draft-ietf-mile-jsoniodef-05.txt   draft-ietf-mile-jsoniodef-06.txt 
MILE T. Takahashi MILE T. Takahashi
Internet-Draft NICT Internet-Draft NICT
Intended status: Standards Track R. Danyliw Intended status: Standards Track R. Danyliw
Expires: April 25, 2019 CERT Expires: May 7, 2019 CERT
M. Suzuki M. Suzuki
NICT NICT
October 22, 2018 November 3, 2018
CBOR/JSON binding of IODEF CBOR/JSON binding of IODEF
draft-ietf-mile-jsoniodef-05 draft-ietf-mile-jsoniodef-06
Abstract Abstract
RFC7970 specified an information model and a corresponding XML data RFC7970 specified an information model and a corresponding XML data
model for exchanging incident and indicator information. This draft model for exchanging incident and indicator information. This draft
provides an alternative data model implementation in JSON. provides an alternative data model implementation in CBOR/JSON.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019. This Internet-Draft will expire on May 7, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 20
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3
2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5
2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5
2.2.2. Software and SoftwareReference . . . . . . . . . . . 6 2.2.2. Software and SoftwareReference . . . . . . . . . . . 6
2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6
2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7
3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7
3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7
3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 17 3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18
4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 18 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20
5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 20 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 24
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
8. Security Considerations . . . . . . . . . . . . . . . . . . . 35 8. Security Considerations . . . . . . . . . . . . . . . . . . . 43
9. Normative References . . . . . . . . . . . . . . . . . . . . 35 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43
Appendix A. The IODEF Data Model (JSON Schema) . . . . . . . . . 35 9.1. Normative References . . . . . . . . . . . . . . . . . . 43
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 9.2. Informative References . . . . . . . . . . . . . . . . . 43
Appendix A. Data Types used in this document . . . . . . . . . . 43
Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76
1. Introduction 1. Introduction
[RFC7970] defines a data representation for security incident reports [RFC7970] defines a data representation for security incident reports
and indicators commonly exchanged by operational security teams. It and indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable facilitates the automated exchange of this information to enable
mitigation and watch-and-warning. Section 3 of [RFC7970] defined an mitigation and watch-and-warning. Section 3 of [RFC7970] defined an
information model using Unified Modeling Language (UML) and a information model using Unified Modeling Language (UML) and a
corresponding Extensible Markup Language (XML) schema data model in corresponding Extensible Markup Language (XML) schema data model in
Section 8. This UML-based information model and XML-based data model Section 8. This UML-based information model and XML-based data model
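Review bot: in the table of contents only the 3.2 title was renamed to "Mapping between CBOR/JSON and XML IODEF"; 2.1 "Abstract Data Type to JSON Data Type Mapping", 2.2 "Complex JSON Types" and 3 "IODEF JSON Data Model" still say JSON alone. Rename these to match, or state in those sections that they apply to the CBOR encoding as well.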
skipping to change at page 4, line 34 skipping to change at page 4, line 34
| PHONE | Section 2.11 | "string" per [jsonschema] | | PHONE | Section 2.11 | "string" per [jsonschema] |
| EMAIL | Section 2.12 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] |
| URL | Section 2.13 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] |
| ID | Section 2.14 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] |
| IDREF | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] |
| SOFTWARE | Section 2.15 | see Section 2.2.2 | | SOFTWARE | Section 2.15 | see Section 2.2.2 |
| STRUCTURED | RFC 7213 | see Section 2.2.3 | | STRUCTURED | RFC 7213 | see Section 2.2.3 |
| EXTENSION | Section 2.16 | see Section 2.2.4 | | EXTENSION | Section 2.16 | see Section 2.2.4 |
+-----------------+-------------------+-------------------------------+ +-----------------+-------------------+-------------------------------+
Figure 1 Figure 1: JSON Data Types
+-----------------+------------------+-------------------------------------+ +-----------------+------------------+---------------------------------+
| IODEF Data Type | CBOR Data Type | CDDL prelude | | IODEF Data Type | CBOR Data Type | CDDL prelude |
| | | [draft-ietf-cbor-cddl-05] Reference | | | | [draft-ietf-cbor-cddl-05] |
+-----------------+------------------+-------------------------------------+ +-----------------+------------------+---------------------------------+
| INTEGER | 6 tag 2, 6 tag 3 | integer | | INTEGER | 6 tag 2, 6 tag 3 | integer |
| REAL | 7 bits 26 | float32 | | REAL | 7 bits 26 | float32 |
| CHARACTER | 3 text string | text | | CHARACTER | 3 text string | text |
| STRING | 3 text string | text | | STRING | 3 text string | text |
| ML_STRING | 5 map | see Maps/Structs, Section 3.5.1 | | ML_STRING | 5 map | Maps/Structs (Section 3.5.1) |
| BYTE | 6 tag 22 | eb64legacy | | BYTE | 6 tag 22 | eb64legacy |
| BYTE[] | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy |
| HEXBIN | 2 byte string | bytes | | HEXBIN | 2 byte string | bytes |
| HEXBIN[] | 2 byte string | bytes | | HEXBIN[] | 2 byte string | bytes |
| ENUM | - | see Choices, Section 2.2.2 | | ENUM | - | Choices (Section 2.2.2) |
| DATETIME | 6 tag 0 | tdate | | DATETIME | 6 tag 0 | tdate |
| TIMEZONE | 3 text string | text | | TIMEZONE | 3 text string | text |
| PORTLIST | 3 text string | text | | PORTLIST | 3 text string | text |
| POSTAL | 3 text string | text | | POSTAL | 3 text string | text |
| | | / see Maps/Structs, Section 3.5.1 | | | | or Maps/Structs(Section 3.5.1) |
| PHONE | 3 text string | text | | PHONE | 3 text string | text |
| EMAIL | 3 text string | text | | EMAIL | 3 text string | text |
| URL | 6 tag 32 | uri | | URL | 6 tag 32 | uri |
| ID | 3 text string | text | | ID | 3 text string | text |
| IDREF | 3 text string | text | | IDREF | 3 text string | text |
| SOFTWARE | 5 map | see Maps/Structs, Section 3.5.1 | | SOFTWARE | 5 map | Maps/Structs (Section 3.5.1) |
| STRUCTURED | 5 map | see Maps/Structs, Section 3.5.1 | | STRUCTURED | 5 map | Maps/Structs (Section 3.5.1) |
| EXTENSION | 5 map | see Maps/Structs, Section 3.5.1 | | EXTENSION | 5 map | Maps/Structs (Section 3.5.1) |
+-----------------+------------------+-------------------------------------+ +-----------------+------------------+---------------------------------+
Figure 2 Figure 2: CBOR Data Types
2.2. Complex JSON Types 2.2. Complex JSON Types
2.2.1. Multilingual Strings 2.2.1. Multilingual Strings
A string that needs to be represented in a human-readable language A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in different than the default encoding of the document is represented in
the information model by the ML_STRING data type. This data type is the information model by the ML_STRING data type. This data type is
implemented as an object with "value", "lang", and "translation-id" implemented as an object with "value", "lang", and "translation-id"
elements as defined in Section 5. Examples are shown below. elements as defined in Section 5. Examples are shown below.
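Review bot: in the CBOR table (Figure 2) the ENUM row now reads "Choices (Section 2.2.2)", which is ambiguous because Figure 1 just above uses "see Section 2.2.2" for SOFTWARE to mean this document's own section. Write "Section 2.2.2 of [draft-ietf-cbor-cddl-05]" here, and do the same for the "Section 3.5.1" cells. The POSTAL continuation row "or Maps/Structs(Section 3.5.1)" is also missing the space before the parenthesis.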
skipping to change at page 17, line 14 skipping to change at page 17, line 14
| IndicatorReference | uid-ref? | | | IndicatorReference | uid-ref? | |
| | euid-ref? | | | | euid-ref? | |
| | version? | 3.24.7 | | | version? | 3.24.7 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
| AttackPhase | AttackPhaseID* | | | AttackPhase | AttackPhaseID* | |
| | URL* | | | | URL* | |
| | Description* | | | | Description* | |
| | AdditionalData* | 3.24.8 | | | AdditionalData* | 3.24.8 |
+-----------------------------+--------------------+---------------+ +-----------------------------+--------------------+---------------+
3.2. Mapping between JSON and XML IODEF IODEF Classes
3.2. Mapping between CBOR/JSON and XML IODEF
o This document treats attributes and elements of each class defined o This document treats attributes and elements of each class defined
in [RFC7970] equally and is agnostic on the order of their in [RFC7970] equally and is agnostic on the order of their
appearances. appearances.
o Flow class is deleted, and classes with its instances now directly o Flow class is deleted, and classes with its instances now directly
have instances of EventData class that used to belong to the Flow have instances of EventData class that used to belong to the Flow
classs. classs.
o ApplicationHeader class is deleted, and classes with its instances o ApplicationHeader class is deleted, and classes with its instances
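Review bot: the Flow bullet under 3.2 still ends with "classs." in the new column; correct it to "class." while this list is being revised.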
skipping to change at page 17, line 46 skipping to change at page 17, line 48
o ObservableReference class is deleted, and classes with its o ObservableReference class is deleted, and classes with its
instances now directly have uid-ref as an element. instances now directly have uid-ref as an element.
o Record class is replaced by RecordData class, and RecordData class o Record class is replaced by RecordData class, and RecordData class
is renamed to Record class. is renamed to Record class.
o Record class is deleted, and classes with its instances now o Record class is deleted, and classes with its instances now
directly have the instances of RecordData class that used to directly have the instances of RecordData class that used to
belong to the Record class. belong to the Record class.
o The elements of ML_STRING type are prepared as two separate o The elements of ML_STRING type in XML IODEF document are presented
elements: one of STRING type and another of ML_STRING type, in as either STRING type or ML_STRING type in CBOR/JSON IODEF
order to maintain the simplicity of IODEF documents when writing document.
with only STRING type characters.
o The order of appearances of class elements were ignored in CBOR/
JSON version.
4. Examples 4. Examples
This section provides example of IODEF documents. These examples do This section provides example of IODEF documents. These examples do
not represent the full capabilities of the data model or the the only not represent the full capabilities of the data model or the the only
way to encode particular information. way to encode particular information.
4.1. Minimal Example 4.1. Minimal Example
A document containing only the mandatory elements and attributes. A document containing only the mandatory elements and attributes is
shown below in JSON and CBOR, respectively.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
"purpose": "reporting", "purpose": "reporting",
"restriction": "private", "restriction": "private",
"IncidentID": { "IncidentID": {
"id": "492382", "id": "492382",
"name": "csirt.example.com" "name": "csirt.example.com"
}, },
"GenerationTime": "2015-07-18T09:00:00-05:00", "GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [{ "Contact": [{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"Email": [{ "Email": [{"EmailTo": "contact@csirt.example.com"}]
"EmailTo": "contact@csirt.example.com"
}]
}] }]
}] }]
} }
Figure 3: A Minimal Example in JSON
A3 # map(3)
67 # text(7)
76657273696F6E # "version"
63 # text(3)
322E30 # "2.0"
64 # text(4)
6C616E67 # "lang"
62 # text(2)
656E # "en"
68 # text(8)
496E636964656E74 # "Incident"
81 # array(1)
A5 # map(5)
67 # text(7)
707572706F7365 # "purpose"
69 # text(9)
7265706F7274696E67 # "reporting"
6B # text(11)
7265737472696374696F6E # "restriction"
67 # text(7)
70726976617465 # "private"
6A # text(10)
496E636964656E744944 # "IncidentID"
A2 # map(2)
62 # text(2)
6964 # "id"
66 # text(6)
343932333832 # "492382"
64 # text(4)
6E616D65 # "name"
71 # text(17)
63736972742E6578616D706C652E636F6D # "csirt.example.com"
6E # text(14)
47656E65726174696F6E54696D65 # "GenerationTime"
C0 # tag(0)
78 19 # text(25)
323031352D30372D31385430393A30303A30302D30353A3030
# "2015-07-18T09:00:00-05:00"
67 # text(7)
436F6E74616374 # "Contact"
81 # array(1)
A3 # map(3)
64 # text(4)
74797065 # "type"
6C # text(12)
6F7267616E697A6174696F6E # "organization"
64 # text(4)
726F6C65 # "role"
67 # text(7)
63726561746F72 # "creator"
65 # text(5)
456D61696C # "Email"
81 # array(1)
A1 # map(1)
67 # text(7)
456D61696C546F # "EmailTo"
78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D
# "contact@csirt.example.com"
Figure 4: A Minimal Example in CBOR
4.2. Indicators from a Campaign 4.2. Indicators from a Campaign
An example of C2 domains from a given campaign. An example of C2 domains from a given campaign is shwon below in JSON
and CBOR, respectively.
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incidents": [ "Incident": [{
{ "purpose": "watch",
"purpose": "watch", "restriction": "green",
"restriction": "green", "IncidentID": {
"IncidentID": { "id": "897923",
"id": "897923", "name": "csirt.example.com"
"name": "csirt.example.com" },
"RelatedActivity": [{
"ThreatActor": [{
"ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
"Description": ["Aggressive Butterfly"]}],
"Campaign": [{
"CampaignID": ["C-2015-59405"],
"Description": ["Orange Giraffe"]
}]
}],
"GenerationTime": "2015-10-02T11:18:00-05:00",
"Description": ["Summarizes the Indicators of Compromise for the
Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
"Assessment": [{
"Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
}],
"Contact": [{
"type": "organization",
"role": "creator",
"ContactName": ["CSIRT for example.com"],
"Email": [{
"EmailTo": "contact@csirt.example.com"
}]
}],
"Indicator": [{
"IndicatorID": {
"id": "G90823490",
"name": "csirt.example.com",
"version": "1"
}, },
"RelatedActivity": [ "Description": ["C2 domains"],
{ "StartTime": "2014-12-02T11:18:00-05:00",
"ThreatActor": [ "Observable": {
{ "BulkObservable": {
"ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", "type": "ipv6-addr",
"Description": "Aggressive Butterfly" "BulkObservableList": "kj290023j09r34.example.com"}
} }
], }]
"Campaign": [ }]
{
"CampaignID": "C-2015-59405",
"Description": "Orange Giraffe"
}
]
}
],
"GenerationTime": "2015-10-02T11:18:00-05:00",
"Description": [
"Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
],
"Assessment": [
{
"BusinessImpact": {
"type": "breach-proprietary"
}
}
],
"Contacts": [
{
"type": "organization",
"role": "creator",
"ContactName": "CSIRT for example.com",
"Email": {
"emailTo": "contact@csirt.example.com"
}
}
],
"IndicatorList": [
{
"IndicatorID": {
"id": "G90823490",
"name": "csirt.example.com",
"version": "1"
},
"Description": "C2 domains",
"StartTime": "2014-12-02T11:18:00-05:00",
"Observable": {
"BulkObservable": {
"type": "fqdn"
},
"BulkObservableList": [
"kj290023j09r34.example.com",
"09ijk23jfj0k8.example.net",
"klknjwfjiowjefr923.example.org",
"oimireik79msd.example.org"
]
}
}
]
}
]
} }
Figure 5: Indicators from a Campaign in JSON
A3 # map(3)
67 # text(7)
76657273696F6E # "version"
63 # text(3)
322E30 # "2.0"
64 # text(4)
6C616E67 # "lang"
62 # text(2)
656E # "en"
68 # text(8)
496E636964656E74 # "Incident"
81 # array(1)
A9 # map(9)
67 # text(7)
707572706F7365 # "purpose"
65 # text(5)
7761746368 # "watch"
6B # text(11)
7265737472696374696F6E # "restriction"
65 # text(5)
677265656E # "green"
6A # text(10)
496E636964656E744944 # "IncidentID"
A2 # map(2)
62 # text(2)
6964 # "id"
66 # text(6)
383937393233 # "897923"
64 # text(4)
6E616D65 # "name"
71 # text(17)
63736972742E6578616D706C652E636F6D # "csirt.example.com"
6F # text(15)
52656C617465644163746976697479 # "RelatedActivity"
81 # array(1)
A2 # map(2)
6B # text(11)
5468726561744163746F72 # "ThreatActor"
81 # array(1)
A2 # map(2)
6D # text(13)
5468726561744163746F724944 # "ThreatActorID"
81 # array(1)
78 1A # text(26)
54412D31322D414747524553534956452D425554544552464
C59 # "TA-12-AGGRESSIVE-BUTTERFLY"
6B # text(11)
4465736372697074696F6E # "Description"
81 # array(1)
74 # text(20)
4167677265737369766520427574746572666C79
# "Aggressive Butterfly"
68 # text(8)
43616D706169676E # "Campaign"
81 # array(1)
A2 # map(2)
6A # text(10)
43616D706169676E4944 # "CampaignID"
81 # array(1)
6C # text(12)
432D323031352D3539343035 # "C-2015-59405"
6B # text(11)
4465736372697074696F6E # "Description"
81 # array(1)
6E # text(14)
4F72616E67652047697261666665 # "Orange Giraffe"
6E # text(14)
47656E65726174696F6E54696D65 # "GenerationTime"
C0 # tag(0)
78 19 # text(25)
323031352D31302D30325431313A31383A30302D30353A3030
# "2015-10-02T11:18:00-05:00"
6B # text(11)
4465736372697074696F6E # "Description"
81 # array(1)
78 6F # text(111)
53756D6D6172697A65732074686520496E64696361746F7273206F6620436
F6D70726F6D69736520666F7220746865204F72616E676520476972616666
652063616D706169676E206F6620746865204167677265737369766520427
574746572666C79206372696D652067616E672E
# "Summarizes the Indicators of Compromise for the Orange
Giraffe campaign of the Aggressive Butterfly crime gang."
6A # text(10)
4173736573736D656E74 # "Assessment"
81 # array(1)
A1 # map(1)
66 # text(6)
496D70616374 # "Impact"
81 # array(1)
A1 # map(1)
6E # text(14)
427573696E657373496D70616374 # "BusinessImpact"
A1 # map(1)
64 # text(4)
74797065 # "type"
72 # text(18)
6272656163682D70726F7072696574617279
# "breach-proprietary"
67 # text(7)
436F6E74616374 # "Contact"
81 # array(1)
A4 # map(4)
64 # text(4)
74797065 # "type"
6C # text(12)
6F7267616E697A6174696F6E # "organization"
64 # text(4)
726F6C65 # "role"
67 # text(7)
63726561746F72 # "creator"
6B # text(11)
436F6E746163744E616D65 # "ContactName"
81 # array(1)
75 # text(21)
435349525420666F72206578616D706C652E636F6D
# "CSIRT for example.com"
65 # text(5)
456D61696C # "Email"
81 # array(1)
A1 # map(1)
67 # text(7)
456D61696C546F # "EmailTo"
78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D
# "contact@csirt.example.com"
69 # text(9)
496E64696361746F72 # "Indicator"
81 # array(1)
A4 # map(4)
6B # text(11)
496E64696361746F724944 # "IndicatorID"
A3 # map(3)
62 # text(2)
6964 # "id"
69 # text(9)
473930383233343930 # "G90823490"
64 # text(4)
6E616D65 # "name"
71 # text(17)
63736972742E6578616D706C652E636F6D
# "csirt.example.com"
67 # text(7)
76657273696F6E # "version"
61 # text(1)
31 # "1"
6B # text(11)
4465736372697074696F6E # "Description"
81 # array(1)
6A # text(10)
433220646F6D61696E73 # "C2 domains"
69 # text(9)
537461727454696D65 # "StartTime"
C0 # tag(0)
78 19 # text(25)
323031342D31322D30325431313A31383A30302D30353A3030
# "2014-12-02T11:18:00-05:00"
6A # text(10)
4F627365727661626C65 # "Observable"
A1 # map(1)
6E # text(14)
42756C6B4F627365727661626C65 # "BulkObservable"
A2 # map(2)
64 # text(4)
74797065 # "type"
69 # text(9)
697076362D61646472 # "ipv6-addr"
72 # text(18)
42756C6B4F627365727661626C654C697374
# "BulkObservableList"
78 1A # text(26)
6B6A3239303032336A30397233342E6578616D706C652E636F6D
# "kj290023j09r34.example.com"
Figure 6: Indicators from a Campaign in CBOR
5. The IODEF Data Model (CDDL) 5. The IODEF Data Model (CDDL)
start = iodef start = iodef
;;; iodef.json: IODEF-Document ;;; iodef.json: IODEF-Document
iodef = { iodef = {
version: text version: text
? lang: lang ? lang: lang
? format-id: text ? format-id: text
? private-enum-name: text ? private-enum-name: text
? private-enum-id: text ? private-enum-id: text
Incident: [+ Incident] Incident: [+ Incident]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
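Review bot: in the new JSON of Figure 5, BulkObservable declares "type": "ipv6-addr" while BulkObservableList carries the FQDN "kj290023j09r34.example.com" and the indicator Description is "C2 domains". The -05 column used "fqdn", and Figure 6 encodes the same "ipv6-addr" string, so a consumer that validates the value against the declared type would reject the example. Restore "fqdn" in both figures, and say whether BulkObservableList is now a single text value, since the other three domains from -05 were dropped. Also in this hunk: the Description string in Figure 5 is wrapped across two lines inside the quotes, which is not valid JSON if copied as is, and "shwon" in the 4.2 lead-in should be "shown".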
skipping to change at page 20, line 40 skipping to change at page 25, line 21
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value" "year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
restriction = "public" / "partner" / "need-to-know" / "private" / restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" / "default" / "white" / "green" / "amber" / "red" /
"ext-value" "ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "\d+(\-\d+)?(,\d+(\-\d+)?)*" PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
action = "nothing" / "contact-source-site" / "cotact-target-site" / action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" / "contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" / "block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" / "honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" / "harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" / "status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value" "defined-coa" / "other" / "ext-value"
DATETIME = tdate
MLStringType = { MLStringType = {
value: text value: text
?lang: lang ? lang: lang
?translation-id: text ? translation-id: text
} }
PositiveFloatType = { PositiveFloatType = float32 .gt 0
value: float32 .gt 0
}
PAddressType = MLStringType PAddressType = MLStringType
ExtensionType = { ExtensionType = {
value: text ? ssvalue: text
? Name: text ? name: text
dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" / "ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
.default "string"
? ext-dtype: text ? ext-dtype: text
? meaning: text ? meaning: text
? formatid: text ? formatid: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
} }
SoftwareType = { SoftwareType = {
? SoftwareReference: SoftwareReference ? SoftwareReference: SoftwareReference
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
SoftwareReference = { SoftwareReference = {
? value: text ? value: text
spec-name: "custom" / "cpe" / "swid" / "ext-value" spec-name: "custom" / "cpe" / "swid" / "ext-value"
? ext-spec-name: text ? ext-spec-name: text
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string" ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
.default "string"
? ext-dtype: text ? ext-dtype: text
} }
Incident = { Incident = {
purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
"ext-value" "ext-value"
? ext-purpose: text ? ext-purpose: text
? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
"ext-value" "ext-value"
? ext-status: text ? ext-status: text
? lang: lang ? lang: lang
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
IncidentID: IncidentID IncidentID: IncidentID
? AlternativeID: AlternativeID ? AlternativeID: AlternativeID
? RelatedActivity: [+ RelatedActivity] ? RelatedActivity: [+ RelatedActivity]
? DetectTime: tdate ? DetectTime: DATETIME
? StartTime: tdate ? StartTime: DATETIME
? EndTime: tdate ? EndTime: DATETIME
? RecoveryTime: tdate ? RecoveryTime: DATETIME
? ReportTime: tdate ? ReportTime: DATETIME
GenerationTime: tdate GenerationTime: DATETIME
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: [+ Assessment] ? Assessment: [+ Assessment]
? Method: [+ Method] ? Method: [+ Method]
Contact: [+ Contact] Contact: [+ Contact]
? EventData: [+ EventData] ? EventData: [+ EventData]
? Indicator: [+ Indicator] ? Indicator: [+ Indicator]
? History: History ? History: History
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
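Review bot: in ExtensionType the member "value: text" becomes "? ssvalue: text"; "ssvalue" appears nowhere else in this hunk (MLStringType and SoftwareReference both keep "value") and looks like a typo. If the intent was only to make the member optional, write "? value: text". The PortlistType regexp now doubles its backslashes ("\\d+(\\-\\d+)?...") while TimeZonetype still uses single ones ("[\+\-]"); pick one escaping convention for the .regexp strings.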
skipping to change at page 22, line 46 skipping to change at page 27, line 32
AlternativeID = { AlternativeID = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IncidentID: [+ IncidentID] IncidentID: [+ IncidentID]
} }
RelatedActivity = { RelatedActivity = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? IncidentID: [+ IncidentID] ? IncidentID: [+ IncidentID]
? URL: [+ uri] ? URL: [+ URLtype]
? ThreatActor: [+ ThreatActor] ? ThreatActor: [+ ThreatActor]
? Campaign: [+ Campaign] ? Campaign: [+ Campaign]
? IndicatorID: [+ IndicatorID] ? IndicatorID: [+ IndicatorID]
? Confidence: Confidence ? Confidence: Confidence
? Description: [+ text] ? Description: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
ThreatActor = { ThreatActor = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? ThreatActorID: [+ text] ? ThreatActorID: [+ text]
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Campaign = { Campaign = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? CampaignID: [+ text] ? CampaignID: [+ text]
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Contact = { Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" / "vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value" "ext-value"
? ext-role: text ? ext-role: text
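Review bot: RelatedActivity still declares "? Description: [+ text]" while ThreatActor and Campaign in the same hunk use "[+ text / MLStringType]". Since this revision already touches the neighbouring URL members, align RelatedActivity.Description with the others or note why it is text-only.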
skipping to change at page 23, line 49 skipping to change at page 28, line 35
? PostalAddress: [+ PostalAddress] ? PostalAddress: [+ PostalAddress]
? Email: [+ Email] ? Email: [+ Email]
? Telephone: [+ Telephone] ? Telephone: [+ Telephone]
? Timezone: TimeZonetype ? Timezone: TimeZonetype
? Contact: [+ Contact] ? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
handle: text handle: text
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
"local" / "ext-value" "afrinic" / "local" / "ext-value"
? ext-registry: text ? ext-registry: text
} }
PostalAddress = { PostalAddress = {
? type: text ? type: text
? ext-type: text ? ext-type: text
PAddress: PAddressType PAddress: PAddressType
? Description: [+ text / MLStringTYpe] ? Description: [+ text / MLStringType]
} }
Email = { Email = {
? type: "direct" / "hotline" / "ext-value" ? type: "direct" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
EmailTo: text EmailTo: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
Telephone = { Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
TelephoneNumber: text TelephoneNumber: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
Discovery = { Discovery = {
skipping to change at page 24, line 31 skipping to change at page 29, line 17
Telephone = { Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text ? ext-type: text
TelephoneNumber: text TelephoneNumber: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
Discovery = { Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" / "incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investiation" / "audit" / "network-flow" / "passive-dns" / "investigation" / "audit" /
"international-notification" / "external-notification" / "internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value" "leo" / "partner" / "actor" / "unknown" / "ext-value"
? ext-source: text ? ext-source: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? Contact: [+ Contact] ? Contact: [+ Contact]
? DetectionPattern: [+ DetectionPattern] ? DetectionPattern: [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
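Review bot: the `source` enumeration in Discovery changes two values on the wire: "investiation" becomes "investigation" and "international-notification" becomes "internal-notification". The second is a change of meaning, not only of spelling. Producers built against -05 will emit values that no longer validate, so both renames deserve an explicit change-log entry, and the JSON schema enum for Discovery.source should be checked to carry the same two spellings.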
skipping to change at page 25, line 14 skipping to change at page 29, line 49
? ext-restriction: text ? ext-restriction: text
? Reference: [+ Reference] ? Reference: [+ Reference]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? AttackPattern: [+ StructuredInformation] ? AttackPattern: [+ StructuredInformation]
? Vulnerability: [+ StructuredInformation] ? Vulnerability: [+ StructuredInformation]
? Weakness: [+ StructuredInformation] ? Weakness: [+ StructuredInformation]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
StructuredInformation = { StructuredInformation = {
specID: text SpecID: SpecID
? ext-specID: text ? ext-SpecID: text
? contentID: text ? ContentID: text
? RawData: any ? RawData: [+ ExtensionType]
? URL: uri ? Reference:[+ Reference]
? Platform:[+ Platform]
? Scoring:[+ Scoring]
}
Platform = {
SpecID: SpecID
? ext-SpecID: text
? ContentID: text
? RawData: [+ ExtensionType]
? Reference: [+ Reference]
}
Scoring = {
SpecID: SpecID
? ext-SpecID: text
? ContentID: text
? RawData: [+ ExtensionType]
? Reference: [+ Reference]
} }
Reference = { Reference = {
? observable-id: IDtype ? observable-id: IDtype
? ReferenceName: ReferenceName ? ReferenceName: ReferenceName
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
ReferenceName = { ReferenceName = {
specIndex: integer specIndex: integer
ID: IDtype ID: IDtype
} }
Assessment = { Assessment = {
? occurrence: "actual" / "potential" ? occurrence: "actual" / "potential"
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? IncidentCategory: [+ text / MLStringType] ? IncidentCategory: [+ text / MLStringType]
Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} / Impact: [+ {SystemImpact: SystemImpact} /
{TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} / {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
{MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}] {MonetaryImpact: MonetaryImpact} /
{IntendedImpact: BusinessImpact}]
? Counter: [+ Counter] ? Counter: [+ Counter]
? MitigatingFactor: [+ text / MLStringType] ? MitigatingFactor: [+ text / MLStringType]
? Cause: [+ text / MLStringType] ? Cause: [+ text / MLStringType]
? Confidence: Confidence ? Confidence: Confidence
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
SystemImpact = { SystemImpact = {
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? completion: "failed" / "succeeded" ? completion: "failed" / "succeeded"
type: "takeover-account" / "takeover-service" / "takeover-system" / type: "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" / "cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" / "availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" / "availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-proprietary" / "breach-privacy" / "breach-credential" /
"breack-configuration" / "integrity-data" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "traffic-redirection"/"monitoring-traffic"/"monitoring-host"/
"policy" / "unknown" / "ext-value" .default "unknown" "policy" / "unknown" / "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
BusinessImpact = { BusinessImpact = {
? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown" ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value"
.default "unknown"
? ext-severity: text ? ext-severity: text
type: "breach-proprietary" / "breach-privacy" / "breach-credential" / type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" / "loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" / "theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" / "asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" .default "unknown" "ext-value" .default "unknown"
? ext-type: text ? ext-type: text
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
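Review bot: Platform and Scoring are defined with the same five members (SpecID, ext-SpecID, ContentID, RawData, Reference), and StructuredInformation repeats them before adding Platform and Scoring. Defining the shared members once as a group and including it in all three rules would keep them from drifting apart. Separately, the renames `specID` to `SpecID` and `contentID` to `ContentID`, and the replacement of `? URL: uri` by `? Reference:[+ Reference]`, change member names that -05 producers emit and should be listed as breaking changes. The new lines also drop the space after the colon (`Reference:[+ Reference]`) that the rest of the figure uses.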
skipping to change at page 27, line 14 skipping to change at page 32, line 16
? ext-restriction: text ? ext-restriction: text
HistoryItem: [+ HistoryItem] HistoryItem: [+ HistoryItem]
} }
HistoryItem = { HistoryItem = {
action: action .default "other" action: action .default "other"
? ext-action: text ? ext-action: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
DateTime: tdate DateTime: DATETIME
? IncidentID: IncidentID ? IncidentID: IncidentID
? Contact: Contact ? Contact: Contact
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
EventData = { EventData = {
? restriction: restriction .default "default" ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? DetectTime: tdate ? DetectTime: DATETIME
? StartTime: tdate ? StartTime: DATETIME
? EndTime: tdate ? EndTime: DATETIME
? RecoveryTime: tdate ? RecoveryTime: DATETIME
? ReportTime: tdate ? ReportTime: DATETIME
? Contact: [+ Contact] ? Contact: [+ Contact]
? Discovery: [+ Discovery] ? Discovery: [+ Discovery]
? Assessment: Assessment ? Assessment: Assessment
? Method: [+ Method] ? Method: [+ Method]
? System: [+ System] ? System: [+ System]
? Expectation: [+ Expectation] ? Expectation: [+ Expectation]
? RecordData: [+ RecordData] ? RecordData: [+ RecordData]
? EventData: [+ EventData] ? EventData: [+ EventData]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Expectation = { Expectation = {
? action: action .default "other" ? action: action .default "other"
? ext-action: text ? ext-action: text
? severity: "low" / "medium" / "high" ? severity: "low" / "medium" / "high"
? restriction: restriction .default "default" ? restriction: restriction .default "default"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? DefinedCOA: [+ text] ? DefinedCOA: [+ text]
? StartTime: tdate ? StartTime: DATETIME
? EndTime: tdate ? EndTime: DATETIME
? Contact: Contact ? Contact: Contact
} }
System = { System = {
? category: "source" / "target" / "intermediate" / "sensor" / ? category: "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value" "infrastructure" / "ext-value"
? ext-category: text ? ext-category: text
? interface: text ? interface: text
? spoofed: "unknown" / "yes" / "no" .default "unknown" ? spoofed: "unknown" / "yes" / "no" .default "unknown"
? virtual: "yes" / "no" / "unknown" .default "unknown" ? virtual: "yes" / "no" / "unknown" .default "unknown"
? ownership: "organization" / "personal" / "partner" / "customer" / ? ownership: "organization" / "personal" / "partner" / "customer" /
"no-relationship" / "unknown" / "ext-value" "no-relationship" / "unknown" / "ext-value"
? ext-ownership: text ? ext-ownership: text
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
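Review bot: every `tdate` in HistoryItem, EventData and Expectation becomes `DATETIME`, but the CDDL rule for DATETIME is not part of this hunk. In the CDDL prelude `tdate` is `#6.0(tstr)`, so in CBOR it carries tag 0; if DATETIME is plain text, the CBOR encoding of these members changes along with the name. The draft should state which it is. Appendix A still lists `tdate` in its mapping table and should list the type the figure actually uses.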
skipping to change at page 28, line 33 skipping to change at page 33, line 35
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? Service: [+ Service] ? Service: [+ Service]
? OperatingSystem: [+ SoftwareType] ? OperatingSystem: [+ SoftwareType]
? Counter: [+ Counter] ? Counter: [+ Counter]
? AssetID: [+ text] ? AssetID: [+ text]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Node = { Node = {
? DomainData: [+ DomainData] ( DomainData:[+ DomainData]
? Address: [+ Address] ? Address:[+ Address]) /
? PostalAddress: PAddressType (? DomainData:[+ DomainData]
? Location: [+ text / MLSTringType] + Address:[+ Address])
? PostalAddress: PostalAddress
? Location: [+ text / MLStringType]
? Counter: [+ Counter] ? Counter: [+ Counter]
} }
Address = { Address = {
value: text value: text
category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" /
"ext-value" .default "ipv6-addr" "ext-value" .default "ipv6-addr"
? ext-category: text ? ext-category: text
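Review bot: in Node, the two parenthesized alternatives are joined with `/`, which in CDDL is the type-choice operator; a choice between groups of map members is written `//`. In the second alternative, `+ Address:[+ Address]` puts a one-or-more occurrence on a map member whose key can appear only once, so a plain required `Address: [+ Address]` looks like what was meant. Suggested form: `(DomainData: [+ DomainData], ? Address: [+ Address]) // (? DomainData: [+ DomainData], Address: [+ Address])`. The change of PostalAddress from `PAddressType` to `PostalAddress` also alters the shape of that member and should be mentioned in the change log.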
skipping to change at page 29, line 32 skipping to change at page 34, line 36
} }
Counter = { Counter = {
value: float32 value: float32
type: "count" / "peak" / "average" / "ext-value" type: "count" / "peak" / "average" / "ext-value"
? ext-type: text ? ext-type: text
unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" / "message" / "event" / "host" / "site" / "organization" /
"ext-value" "ext-value"
? ext-unit: text ? ext-unit: text
? meaning: text / MLStringTYpe ? meaning: text
? duration: duration .default "hour" ? duration: duration .default "hour"
? ext-duration: text ? ext-duration: text
} }
DomainData = { DomainData = {
system-status: "spoofed" / "fraudulent" / "innocent-hacked" / system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
"innocent-hijacked" / "unknown" / "ext-value" "innocent-hijacked" / "unknown" / "ext-value"
? ext-system-status: text ? ext-system-status: text
domain-status: "reservedDelegation" / "assignedAndActive" / domain-status: "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" / "assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" / "revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value" "registrarLock" / "other" / "unknown" / "ext-value"
? ext-domain-status: text ? ext-domain-status: text
? observable-id: IDtype ? observable-id: IDtype
Name: text Name: text
? DateDomainWasChecked: tdate ? DateDomainWasChecked: DATETIME
? RegistrationDate: tdate ? RegistrationDate: DATETIME
? ExpirationDate: tdate ? ExpirationDate: DATETIME
? RelatedDNS: [+ ExtensionType] ? RelatedDNS: [+ ExtensionType]
? NameServers: [+ NameServers] ? NameServers: [+ NameServers]
? DomainContacts: DomainContacts ? DomainContacts: DomainContacts
} }
NameServers = { NameServers = {
Server: text Server: text
Address: [+ Address] Address: [+ Address]
} }
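Review bot: `meaning` in Counter goes from `text / MLStringTYpe` to `text`, whereas the same misspelling in PostalAddress.Description was corrected to `MLStringType` rather than removed. If dropping the multilingual alternative here is intended, the change log should say so; if not, the line should read `? meaning: text / MLStringType`. The three date members of DomainData move from `tdate` to `DATETIME` in the same hunk, so the definition of DATETIME needs to be in place for this rule as well.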
skipping to change at page 30, line 34 skipping to change at page 35, line 38
? ProtoCode: integer ? ProtoCode: integer
? ProtoType: integer ? ProtoType: integer
? ProtoField: integer ? ProtoField: integer
? ApplicationHeaderField: [+ ExtensionType] ? ApplicationHeaderField: [+ ExtensionType]
? EmailData: EmailData ? EmailData: EmailData
? Application: SoftwareType ? Application: SoftwareType
} }
ServiceName = { ServiceName = {
? IANAService: text ? IANAService: text
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
EmailData = { EmailData = {
? observable-id: IDtype ? observable-id: IDtype
? EmailTo: [+ text] ? EmailTo: [+ text]
? EmailFrom: text ? EmailFrom: text
? EmailSubject: text ? EmailSubject: text
? EmailX-Mailer: text ? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType] ? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text ? EmailHeaders: text
? EmailBody: text ? EmailBody: text
? EmailMessage: text ? EmailMessage: text
? HashData: [+ HashData] ? HashData: [+ HashData]
? Signature: [+ text] ? Signature: [+ SignatureType]
}
SignatureType = {
? id: IDtype
SignedInfo: SignedInfoType
SignatureValue: SignatureValueType
? KeyInfo: KeyInfoType
? Object: [+ ObjectType]
}
SignedInfoType = {
? id: IDtype
CanonicalizationMethod: CanonicalizationMethodType
SignatureMethod: SignatureMethodType
Reference: [+ ReferenceType]
}
SignatureMethodType = {
? value: text
Algorithm: URLtype
? HMACOutputLength: HMACOutputLengthType
} }
HMACOutputLengthType = integer
ReferenceType = {
? id: IDtype
? URI: URLtype
? Type: URLtype
? Transforms: TransformsType
DigestMethod: DigestMethodType
DigestValue: DigestValueType
}
TransformsType = {
Transform: [+ TransformType]
}
TransformType = {
? value: text
Algorithm: URLtype
? XPath: [+ text]
}
DigestMethodType = {
? value: text
Algorithm: URLtype
}
DigestValueType = eb64legacy
SignatureValueType = {
value: eb64legacy
? id: IDtype
}
KeyInfoType = {
? value: text
? id: IDtype
KeyProperties: [+ {KeyName: text} / {KeyValue: KeyValueType} /
{RetrievalMethod: RetrievalMethodType} /
{X509Data: X509DataType} / {PGPData: PGPDataType} /
{SPKIData: SPKIDataType} / {MgmtData: text}]
}
KeyValueType = {
? value: text
KeyValueProperties: {DSAKeyValue: DSAKeyValueType} /
{RSAKeyValue: RSAKeyValueType}
}
DSAKeyValueType = {
? P: CryptoBinary
? Q: CryptoBinary
? G: CryptoBinary
Y: CryptoBinary
? J: CryptoBinary
? Seed: CryptoBinary
? PgenCounter: CryptoBinary
}
CryptoBinary = eb64legacy
RSAKeyValueType ={
Modulus: CryptoBinary
Exponent: CryptoBinary
}
RetrievalMethodType = {
URI: URLtype
? Type: URLtype
? Transforms: TransformsType
}
PGPDataType = {
? value: text
PGPDataProperties: {PGPKeyID: eb64legacy} / {PGPKeyPacket: eb64legacy}
}
SPKIDataType = {
? value: text
SPKISexp: [+ eb64legacy]
}
ObjectType = {
? value: text
? id: IDtype
? MimeType: text
? Encoding: URLtype
}
RecordData = { RecordData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
? DateTime: tdate ? DateTime: DATETIME
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? Applicadtion: SoftwareType ? Application: SoftwareType
? RecordPattern: [+ RecordPattern] ? RecordPattern: [+ RecordPattern]
? RecordItem: [+ ExtensionType] ? RecordItem: [+ ExtensionType]
? URL: [+ uri] ? URL: [+ URLtype]
? FileData: [+ FileData] ? FileData: [+ FileData]
? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
? CertificateData: [+ CertificateData] ? CertificateData: [+ CertificateData]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
RecordPattern = { RecordPattern = {
value: text value: text
type: "regex" / "binary" / "xpath" / "ext-value" .default "regex" type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
? ext-type: text ? ext-type: text
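Review bot: `HMACOutputLengthType = integer` puts no lower bound on the truncation length carried in SignatureMethodType, so zero and negative values are valid under this rule. A verifier that honours a very small HMACOutputLength ends up accepting a heavily truncated MAC; constrain the type (for example `uint` with a stated minimum) or require receivers to reject lengths below their own floor. The `Algorithm: URLtype` members of SignatureMethodType, DigestMethodType and TransformType are equally unconstrained, so the text should tell receivers to accept only algorithm identifiers they explicitly support. Minor: `RSAKeyValueType ={` is missing the space before the brace.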
skipping to change at page 32, line 4 skipping to change at page 39, line 20
KeyName: text KeyName: text
? KeyValue: text ? KeyValue: text
} }
CertificateData = { CertificateData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
Certificate: [+ Certificate] Certificate: [+ Certificate]
} }
Certificate = { Certificate = {
? observable-id: IDtype ? observable-id: IDtype
X509Data: text X509Data: X509DataType
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
} }
X509DataType = {
X509DataProperties: [+ {X509IssuerSerial: X509IssuerSerialType} /
{X509SKI: eb64legacy} / {X509SubjectName: text} /
{X509Certificate: eb64legacy} /
{X509CRL: eb64legacy}]
}
X509IssuerSerialType = {
X509IssuerName: text
X509SerialNumber: integer
}
FileData = { FileData = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
? observable-id: IDtype ? observable-id: IDtype
File: [+ File] File: [+ File]
} }
File = { File = {
? observable-id: IDtype ? observable-id: IDtype
? FileName: text ? FileName: text
? FileSize: integer ? FileSize: integer
? FileType: text ? FileType: text
? URL: [+ uri] ? URL: [+ URLtype]
? HashData: HashData ? HashData: HashData
? Signature: [+ text] ? Signature: [+ SignatureType]
? AssociatedSoftware: SoftwareType ? AssociatedSoftware: SoftwareType
? FileProperties: [+ ExtensionType] ? FileProperties: [+ ExtensionType]
} }
HashData = { HashData = {
scope: "file-contents" / "file-pe-section" / "file-pe-iat" / scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" / "file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-hash-header" / "email-hash-body" "email-hash-header" / "email-hash-body"
? HashTargetID: text ? HashTargetID: text
? Hash: [+ Hash] ? Hash: [+ Hash]
? FuzzyHash: [+ FuzzyHash] ? FuzzyHash: [+ FuzzyHash]
} }
Hash = { Hash = {
DigestMethod: text DigestMethod: DigestMethodType
DigestValue: text DigestValue: DigestValueType
? CanonicalizationMethod: any ? CanonicalizationMethod: CanonicalizationMethodType
? Application: SoftwareType ? Application: SoftwareType
} }
CanonicalizationMethodType = {
? value: text
Algorithm: URLtype
}
FuzzyHash = { FuzzyHash = {
FuzzyHashValue: [+ ExtensionType] FuzzyHashValue: [+ ExtensionType]
? Application: SoftwareType ? Application: SoftwareType
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Indicator = { Indicator = {
? restriction: restriction .default "private" ? restriction: restriction .default "private"
? ext-restriction: text ? ext-restriction: text
IndicatorID: IndicatorID IndicatorID: IndicatorID
? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? StartTime: tdate ? StartTime: DATETIME
? EndTime: tdate ? EndTime: DATETIME
? Confidence: Confidence ? Confidence: Confidence
? Contact: [+ Contact] ? Contact: [+ Contact]
? Observable: Observable ? Observable: Observable
? uid-ref: IDREFType ? uid-ref: IDREFType
? IndicatorExpression: IndicatorExpression ? IndicatorExpression: IndicatorExpression
? IndicatorReference: IndicatorReference ? IndicatorReference: IndicatorReference
? NodeRole: [+ NodeRole] ? NodeRole: [+ NodeRole]
? AttackPhase: [+ AttackPhase] ? AttackPhase: [+ AttackPhase]
? Reference: [+ Reference] ? Reference: [+ Reference]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
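Review bot: `X509SerialNumber: integer` in X509IssuerSerialType will not survive the JSON binding intact. Certificate serial numbers can be up to 20 octets long, while Appendix A maps `integer` to a JSON number, which many parsers hold as a double and round above 2^53, so distinct serials can come out equal after parsing. Carrying the serial as `text` (decimal or hex) avoids this. Also, File keeps `? HashData: HashData` while EmailData has `? HashData: [+ HashData]`; if a file may carry several hash sets, the two members should have the same cardinality.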
skipping to change at page 34, line 50 skipping to change at page 42, line 37
} }
IndicatorReference = { IndicatorReference = {
? uid-ref: IDREFType ? uid-ref: IDREFType
? euid-ref: text ? euid-ref: text
? version: text ? version: text
} }
AttackPhase = { AttackPhase = {
? AttackPhaseID: [+ text] ? AttackPhaseID: [+ text]
? URL: [+ uri] ? URL: [+ URLtype]
? Description: [+ text / MLStringType] ? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType] ? AdditionalData: [+ ExtensionType]
} }
Figure 3: Data Model in CDDL Figure 7: Data Model in CDDL
6. Acknowledgements 6. Acknowledgements
We would like to thank Yasuaki Morita, Henk Birkholz and Carsten We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki
Bormann for their insightful comments on CDDL. Morita, and Takahiko Nagata for their insightful comments on CDDL.
7. IANA Considerations 7. IANA Considerations
This document registers a JSON schema. This document registers a JSON schema.
8. Security Considerations 8. Security Considerations
This memo does not provide any further security considerations than This memo does not provide any further security considerations than
the one described in [RFC7970]. the one described in [RFC7970].
9. Normative References 9. References
[jsonschema] 9.1. Normative References
"JSON Schema", 2006.
http://json-schema.org/ [cddlspec]
Henk Birkholz, Christoph Vigano, and Carsten Bormann,
"Concise data definition language (CDDL): a notational
convention to express CBOR and JSON data structuresy",
2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange [RFC7970] Danyliw, R., "The Incident Object Description Exchange
Format Version 2", RFC 7970, DOI 10.17487/RFC7970, Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
November 2016, <https://www.rfc-editor.org/info/rfc7970>. November 2016, <https://www.rfc-editor.org/info/rfc7970>.
Appendix A. The IODEF Data Model (JSON Schema) 9.2. Informative References
[jsonschema]
Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema:
core definitions and terminology", 2013.
Appendix A. Data Types used in this document
The CDDL prelude used in this document is mapped to JSON as shown in
the table below.
+-----------------+-------------------+----------------------------+
| CDDL Prelude | Use of JSON | Instance | Validation |
+-----------------+-------------------+----------------------------+
| bytes | n/a | string | tool available |
| text | string | string | unnecessary |
| tdate | n/a | string | 7.3.1 date-time |
| integer | n/a | number | integer |
| eb64legacy | n/a | string | tool available |
| uri | n/a | string | 7.3.6 uri |
| float32 | float32 | number | unnecessary |
+-----------------+-------------------+----------------------------+
Figure 8
Appendix B. The IODEF Data Model (JSON Schema)
This section provides a JSON schema that defines the IODEF Data Model This section provides a JSON schema that defines the IODEF Data Model
defined in this draft. defined in this draft.
{ "$schema": "http://json-schema.org/draft-04/schema#", { "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": { "definitions": {
"action": {"enum": ["nothing","contact-source-site", "action": {"enum": ["nothing","contact-source-site",
"contact-target-site","contact-sender","investigate", "contact-target-site","contact-sender","investigate",
"block-host","block-network","block-port","rate-limit-host", "block-host","block-network","block-port","rate-limit-host",
"rate-limit-network","rate-limit-port","redirect-traffic", "rate-limit-network","rate-limit-port","redirect-traffic",
"honeypot","upgrade-software","rebuild-asset","harden-asset", "honeypot","upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info", "remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","ext-value"]}, "watch-and-report","training","defined-coa","other",
"duration": {"enum": ["second","minute","hour","day","month","quarter", "ext-value"]},
"year","ext-value"]}, "duration":{"enum":["second","minute","hour","day","month",
"lang": {"enum": ["en","jp"]}, "quarter","year","ext-value"]},
"SpecID":{
"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
"lang": {
"type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
"purpose": {"enum": ["traceback","mitigation","reporting","watch", "purpose": {"enum": ["traceback","mitigation","reporting","watch",
"other","ext-value"]}, "other","ext-value"]},
"restriction": {"enum": ["public","partner","need-to-know","private", "restriction":{"enum":["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]}, "default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved", "status": {"enum": ["new","in-progress","forwarded","resolved",
"future","ext-value"]}, "future","ext-value"]},
"DATETIME": {"type": "string"}, "DATETIME": {"type": "string","format": "date-time"},
"PORTLIST": {"type": "string"}, "PortlistType": {
"URLtype": {"type": "string"}, "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"},
"IDtype": {"type": "string"}, "TimeZonetype": {
"type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
"URLtype": {
"type": "string",
"pattern":
"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
"IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
"IDREFType": {"$ref": "#/definitions/IDtype"},
"CryptoBinary": {"type": "string"},
"MLStringType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"translation-id": {"type": "string"}},
"required": ["value"],
"additionalProperties":false},
"PositiveFloatType": {"type": "number","minimum": 0},
"PAddressType": {"$ref": "#/definitions/MLStringType"},
"ExtensionType": { "ExtensionType": {
"type": "object", "type": "object",
"properties": { "properties": {
"name": {"type": "string"}, "value": {"type": "string"},
"dtype": {"enum": ["boolean","byte","bytes","character","date-time", "Name": {"type": "string"},
"ntpstamp","integer","portlist","real","string","file", "dtype":{"enum":["boolean","byte","bytes","character",
"path","frame","packet","ipv4-packet","ipv6-packet","url", "date-time","ntpstamp","integer","portlist","real","string",
"csv","winreg","xml","ext-value"]}, "file","path","frame","packet","ipv4-packet","ipv6-packet",
"url", "csv","winreg","xml","ext-value"],"default": "string"},
"ext-dtype": {"type": "string"}, "ext-dtype": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"formatid": {"type": "string"}, "formatid": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {
"$ref": "#/definitions/restriction","default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["value","dtype"],
"additionalProperties":false},
"ExtensionTypeList": { "ExtensionTypeList": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"SoftwareType": { "SoftwareType": {
"type": "object", "type": "object",
"properties": { "properties": {
"SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},
"URL": {"$ref": "#/definitions/URLtype"}, "URL": {
"Description": {"type": "array", "items": {"type":"string"}}}, "type": "array",
"items": {"$ref": "#/definitions/URLtype",
"minItems": 1}},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1 }},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SoftwareReference": { "SoftwareReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"spec-name": {"type": "string"}, "spec-name": {"enum": ["custom","cpe","swid","ext-value"]},
"ext-spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"},
"dtype": {"type": "string"}, "dtype": {"enum": ["bytes","integer","real","string","xml",
"ext-value"] , "default": "string"},
"ext-dtype": {"type": "string"}}, "ext-dtype": {"type": "string"}},
"required": ["spec-name"], "required": ["spec-name"],
"additionalProperties": false}, "additionalProperties": false},
"StructuredInfo": { "StructuredInformation": {
"type": "object", "type": "object",
"properties": { "properties": {
"specID": {"type": "string"}, "SpecID": {"$ref":"#/definitions/SpecID"},
"ext-specID": {"type": "string"}, "ext-SpecID": {"type": "string"},
"contentID": {"type": "string"}, "ContentID": {"type": "string"},
"RawData": {"type": "string"}, "RawData": {"$ref": "#/definitions/ExtensionTypeList"},
"URL": {"$ref": "#/definitions/URLtype"}}, "Reference": {
"required": ["specID"], "type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1
},
"Platform": {
"type": "array",
"items": {"$ref": "#/definitions/Platform"},
"minItems": 1
},
"Scoring": {
"type": "array",
"items": {"$ref": "#/definitions/Scoring"},
"minItems": 1}},
"required": ["SpecID"],
"additionalProperties": false},
"Platform": {
"type": "object",
"properties": {
"SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"},
"RawData": {"$ref": "#/definitions/ExtensionTypeList"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1}},
"required": ["SpecID"],
"additionalProperties": false},
"Scoring": {
"type": "object",
"properties": {
"SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"},
"RawData": {"$ref": "#/definitions/ExtensionTypeList"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1}},
"required": ["SpecID"],
"additionalProperties": false}, "additionalProperties": false},
"Incident": { "Incident": {
"title": "Incident", "title": "Incident",
"description": "JSON schema for Incident class", "description": "JSON schema for Incident class",
"type": "object", "type": "object",
"properties": { "properties": {
"purpose": {"$ref": "#/definitions/purpose"}, "purpose": {"$ref": "#/definitions/purpose"},
"ext-purpose": {"type": "string"}, "ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"}, "status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"}, "ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
"RelatedActivity": { "RelatedActivity": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/RelatedActivity"}}, "items": {"$ref": "#/definitions/RelatedActivity"},
"DetectTime": {"type": "string"}, "minItems": 1},
"StartTime": {"type": "string"}, "DetectTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"type": "string"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"type": "string"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"type": "string"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"GenerationTime": {"type": "string"}, "ReportTime": {"$ref": "#/definitions/DATETIME"},
"Description": {"type": "array","items": {"type": "string"}}, "GenerationTime": {"$ref": "#/definitions/DATETIME"},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Discovery": { "Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "type": "array",
"items": {"$ref": "#/definitions/Discovery"},
"minItems": 1},
"Assessment": { "Assessment": {
"type": "array","items": {"$ref": "#/definitions/Assessment"}}, "type": "array",
"Methods": { "items": {"$ref": "#/definitions/Assessment"},
"type": "array","items": {"$ref": "#/definitions/Method"}}, "minItems": 1},
"Contacts": { "Method": {
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array",
"items": {"$ref": "#/definitions/Method"},
"minItems": 1},
"Contact": {
"type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"EventData": { "EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}}, "type": "array",
"IndicatorList": { "items": {"$ref": "#/definitions/EventData"},
"type": "array","items": {"$ref": "#/definitions/Indicator"}}, "minItems": 1},
"Indicator": {
"type": "array",
"items": {"$ref": "#/definitions/Indicator"},
"minItems": 1},
"History": {"$ref": "#/definitions/History"}, "History": {"$ref": "#/definitions/History"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IncidentID","GenerationTime","Contacts","purpose"], "required": ["IncidentID","GenerationTime","Contact","purpose"],
"additionalProperties": false}, "additionalProperties": false},
"IncidentID": { "IncidentID": {
"title": "IncidentID", "title": "IncidentID",
"description": "JSON schema for IncidentID class", "description": "JSON schema for IncidentID class",
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"instance": {"type": "string"}, "instance": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}}, "ext-restriction": {"type": "string"}},
"required": ["name"], "required": ["id","name"],
"additionalProperties": false}, "additionalProperties": false},
"AlternativeID": { "AlternativeID": {
"title": "AlternativeID", "title": "AlternativeID",
"description": "JSON schema for AlternativeID class", "description": "JSON schema for AlternativeID class",
"type": "object", "type": "object",
"properties": { "properties": {
"IncidentID": { "IncidentID": {
"type": "array","items":{"$ref": "#/definitions/IncidentID"}}, "type": "array",
"restriction": {"$ref": "#/definitions/restriction"}, "items":{"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}}, "ext-restriction": {"type": "string"}},
"required": ["IncidentID"], "required": ["IncidentID"],
"additionalProperties": false}, "additionalProperties": false},
"RelatedActivity": { "RelatedActivity": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IncidentID": { "IncidentID": {
"type": "array","items": {"$ref": "#/definitions/IncidentID"}}, "type": "array",
"items": {"$ref": "#/definitions/IncidentID"},
"minItems": 1},
"URL": { "URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"ThreatActor": { "ThreatActor": {
"type": "array","items": {"$ref": "#/definitions/ThreatActor"}}, "type": "array",
"items": {"$ref": "#/definitions/ThreatActor"},
"minItems": 1},
"Campaign": { "Campaign": {
"type": "array","items": {"$ref": "#/definitions/Campaign"}}, "type": "array",
"items": {"$ref": "#/definitions/Campaign"},
"minItems": 1},
"IndicatorID": { "IndicatorID": {
"type": "array","items": {"$ref": "#/definitions/IndicatorID"}}, "type": "array",
"items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Description": { "type": "array","items": {"type": "string"}}, "Description": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
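Review bot: In RelatedActivity (new column), "Description" still limits its items to {"type": "string"}, while the Description arrays in ThreatActor, Campaign and Contact now take "oneOf" a string or "#/definitions/MLStringType". If the difference is not intended, use the same oneOf form here. The definition also has no "type": "object" in either column, so a non-object value passes its "properties" and "additionalProperties" checks untested.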
"ThreatActor": { "ThreatActor": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ThreatActorID": {"type": "array", "items": {"type": "string"}}, "ThreatActorID": {
"Description": {"type": "array", "items": {"type": "string"}}, "type": "array",
"URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}}, "items": {"type": "string"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"Campaign": { "Campaign": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"CampaignID": {"type": "array", "items": {"type": "string"}}, "CampaignID": {
"URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, "type": "array",
"Description": {"type": "array", "items": {"type": "string"}}, "items": {"type": "string"},
"minItems": 1},
"URL": {
"type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
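Review bot: Campaign closes directly after "AdditionalData" in both columns, with no "additionalProperties": false and no "type": "object", so unknown members are accepted here while the neighbouring ThreatActor and RelatedActivity definitions reject them. Since this revision already reworks the definition, suggest adding "additionalProperties": false (and "type": "object") in the same change.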
"Contact": { "Contact": {
"type": "object", "type": "object",
"properties": { "properties": {
"role": { "role": {
"enum": ["creator","reporter","admin","tech","provider","user", "enum":["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo", "billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified", "vendor","vendor-support","victim","victim-notified",
"ext-value"]}, "ext-value"]},
"ext-role": {"type": "string"}, "ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]}, "type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ContactName": {"type": "array", "items": {"type": "string"}}, "ContactName": {
"ContactTitle": {"type": "array", "items": {"type": "string"}}, "type": "array",
"Description": {"type": "array", "items": {"type": "string"}}, "items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"ContactTitle": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"RegistryHandle": { "RegistryHandle": {
"type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}}, "type":"array",
"items":{"$ref":"#/definitions/RegistryHandle"},
"minItems": 1},
"PostalAddress": { "PostalAddress": {
"type":"array", "items":{"$ref":"#/definitions/PostalAddress"}}, "type":"array",
"Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, "items":{"$ref":"#/definitions/PostalAddress"},
"minItems": 1},
"Email": {
"type": "array",
"items": {"$ref": "#/definitions/Email"},
"minItems": 1},
"Telephone": { "Telephone": {
"type": "array", "items": {"$ref": "#/definitions/Telephone"}}, "type": "array",
"Timezone": {"type": "string"}, "items": {"$ref": "#/definitions/Telephone"},
"minItems": 1},
"Timezone": {"$ref": "#/definitions/TimeZonetype"},
"Contact": { "Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}}, "type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role","type"], "required": ["role","type"],
"additionalProperties": false}, "additionalProperties": false},
"RegistryHandle": { "RegistryHandle": {
"type": "object", "type": "object",
"properties": { "properties": {
"handle": {"type": "string"}, "handle": {"type": "string"},
"registry": { "registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
"local","ext-value"]}, "local","ext-value"]},
"ext-registry": {"type": "string"}}, "ext-registry": {"type": "string"}},
"required": ["registry"], "required": ["handle","registry"],
"additionalProperties": false}, "additionalProperties": false},
"PostalAddress": { "PostalAddress": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"type": "string"}, "type": {"type": "string"},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"PAddress": {"type": "string"}, "PAddress": {"$ref": "#/definitions/PAddressType"},
"Description": {"type": "array", "items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["PAddress"], "required": ["PAddress"],
"additionalProperties": false}, "additionalProperties": false},
"Email": { "Email": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["direct","hotline","ext-value"]}, "enum":["direct","hotline","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"EmailTo": {"type": "string"}, "EmailTo": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["EmailTo"], "required": ["EmailTo"],
"additionalProperties": false}, "additionalProperties": false},
"Telephone": { "Telephone": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["wired","mobile","fax","hotline","ext-value"]}, "enum":["wired","mobile","fax","hotline","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"}, "TelephoneNumber": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["TelephoneNumber"], "required": ["TelephoneNumber"],
"additionalProperties": false}, "additionalProperties": false},
"Discovery": { "Discovery": {
"type": "object", "type": "object",
"properties": { "properties": {
"source": { "source": {
"enum":["nidps","hips","siem","av","third-party-monitoring", "enum":["nidps","hips","siem","av","third-party-monitoring",
"incident","os-log","application-log","device-log", "incident","os-log","application-log","device-log",
"network-flow","passive-dns","investigation","audit", "network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo", "internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]}, "partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"}, "ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Contact": { "Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}}, "type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"DetectionPattern": { "DetectionPattern": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"}}}, "items":{"$ref":"#/definitions/DetectionPattern"},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"DetectionPattern": { "DetectionPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {"type": "array", "items": {"type": "string"}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"DetectionConfiguration": { "DetectionConfiguration": {
"type": "array", "items": {"type": "string"}}}, "type": "array",
"items": {"type": "string"},
"minItems": 1}},
"required": ["Application"], "required": ["Application"],
"additionalProperties": false}, "additionalProperties": false},
"Method": { "Method": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"References": { "Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}}, "type": "array",
"Description": {"type": "array", "items": {"type": "string"}}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"AttackPattern": { "AttackPattern": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"},
"minItems": 1},
"Vulnerability": { "Vulnerability": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"},
"minItems": 1},
"Weakness": { "Weakness": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}}, "type":"array",
"items":{"$ref":"#/definitions/StructuredInformation"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Reference": { "Reference": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"type": "string"}, "ReferenceName": {"$ref":"#/definitions/ReferenceName"},
"URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}}, "URL":{
"Description": {"type": "array", "items": {"type": "string"}}}, "type":"array",
"items":{"$ref":"#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ReferenceName" : {
"type": "object",
"properties": {
"specIndex": {"type": "number"},
"ID": {"$ref":"#/definitions/IDtype"}},
"required": ["specIndex","ID"],
"additionalProperties": false},
"Assessment": { "Assessment": {
"type": "object", "type": "object",
"properties": { "properties": {
"occurrence": {"enum":["actual","potential"]}, "occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {"type": "array", "items": {"type": "string"}}, "IncidentCategory": {
"SystemImpact": { "type": "array",
"type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, "items": {"oneOf":[{"type": "string"},
"BusinessImpact": { {"$ref": "#/definitions/MLStringType"}]},
"type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}}, "minItems": 1},
"TimeImpact": { "Impact": {
"type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, "type": "array",
"MonetaryImpact": { "items": {
"type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}}, "properties": {
"IntendedImpact": { "SystemImpact":{"$ref":"#/definitions/SystemImpact"},
"type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},
"TimeImpact":{"$ref":"#/definitions/TimeImpact"},
"MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"},
"IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
"additionalProperties":false},
"minItems" : 1
},
"Counter": { "Counter": {
"type": "array", "items": {"$ref": "#/definitions/Counter"}}, "type": "array",
"items": {"$ref": "#/definitions/Counter"},
"minItems": 1},
"MitigatingFactor": { "MitigatingFactor": {
"type": "array", "items": {"$type": "string"}}, "type": "array",
"Cause": {"type": "array", "items": {"$type": "string"}}, "items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Cause": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": ["Impact"],
"additionalProperties": false}, "additionalProperties": false},
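Review bot: In Assessment (new column), the item schema of "Impact" has "properties" and "additionalProperties":false but no "type": "object" and no lower bound on the number of members, so with "required": ["Impact"] the requirement is already met by "Impact": [{}], and, because "properties" constrains only objects, by an array of strings or numbers. Suggest adding "type": "object" and "minProperties": 1 to the item schema, or a oneOf over the five impact kinds if each item is meant to carry exactly one.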
"SystemImpact": { "SystemImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": { "severity": {"enum":["low","medium","high"]},
"enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]}, "completion": {"enum":["failed","succeeded"]},
"type": { "type": {
"enum":["takeover-account","takeover-service","takeover-system", "enum":["takeover-account","takeover-service",
"cps-manipulation","cps-damage","availability-data", "takeover-system","cps-manipulation","cps-damage",
"availability-account","availability-service", "availability-data","availability-account",
"availability-system","damaged-system","damaged-data", "availability-service","availability-system",
"breach-proprietary","breach-privacy","breach-credential", "damaged-system","damaged-data","breach-proprietary",
"breach-configuration","integrity-data", "breach-privacy","breach-credential",
"integrity-configuration","integrity-hardware", "breach-configuration","integrity-data",
"traffic-redirection","monitoring-traffic", "integrity-configuration","integrity-hardware",
"monitoring-host","policy","unknown","ext-value"]}, "traffic-redirection","monitoring-traffic",
"monitoring-host","policy","unknown","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"BusinessImpact": { "BusinessImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": { "severity": {"enum":["none","low","medium","high","unknown",
"enum":["none","low","medium","high","unknown","ext-value"]}, "ext-value"],"default": "unknown"},
"ext-severity": {"type":"string"}, "ext-severity": {"type":"string"},
"type": { "type": {"enum":["breach-proprietary","breach-privacy",
"enum":["breach-proprietary","breach-privacy","breach-credential", "breach-credential","loss-of-integrity","loss-of-service",
"loss-of-integrity","loss-of-service","theft-financial", "theft-financial","theft-service","degraded-reputation",
"theft-service","degraded-reputation","asset-damage", "asset-damage","asset-manipulation","legal","extortion",
"asset-manipulation","legal","extortion","unknown", "unknown","ext-value"]},
"ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"TimeImpact": { "TimeImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low","medium","high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
"ext-metric": {"type": "string"}, "ext-metric": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"}, "duration": {"$ref":"#/definitions/duration","default": "hour"},
"ext-duration": {"type": "string"}}, "ext-duration": {"type": "string"}},
"required": ["metric"], "required": ["value","metric"],
"additionalProperties": false}, "additionalProperties": false},
"MonetaryImpact": { "MonetaryImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum":["low","medium","high"]}, "severity": {"enum":["low","medium","high"]},
"currency": {"type": "string"}}, "currency": {"type": "string"}},
"required": [],
"required": ["value"],
"additionalProperties": false}, "additionalProperties": false},
"Confidence": { "Confidence": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"type": "number"},
"rating": { "rating": {"enum": ["low","medium","high","numeric","unknown",
"enum": ["low","medium","high","numeric","unknown","ext-value"]}, "ext-value"]},
"ext-rating": {"type":"string"}}, "ext-rating": {"type":"string"}},
"required": ["rating"], "required": ["value","rating"],
"additionalProperties": false}, "additionalProperties": false},
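Review bot: In Confidence, "required" changes from ["rating"] to ["value","rating"], yet the "rating" enum still offers "low", "medium", "high" and "unknown" besides "numeric", so a producer has to send a number even when the rating is one of the non-numeric labels. If "value" is only meaningful for "numeric", keep "rating" as the sole required member and make "value" conditional on it; otherwise state what "value" should hold for the other ratings.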
"History": { "History": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"HistoryItem": { "HistoryItem": {
"type": "array","items": {"$ref": "#/definitions/HistoryItem"}}}, "type": "array",
"items": {"$ref": "#/definitions/HistoryItem"},
"minItems": 1}},
"required": ["HistoryItem"], "required": ["HistoryItem"],
"additionalProperties": false}, "additionalProperties": false},
"HistoryItem": { "HistoryItem": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref": "#/definitions/action"}, "action": {"$ref": "#/definitions/action","default": "other"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"}, "Contact": {"$ref": "#/definitions/Contact"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {
"DefinedCOA": {"type": "array","items": {"type": "string"}}, "type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"DefinedCOA": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime","action"], "required": ["DateTime","action"],
"additionalProperties": false}, "additionalProperties": false},
"EventData": { "EventData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array",
"DetectTime": {"type": "string"}, "items": { "type":"string",
"StartTime": {"type": "string"}, "$ref":"#/definitions/MLStringType"}},
"EndTime": {"type": "string"}, "DetectTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"type": "string"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"type": "string"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"},
"Contact": { "Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"Discovery": { "Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}}, "type": "array",
"items": {"$ref": "#/definitions/Discovery"},
"minItems": 1},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"Method": { "Method": {
"type": "array","items": {"$ref": "#/definitions/Method"}}, "type": "array",
"items": {"$ref": "#/definitions/Method"},
"minItems": 1},
"System": { "System": {
"type": "array","items": {"$ref": "#/definitions/System"}}, "type": "array",
"items": {"$ref": "#/definitions/System"},
"minItems": 1},
"Expectation": { "Expectation": {
"type": "array","items": {"$ref": "#/definitions/Expectation"}}, "type": "array",
"RecordData": {"type": "array", "items": {"$ref": "#/definitions/Expectation"},
"items": {"$ref": "#/definitions/RecordData"}}, "minItems": 1},
"RecordData": {
"type": "array",
"items": {"$ref": "#/definitions/RecordData"},
"minItems": 1},
"EventData": { "EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}}, "type": "array",
"items": {"$ref": "#/definitions/EventData"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["ReportTime"], "required": [],
"additionalProperties": false}, "additionalProperties": false},
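Review bot: In EventData (new column), "Description" sets its items to { "type":"string", "$ref":"#/definitions/MLStringType"} and carries no "minItems", whereas the other Description properties moved to MLStringType in this revision use "oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}] with "minItems": 1. A "type" placed beside "$ref" is either ignored or applied together with the referenced schema, depending on the validator, and neither reading expresses "string or MLStringType". Suggest using the same oneOf form here and adding "minItems": 1.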
"Expectation": { "Expectation": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref":"#/definitions/action"}, "action": {"$ref":"#/definitions/action","default": "other"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low","medium","high"]},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "default"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {
"DefinedCOA": {"type": "array","items": {"type": "string"}}, "type": "array",
"StartTime": {"type": "string"}, "items": {"oneOf":[{"type": "string"},
"EndTime": {"type": "string"}, {"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"DefinedCOA": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"Contact": {"$ref": "#/definitions/Contact"}}, "Contact": {"$ref": "#/definitions/Contact"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"System": { "System": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum": ["source","target","intermediate","sensor", "enum": ["source","target","intermediate","sensor",
"infrastructure","ext-value"]}, "infrastructure","ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"interface": {"type": "string"}, "interface": {"type": "string"},
"spoofed": {"enum": ["unknown","yes","no"]}, "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"},
"virtual": {"enum": ["yes","no","unknown"]}, "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"},
"ownership": { "ownership": {
"enum":["organization","personal","partner","customer", "enum":["organization","personal","partner","customer",
"no-relationship","unknown","ext-value"]}, "no-relationship","unknown","ext-value"]},
"ext-ownership": {"type": "string"}, "ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Node": {"$ref": "#/definitions/Node"}, "Node": {"$ref": "#/definitions/Node"},
"NodeRole": { "NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "type": "array",
"items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1},
"Service": { "Service": {
"type": "array","items": {"$ref": "#/definitions/Service"}}, "type": "array",
"items": {"$ref": "#/definitions/Service"},
"minItems": 1},
"OperatingSystem": { "OperatingSystem": {
"type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, "type": "array",
"items": {"$ref": "#/definitions/SoftwareType"},
"minItems": 1},
"Counter": { "Counter": {
"type": "array","items": {"$ref": "#/definitions/Counter"}}, "type": "array",
"AssetID": {"type": "array","items": {"type": "string"}}, "items": {"$ref": "#/definitions/Counter"},
"Description": {"type": "array","items": {"type": "string"}}, "minItems": 1},
"AssetID": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"], "required": ["Node"],
"additionalProperties": false}, "additionalProperties": false},
"Node": { "Node": {
"type": "object", "type": "object",
"properties": { "properties": {
"DomainData": { "DomainData": {
"type": "array","items": {"$ref": "#/definitions/DomainData"}}, "type": "array",
"items": {"$ref": "#/definitions/DomainData"},
"minItems": 1},
"Address": { "Address": {
"type": "array","items": {"$ref": "#/definitions/Address"}}, "type": "array",
"PostalAddress": {"type": "string"}, "items": {"$ref": "#/definitions/Address"},
"Location": {"type": "array","items": {"type": "string"}}, "minItems": 1},
"Counter": {"type":"array", "PostalAddress": {"$ref": "#/definitions/PostalAddress"},
"items":{"$ref":"#/definitions/Counter"}}}, "Location": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Counter": {
"type":"array",
"items":{"$ref":"#/definitions/Counter"},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Address": { "Address": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"category": { "category": {
"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
"ipv6-net-masked","mac","site-url","ext-value"]}, "ipv6-net-masked","mac","site-url","ext-value"],
"default": "ipv6-addr"},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"vlan-name": {"type": "string"}, "vlan-name": {"type": "string"},
"vlan-num": {"type": "integer"}, "vlan-num": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["category"], "required": ["value","category"],
"additionalProperties": false}, "additionalProperties": false},
"NodeRole": { "NodeRole": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum":["client","client-enterprise","clent-partner", "enum":["client","client-enterprise","clent-partner",
"client-remote","client-kiosk","client-mobile", "client-remote","client-kiosk","client-mobile",
"server-internal","server-public","www","mail","webmail", "server-internal","server-public","www","mail","webmail",
"messaging","streaming","voice","file","ftp","p2p","name", "messaging","streaming","voice","file","ftp","p2p","name",
"directory","credential","print","application","database", "directory","credential","print","application","database",
"backup","dhcp","assessment","source-control", "backup","dhcp","assessment","source-control",
"config-management","monitoring","infra","infra-firewall", "config-management","monitoring","infra","infra-firewall",
"infra-router","infra-switch","camera","proxy", "infra-router","infra-switch","camera","proxy",
"remote-access","log","virtualization","pos", "scada", "remote-access","log","virtualization","pos", "scada",
"scada-supervisory","sinkhole","honeypot","anomyzation", "scada-supervisory","sinkhole","honeypot","anomyzation",
"c2-server","malware-distribution","drop-server", "c2-server","malware-distribution","drop-server",
"hot-point","reflector","phishing-site", "hot-point","reflector","phishing-site",
"spear-phishing-site","recruiting-site", "spear-phishing-site","recruiting-site","fraudulent-site",
"fraudulent-site","ext-value"]}, "ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["category"], "required": ["category"],
"additionalProperties": false}, "additionalProperties": false},
"Counter": { "Counter": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "number"},
"type": {"enum": ["count","peak","average","ext-value"]}, "type": {"enum": ["count","peak","average","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"unit": {"enum": ["byte","mbit","packet","flow","session","alert", "unit":{"enum":["byte","mbit","packet","flow","session","alert",
"message","event","host","site","organization", "message","event","host","site","organization","ext-value"]},
"ext-value"]},
"ext-unit": {"type": "string"}, "ext-unit": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"}, "duration": {"$ref":"#/definitions/duration","default": "hour"},
"ext-duration": {"type": "string"}}, "ext-duration": {"type": "string"}},
"required": ["type","unit"], "required": ["value","type","unit"],
"additionalProperties": false}, "additionalProperties": false},
"DomainData": { "DomainData": {
"type": "object", "type": "object",
"properties": { "properties": {
"system-status": { "system-status": {
"enum": ["spoofed","fraudulent","innocent-hacked", "enum": ["spoofed","fraudulent","innocent-hacked",
"innocent-hijacked","unknown","ext-value"]}, "innocent-hijacked","unknown","ext-value"]},
"ext-system-status": {"type": "string"}, "ext-system-status": {"type": "string"},
"domain-status": { "domain-status": {
"enum": [ "enum": [ "reservedDelegation","assignedAndActive",
"reservedDelegation","assignedAndActive","assignedAndInactive", "assignedAndInactive","assignedAndOnHold","revoked",
"assignedAndOnHold","revoked","transferPending","registryLock", "transferPending","registryLock","registrarLock",
"registrarLock","other","unknown","ext-value"]}, "other","unknown","ext-value"]},
"ext-domain-status": {"type": "string"}, "ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"}, "Name": {"type": "string"},
"DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
"RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": { "RelatedDNS": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"NameServers": { "NameServers": {
"type": "array","items": {"$ref": "#/definitions/NameServers"}}, "type": "array",
"DomainContacts": { "items": {"$ref": "#/definitions/NameServers"},
"$ref": "#/definitions/DomainContacts"}}, "minItems": 1},
"DomainContacts": {"$ref": "#/definitions/DomainContacts"}},
"required": ["Name","system-status","domain-status"], "required": ["Name","system-status","domain-status"],
"additionalProperties": false}, "additionalProperties": false},
"NameServers": { "NameServers": {
"type": "object", "type": "object",
"properties": { "properties": {
"Server": {"type": "string"}, "Server": {"type": "string"},
"Address": {"type":"array", "Address": {
"items":{"$ref":"#/definitions/Address"}}}, "type":"array",
"items":{"$ref":"#/definitions/Address"},
"minItems": 1}},
"required": ["Server","Address"], "required": ["Server","Address"],
"additionalProperties": false}, "additionalProperties": false},
"DomainContacts": { "DomainContacts": {
"type": "object", "type": "object",
"properties": { "properties": {
"SameDomainContact": {"type": "string"}, "SameDomainContact": {"type": "string"},
"Contact": {"type":"array", "Contact": {
"items":{"$ref":"#/definitions/Contact"}}}, "type":"array",
"items":{"$ref":"#/definitions/Contact"},
"minItems": 1}},
"required": ["Contact"], "required": ["Contact"],
"additionalProperties": false}, "additionalProperties": false},
"Service": { "Service": {
"type": "object", "type": "object",
"properties": { "properties": {
"ip-protocol": {"type": "integer"}, "ip-protocol": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"}, "ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "integer"}, "Port": {"type": "number"},
"Portlist": {"$ref": "#/definitions/PORTLIST"}, "Portlist": {"$ref": "#/definitions/PortlistType"},
"ProtoCode": {"type": "integer"}, "ProtoCode": {"type": "number"},
"ProtoType": {"type": "integer"}, "ProtoType": {"type": "number"},
"ProtoField": {"type": "integer"}, "ProtoField": {"type": "number"},
"ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"}, "ApplicationHeaderField":{
"$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ServiceName": { "ServiceName": {
"type": "object", "type": "object",
"properties": { "properties": {
"IANAService": {"type": "string"}, "IANAService": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {"type": "array",
"Description": {"type": "array","items": {"type": "string"}}}, "items": {"$ref": "#/definitions/URLtype"}},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"EmailData": { "EmailData": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": {"type": "array","items": {"type": "string"}}, "EmailTo": {
"type": "array",
"items": {"type": "string"},
"minItems": 1},
"EmailFrom": {"type": "string"}, "EmailFrom": {"type": "string"},
"EmailSubject": {"type": "string"}, "EmailSubject": {"type": "string"},
"EmailX-Mailer": {"type": "string"}, "EmailX-Mailer": {"type": "string"},
"EmailHeaderField": { "EmailHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"EmailHeaders": {"type": "string"}, "EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"}, "EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"}, "EmailMessage": {"type": "string"},
"HashData": { "HashData": {
"type": "array","items": {"$ref": "#/definitions/HashData"}}, "type": "array",
"Signature": {"type": "array","items": {"type": "string"}}}, "items": {"$ref": "#/definitions/HashData"},
"minItems": 1},
"Signature": {
"type": "array",
"items": {"$ref": "#/definitions/SignatureType"},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SignatureType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"SignedInfo": {"$ref": "#/definitions/SignedInfoType"},
"SignatureValue": {"$ref": "#/definitions/SignatureValueType"},
"KeyInfo": {"$ref": "#/definitions/KeyInfoType"},
"Object": {
"type": "array",
"items": {"$ref": "#/definitions/ObjectType"},
"minItems": 1}},
"required": ["SignedInfo","SignatureValue"],
"additionalProperties": false
},
"SignatureValueType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"}
},
"required": ["value"],
"additionalProperties": false
},
"SignedInfoType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"CanonicalizationMethod":
{"$ref": "#/definitions/CanonicalizationMethodType"},
"SignatureMethod": {"$ref":"#/definitions/SignatureMethodType"},
"Reference": {
"type": "array",
"items": {"$ref": "#/definitions/ReferenceType"},
"minItems": 1}
},
"required": ["CanonicalizationMethod","SignatureMethod",
"Reference"],
"additionalProperties": false
},
"SignatureMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"},
"HMACOutputLength":{"$ref":"#/definitions/HMACOutputLengthType"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"HMACOutputLengthType": {"type": "number"},
"ReferenceType": {
"type": "object",
"properties": {
"id": {"$ref": "#/definitions/IDtype"},
"URI": {"$ref": "#/definitions/URLtype"},
"Type": {"$ref": "#/definitions/URLtype"},
"Transforms": {"$ref": "#/definitions/TransformsType"},
"DigestMethod": {"$ref": "#/definitions/DigestMethodType"},
"DigestValue": {"$ref": "#/definitions/DigestValueType"}
},
"required": ["DigestMethod","DigestValue"],
"additionalProperties": false
},
"TransformsType": {
"type": "object",
"properties": {
"Transform": {
"type": "array",
"items": {"$ref": "#/definitions/TransformType"},
"minItems": 1}
},
"required": ["Transform"],
"additionalProperties": false
},
"TransformType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"},
"XPath": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"DigestMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"DigestValueType": {"type": "string"},
"KeyInfoType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"},
"KeyProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"KeyName": {"type": "string"},
"KeyValue": {"$ref": "#/definitions/KeyValueType"},
"RetrievalMethod":
{"$ref": "#/definitions/RetrievalMethodType"},
"X509Data": {"$ref": "#/definitions/X509DataType"},
"PGPData": {"$ref": "#/definitions/PGPDataType"},
"SPKIData": {"$ref": "#/definitions/SPKIDataType"},
"MgmtData": {"type": "string"}},
"additionalProperties": false},
"minItems" : 1}},
"required": ["KeyProperties"],
"additionalProperties": false
},
"KeyValueType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"KeyValueProperties": {
"items": {
"type": "object",
"properties": {
"DSAKeyValue": {"$ref": "#/definitions/DSAKeyValueType"},
"RSAKeyValue": {"$ref": "#/definitions/RSAKeyValueType"}},
"additionalProperties": false}}
},
"required": ["KeyValueProperties"],
"additionalProperties": false
},
"DSAKeyValueType": {
"type": "object",
"properties": {
"P": {"$ref": "#/definitions/CryptoBinary"},
"Q": {"$ref": "#/definitions/CryptoBinary"},
"G": {"$ref": "#/definitions/CryptoBinary"},
"Y": {"$ref": "#/definitions/CryptoBinary"},
"J": {"$ref": "#/definitions/CryptoBinary"},
"Seed": {"$ref": "#/definitions/CryptoBinary"},
"PgenCounter": {"$ref": "#/definitions/CryptoBinary"}
},
"required": ["Y"],
"additionalProperties": false
},
"RSAKeyValueType":{
"type": "object",
"properties": {
"Modulus": {"$ref": "#/definitions/CryptoBinary"},
"Exponent": {"$ref": "#/definitions/CryptoBinary"}
},
"required": ["Modulus","Exponent"],
"additionalProperties": false
},
"RetrievalMethodType": {
"type": "object",
"properties": {
"URI": {"$ref": "#/definitions/URLtype"},
"Type": {"$ref": "#/definitions/URLtype"},
"Transforms": {"$ref": "#/definitions/TransformsType"}
},
"required": ["URI"],
"additionalProperties": false
},
"PGPDataType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"PGPDataProperties": {
"items": {
"type": "object",
"properties": {
"PGPKeyID": {"type": "string"},
"PGPKeyPacket": {"type": "string"}},
"additionalProperties": false}}},
"required": ["PGPDataProperties"],
"additionalProperties": false
},
"SPKIDataType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"SPKISexp": {
"type": "array",
"items": {"type": "string"},
"minItems": 1}
},
"required": ["SPKISexp"],
"additionalProperties": false
},
"ObjectType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"id": {"$ref": "#/definitions/IDtype"},
"MimeType": {"type": "string"},
"Encoding": {"$ref": "#/definitions/URLtype"}
},
"additionalProperties": false
},
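Review bot: `KeyValueProperties` in KeyValueType and `PGPDataProperties` in PGPDataType declare `items` without `"type": "array"`, unlike `KeyProperties` in KeyInfoType, which has both `"type": "array"` and `"minItems": 1`. In JSON Schema `items` only constrains values that are arrays, so a string, number or object placed in either of these required properties passes validation with its content unchecked. Add `"type": "array"` and `"minItems": 1` to both so that key material is actually held to the declared shape.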
"RecordData": { "RecordData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": {"type": "array","items": {"type": "string"}}, "Description": {
"Applicadtion": {"$ref": "#/definitions/SoftwareType"}, "type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": { "RecordPattern": {
"type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, "type": "array",
"items": {"$ref": "#/definitions/RecordPattern"},
"minItems": 1},
"RecordItem": { "RecordItem": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"URL": { "URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"FileData": { "FileData": {
"type": "array","items": {"$ref": "#/definitions/FileData"}}, "type": "array",
"items": {"$ref": "#/definitions/FileData"},
"minItems": 1},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"},
"minItems": 1},
"CertificateData": { "CertificateData": {
"type":"array","items":{"$ref":"#/definitions/CertificateData"}}, "type":"array",
"items":{"$ref":"#/definitions/CertificateData"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false "additionalProperties": false},
},
"RecordPattern": { "RecordPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"type": {"enum": ["regex","binary","xpath","ext-value"]}, "type": {"enum": ["regex","binary","xpath","ext-value"],
"default": "regex"},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"offset": {"type": "integer"}, "offset": {"type": "number"},
"offsetunit": {"enum":["line","byte","ext-value"]}, "offsetunit": {"enum":["line","byte","ext-value"] ,
"default": "line"},
"ext-offsetunit": {"type": "string"}, "ext-offsetunit": {"type": "string"},
"instance": {"type": "integer"}}, "instance": {"type": "number"}},
"required": ["type"], "required": ["value","type"],
"additionalProperties": false}, "additionalProperties": false},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"type": "object", "type": "object",
"properties": { "properties": {
"observabile-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, "Key": {
"type": "array",
"items": {"$ref": "#/definitions/Key"},
"minItems": 1}},
"required": ["Key"], "required": ["Key"],
"additionalProperties": false}, "additionalProperties": false},
"Key": { "Key": {
"type": "object", "type": "object",
"properties": { "properties": {
"registryaction": {"enum": ["add-key","add-value","delete-key", "registryaction": {"enum": ["add-key","add-value","delete-key",
"delete-value","modify-key","modify-value", "delete-value","modify-key","modify-value",
"ext-value"]}, "ext-value"]},
"ext-registryaction": {"type": "string"}, "ext-registryaction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"KeyName": {"type":"string"}, "KeyName": {"type":"string"},
"KeyValue": {"type": "string"}}, "KeyValue": {"type": "string"}},
"required": ["KeyName"], "required": ["KeyName"],
"additionalProperties": false}, "additionalProperties": false},
"CertificateData": { "CertificateData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Certificate": { "Certificate": {
"type": "array","items": {"$ref": "#/definitions/Certificate"}}}, "type": "array",
"items": {"$ref": "#/definitions/Certificate"},
"minItems": 1}},
"required": ["Certificate"], "required": ["Certificate"],
"additionalProperties": false}, "additionalProperties": false},
"Certificate": { "Certificate": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"X509Data": {type: "string"}, "X509Data": {"$ref": "#/definitions/X509DataType"},
"Description": {"type": "array","items": {"type": "string"}}}, "Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1}},
"required": ["X509Data"], "required": ["X509Data"],
"additionalProperties": false}, "additionalProperties": false},
"X509DataType": {
"type": "object",
"properties": {
"X509DataProperties": {
"type": "array",
"items": {
"type": "object",
"properties": {
"X509IssuerSerial":
{"$ref": "#/definitions/X509IssuerSerialType"},
"X509SKI": {"type": "string"},
"X509SubjectName": {"type": "string"},
"X509Certificate": {"type": "string"},
"X509CRL": {"type": "string"}},
"additionalProperties": false},
"minItems" : 1}},
"required": ["X509DataProperties"],
"additionalProperties": false
},
"X509IssuerSerialType": {
"type": "object",
"properties": {
"X509IssuerName": {"type": "string"},
"X509SerialNumber": {"type": "number"}
},
"required": ["X509IssuerName","X509SerialNumber"],
"additionalProperties": false
},
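Review bot: `"X509SerialNumber": {"type": "number"}` in X509IssuerSerialType will not round-trip real certificate serial numbers. RFC 5280 allows serials of up to 20 octets, and JSON parsers that map numbers to IEEE 754 doubles lose precision above 2^53, so issuer and serial matching on the receiving side can silently compare a different value from the one that was sent. Carrying the serial as a string (decimal or hex, with the encoding stated in the text) avoids this.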
"FileData": { "FileData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, "File": {
"type": "array",
"items": {"$ref": "#/definitions/File"},
"minItems": 1}},
"required": ["File"], "required": ["File"],
"additionalProperties": false}, "additionalProperties": false},
"File": { "File": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"FileName": {"type": "string"}, "FileName": {"type": "string"},
"FileSize": {"type": "integer"}, "FileSize": {"type": "number"},
"FileType": {"type": "string"}, "FileType": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"HashData": {"$ref": "#/definitions/HashData"}, "HashData": {"$ref": "#/definitions/HashData"},
"Signature": {"type": "array","items": {"type": "string"}}, "Signature": {
"type": "array",
"items": {"$ref": "#/definitions/SignatureType"},
"minItems": 1},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": { "FileProperties": {
"type":"array","items":{"$ref":"#/definitions/ExtensionType"}}}, "type":"array",
"items":{"$ref":"#/definitions/ExtensionType"},
"minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"HashData": { "HashData": {
"type": "object", "type": "object",
"properties": { "properties": {
"scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", "scope": {"enum": ["file-contents","file-pe-section",
"file-pe-resource","file-pdf-object","email-hash", "file-pe-iat","file-pe-resource","file-pdf-object",
"email-hash-header","email-hash-body"]}, "email-hash","email-hash-header","email-hash-body"]},
"HashTargetID": {"type": "string"}, "HashTargetID": {"type": "string"},
"Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, "Hash": {
"type": "array",
"items": {"$ref": "#/definitions/Hash"},
"minItems": 1},
"FuzzyHash": { "FuzzyHash": {
"type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, "type": "array",
"items": {"$ref": "#/definitions/FuzzyHash"},
"minItems": 1}},
"required": ["scope"], "required": ["scope"],
"additionalProperties": false}, "additionalProperties": false},
"Hash": { "Hash": {
"type": "object", "type": "object",
"properties": { "properties": {
"DigestMethod": {"type": "string"}, "DigestMethod": {"$ref": "#/definitions/DigestMethodType"},
"DigestValue": {"type": "string"}, "DigestValue": {"$ref": "#/definitions/DigestValueType"},
"CanonicalizationMethod": {}, "CanonicalizationMethod":
{"$ref": "#/definitions/CanonicalizationMethodType"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod","DigestValue"], "required": ["DigestMethod","DigestValue"],
"additionalProperties": false}, "additionalProperties": false},
"CanonicalizationMethodType": {
"type": "object",
"properties": {
"value": {"type": "string"},
"Algorithm": {"$ref": "#/definitions/URLtype"}
},
"required": ["Algorithm"],
"additionalProperties": false
},
"FuzzyHash": { "FuzzyHash": {
"type": "object", "type": "object",
"properties": { "properties": {
"FuzzyHashValue": { "FuzzyHashValue": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"], "required": ["FuzzyHashValue"],
"additionalProperties": false}, "additionalProperties": false},
"Indicator": { "Indicator": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "items": {"$ref": "#/definitions/AlternativeIndicatorID"},
"Description": {"type": "array","items": {"type": "string"}}, "minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": { "Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}}, "type": "array",
"items": {"$ref": "#/definitions/Contact"},
"minItems": 1},
"Observable": {"$ref": "#/definitions/Observable"}, "Observable": {"$ref": "#/definitions/Observable"},
"uid-ref": {"type": "string"}, "uid-ref": {"$ref": "#/definitions/IDREFType"},
"IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"}, "IndicatorExpression":{
"IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, "$ref":"#/definitions/IndicatorExpression"},
"IndicatorReference":{
"$ref": "#/definitions/IndicatorReference"},
"NodeRole": { "NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "type": "array",
"items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1},
"AttackPhase": { "AttackPhase": {
"type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "type": "array",
"items": {"$ref": "#/definitions/AttackPhase"},
"minItems": 1},
"Reference": { "Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}}, "type": "array",
"items": {"$ref": "#/definitions/Reference"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"], "required": ["IndicatorID"],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorID": { "IndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": ["name","version"],
"required": ["id","name","version"],
"additionalProperties": false}, "additionalProperties": false},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorReference": { "IndicatorReference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}}}, "items": {"$ref": "#/definitions/IndicatorReference"},
"minItems": 1}},
"required": ["IndicatorReference"], "required": ["IndicatorReference"],
"additionalProperties": false}, "additionalProperties": false},
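Review bot: the added `"default": "private"` sits in the same object as `"$ref": "#/definitions/restriction"`. In JSON Schema draft-04 through draft-07 a validator ignores keywords that are siblings of `$ref`, and `default` is an annotation that validators do not write into the instance in any case, so a receiver that parses a document with no `restriction` sees no value rather than `private`. Move the default into the `restriction` definition or wrap the reference in `allOf`, and say in the prose that a missing `restriction` must be handled as `private`. The same construct is repeated in Observable.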
"Observable": { "Observable": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction"}, "restriction": {"$ref": "#/definitions/restriction",
"default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"}, "System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"}, "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"}, "DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"}, "Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"}, "$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"}, "FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
"RecordData": {"type": "array", "RecordData": {"$ref": "#/definitions/RecordData"},
"item": {"$ref": "#/definitions/Record"}},
"EventData": {"$ref": "#/definitions/EventData"}, "EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"}, "Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"}, "Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"}, "Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservable": { "BulkObservable": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
"mac","site-url","domain-name","domain-to-ipv4", "mac","site-url","domain-name","domain-to-ipv4",
"domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6","domain-to-ipv4-timestamp",
"domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
"windows-reg-key","file-hash","email-x-mailer", "windows-reg-key","file-hash","email-x-mailer",
"email-subject","http-user-agent","http-request-url", "email-subject","http-user-agent","http-request-url",
"mutex","file-path","user-name","ext-value"]}, "mutex","file-path","user-name","ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"BulkObservableFormant":{ "BulkObservableFormat":{
"$ref": "#/definitions/BulkObservableFormat"}, "$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "array", "item":{"type": "string"}}, "BulkObservableList": {"type": "string"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": ["BulkObservableList"],
"additionalProperties": false}, "additionalProperties": false},
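Review bot: `BulkObservableList` goes from an array to a single `{"type": "string"}` and becomes required, but nothing in the BulkObservable definition says how the individual observables are separated inside that string, so two implementations can accept the same document and split it differently. Add a `description` to the property, or a pointer to the section that defines the delimiter. Separately, `type` allows `"ext-value"` while `ext-type` stays optional; if the two are meant to appear together, note that this schema does not enforce the pairing.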
"BulkObservableFormat": { "BulkObservableFormat": {
"type": "object", "type": "object",
"properties": { "properties": {
"Hash": {"$ref": "#/definitions/Hash"}, "Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorExpression": { "IndicatorExpression": {
"type": "object", "type": "object",
"properties": { "properties": {
"operator": {"enum": ["not","and","or","xor"]}, "operator": {"enum": ["not","and","or","xor"],"default": "and"},
"ext-operator": {"type": "string"}, "ext-operator": {"type": "string"},
"IndicatorExpression": { "IndicatorExpression": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}}, "items": {"$ref": "#/definitions/IndicatorExpression"},
"minItems": 1},
"Observable": { "Observable": {
"type": "array","items": {"$ref": "#/definitions/Observable"}}, "type": "array",
"uid-ref": {"type": "string"}, "items": {"$ref": "#/definitions/Observable"},
"minItems": 1},
"uid-ref": {
"type": "array",
"items": {"$ref": "#/definitions/IDREFType"},
"minItems": 1},
"IndicatorReference": { "IndicatorReference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}}, "items": {"$ref": "#/definitions/IndicatorReference"},
"minItems": 1},
"Confidence": {"$ref":"#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
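Review bot: inside IndicatorExpression, `uid-ref` changes from a single string to an array of IDREFType with `"minItems": 1`, while `uid-ref` in Indicator and in IndicatorReference stays a single IDREFType value. A -05 document that carries a bare string `uid-ref` in an expression fails validation against this schema, and the same property name now has two shapes depending on its parent. Confirm that the array form is intended and call out the cardinality change in the change log. The added `"default": "and"` on `operator` also needs a sentence telling receivers to assume `and` when the attribute is absent, since validators do not fill in defaults.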
"IndicatorReference": { "IndicatorReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"uid-ref": {"type": "string"}, "uid-ref": {"$ref":"#/definitions/IDREFType"},
"euid-ref": {"type": "string"}, "euid-ref": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"AttackPhase": { "AttackPhase": {
"type": "object", "type": "object",
"properties": { "properties": {
"AttackPhaseID": {"type": "array","items": {"type": "string"}}, "AttackPhaseID": {
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "type": "array",
"Description": {"type": "array","items": {"type": "string"}}, "items": {"type": "string"},
"minItems": 1},
"URL": {
"type": "array",
"items": {"$ref": "#/definitions/URLtype"},
"minItems": 1},
"Description": {
"type": "array",
"items": {"oneOf":[{"type": "string"},
{"$ref": "#/definitions/MLStringType"}]},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}}, "additionalProperties": false}},
"title": "IODEF-Document", "title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class", "description": "JSON schema for IODEF-Document class",
"type": "object", "type": "object",
"properties": { "properties": {
"version": {"type": "string"}, "version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"}, "format-id": {"type": "string"},
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}}, "type": "array",
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "items": {"$ref": "#/definitions/Incident"},
"minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"], "required": ["version","Incident"],
"additionalProperties": false} "additionalProperties": false}
Figure 4: JSON schema Figure 9: JSON schema
Authors' Addresses Authors' Addresses
Takeshi Takahashi Takeshi Takahashi
National Institute of Information and Communications Technology National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi 4-2-1 Nukui-Kitamachi
Koganei, Tokyo 184-8795 Koganei, Tokyo 184-8795
Japan Japan
Phone: +81 42 327 5862 Phone: +81 42 327 5862
Email: takeshi_takahashi@nict.go.jp Email: takeshi_takahashi@nict.go.jp
 End of changes. 249 change blocks. 
530 lines changed or deleted 1582 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/