false},
"DomainContacts": { "DomainContacts": {
"type": "object", "type": "object",
"properties": { "properties": {
"SameDomainContact": {"type": "string"}, "SameDomainContact": {"type": "string"},
"Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}}, "Contact": {"type":"array",
"items":{"$ref":"#/definitions/Contact"}}},
"required": ["Contact"], "required": ["Contact"],
"additionalProperties": false}, "additionalProperties": false},
"Service": { "Service": {
"type": "object", "type": "object",
"properties": { "properties": {
"ip-protocol": {"type": "integer"}, "ip-protocol": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"}, "ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "integer"}, "Port": {"type": "integer"},
"Portlist": {"$ref": "#/definitions/PORTLIST"}, "Portlist": {"$ref": "#/definitions/PORTLIST"},
"ProtoCode": {"type": "integer"}, "ProtoCode": {"type": "integer"},
"ProtoType": {"type": "integer"}, "ProtoType": {"type": "integer"},
"ProtoField": {"type": "integer"}, "ProtoField": {"type": "integer"},
"ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"}, "ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ServiceName": { "ServiceName": {
"type": "object", "type": "object",
"properties": { "properties": {
"IANAService": {"type": "string"}, "IANAService": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {"type": "array","items": {"type": "string"}}},
skipping to change at page 32, line 39 skipping to change at page 49, line 34
"RecordItem": { "RecordItem": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"URL": { "URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "type": "array","items": {"$ref": "#/definitions/URLtype"}},
"FileData": { "FileData": {
"type": "array","items": {"$ref": "#/definitions/FileData"}}, "type": "array","items": {"$ref": "#/definitions/FileData"}},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
"CertificateData": { "CertificateData": {
"type": "array","items": {"$ref": "#/definitions/CertificateData"}}, "type":"array","items":{"$ref":"#/definitions/CertificateData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false "additionalProperties": false
}, },
"RecordPattern": { "RecordPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"type": {"enum": ["regex","binary","xpath","ext-value"]}, "type": {"enum": ["regex","binary","xpath","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
skipping to change at page 34, line 18 skipping to change at page 51, line 11
"type": "object", "type": "object",
"properties": { "properties": {
"FileName": {"type": "string"}, "FileName": {"type": "string"},
"FileSize": {"type": "integer"}, "FileSize": {"type": "integer"},
"FileType": {"type": "string"}, "FileType": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"HashData": {"$ref": "#/definitions/HashData"}, "HashData": {"$ref": "#/definitions/HashData"},
"Signature": {"type": "array","items": {"type": "string"}}, "Signature": {"type": "array","items": {"type": "string"}},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": { "FileProperties": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "type":"array","items":{"$ref":"#/definitions/ExtensionType"}}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"HashData": { "HashData": {
"type": "object", "type": "object",
"properties": { "properties": {
"scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
"file-pe-resource","file-pdf-object","email-hash", "file-pe-resource","file-pdf-object","email-hash",
"email-hash-header","email-hash-body"]}, "email-hash-header","email-hash-body"]},
"HashTargetID": {"type": "string"}, "HashTargetID": {"type": "string"},
"Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
skipping to change at page 35, line 19 skipping to change at page 52, line 13
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": { "Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array","items": {"$ref": "#/definitions/Contact"}},
"Observable": {"$ref": "#/definitions/Observable"}, "Observable": {"$ref": "#/definitions/Observable"},
"uid-ref": {"type": "string"}, "uid-ref": {"type": "string"},
"IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"}, "IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"},
"IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
"NodeRole": { "NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"AttackPhase": { "AttackPhase": {
"type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
"Reference": { "Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}}, "type": "array","items": {"$ref": "#/definitions/Reference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"], "required": ["IndicatorID"],
"additionalProperties": false}, "additionalProperties": false},
skipping to change at page 36, line 15 skipping to change at page 53, line 9
"System": {"$ref": "#/definitions/System"}, "System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"}, "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"}, "DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"}, "Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"}, "$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"}, "FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
"RecordData": {"type": "array", "item": {"$ref": "#/definitions/Record"}}, "RecordData": {"type": "array",
"item": {"$ref": "#/definitions/Record"}},
"EventData": {"$ref": "#/definitions/EventData"}, "EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"}, "Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"}, "Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"}, "Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservable": { "BulkObservable": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
"site-url","domain-name","domain-to-ipv4","domain-to-ipv6", "mac","site-url","domain-name","domain-to-ipv4",
"domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", "domain-to-ipv6","domain-to-ipv4-timestamp",
"ipv4-port","ipv6-port","windows-reg-key","file-hash", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
"email-x-mailer","email-subject","http-user-agent", "windows-reg-key","file-hash","email-x-mailer",
"http-request-url","mutex","file-path","user-name", "email-subject","http-user-agent","http-request-url",
"ext-value"]}, "mutex","file-path","user-name","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableFormant":{
"$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "array", "item":{"type": "string"}}, "BulkObservableList": {"type": "array", "item":{"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservableFormat": { "BulkObservableFormat": {
"type": "object", "type": "object",
"properties": { "properties": {
"Hash": {"$ref": "#/definitions/Hash"}, "Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
skipping to change at page 38, line 4 skipping to change at page 54, line 47
"version": {"type": "string"}, "version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"}, "format-id": {"type": "string"},
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}}, "type": "array","items": {"$ref": "#/definitions/Incident"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"], "required": ["version","Incident"],
"additionalProperties": false} "additionalProperties": false}
Figure 2: JSON schema
6. Acknowledgements
TBD.
7. IANA Considerations
This memo includes no request to IANA.
8. Security Considerations
This memo does not provide any further security considerations than
the one described in [RFC7970].
9. Normative References
[jsonschema]
"JSON Schema", 2006.
http://json-schema.org/
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange Figure 3: JSON schema
Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>.
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
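Review bot: In the -04 column the text after the schema goes straight from the `Figure 3: JSON schema` caption to Authors' Addresses; the Acknowledgements, IANA Considerations, Security Considerations and Normative References that -03 had at this position do not appear on the right-hand side of this hunk, so confirm they were moved earlier in the document (the figure renumbering from 2 to 3 suggests a restructuring) rather than dropped. Wherever the reference list now lives, the `[jsonschema]` entry ("JSON Schema", 2006, http://json-schema.org/) should cite a specific JSON Schema draft rather than an undated site URL: the semantics of `$ref`, `definitions` and `additionalProperties` differ between drafts, and a validator needs to know which one this schema targets.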
 End of changes. 67 change blocks. 
134 lines changed or deleted 914 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/