MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: June 26, August 13, 2020                                            CERT
                                                               M. Suzuki
                                                                    NICT
                                                       December 24, 2019
                                                       February 10, 2020

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-12
                      draft-ietf-mile-jsoniodef-13

Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   JSON and its encoding in CBOR.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 26, August 13, 2020.

Copyright Notice

   Copyright (c) 2019 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  IODEF Data Types  . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Abstract Data Type to JSON Data Type Mapping  . . . . . .   3
     2.2.  Complex JSON Types  . . . . . . . . . . . . . . . . . . .   5
       2.2.1.  Integer . . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.2.  Multilingual Strings  . . . . . . . . . . . . . . . .   5
       2.2.3.  Enum  . . . . . . . . . . . . . . . . . . . . . . . .   6
       2.2.4.  Software and Software Reference . . . . . . . . . . .   6
       2.2.5.  Structured Information  . . . . . . . . . . . . . . .   6
       2.2.6.  EXTENSION . . . . . . . . . . . . . . . . . . . . . .   7
   3.  IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . .   7
     3.1.  Classes and Elements  . . . . . . . . . . . . . . . . . .   7   8
     3.2.  Mapping between JSON and XML IODEF  . . . . . . . . . . .  17  18
   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  19
     4.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . .  19
     4.2.  Indicators from a Campaign  . . . . . . . . . . . . . . .  21  22
   5.  Mapkeys . . . . . . . . . . . . . . . . . . . . . . . . . . .  26
   6.  The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . .  25
   6.  30
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  41
   7.  50
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  41
   8.  50
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  41
   9.  50
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  41
     9.1.  50
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  41
     9.2.  50
     10.2.  Informative References . . . . . . . . . . . . . . . . .  42  51
   Appendix A.  Data Types used in this document . . . . . . . . . .  42  51
   Appendix B.  The IODEF Data Model (JSON Schema) . . . . . . . . .  42  52
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  71  80

1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
   Section 8.  This UML-based information model and XML-based data model
   are referred to as IODEF UML and IODEF XML, respectively in this
   document.

   IODEF documents are structured and thus suitable for machine
   processing.  They will streamline incident response operations.
   Another well-used and structured format that is suitable for machine
   processing is JavaScript Object Notation (JSON) [RFC8259].  To
   facilitate the automation of incident response operations, IODEF
   documents and implementations should support JSON representation and
   it encoding in Concise Binary Object Representation (CBOR) [RFC7049].

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using Concise Data Definition Language (CDDL) [RFC8610]
   and JSON Schema [jsonschema]. [I-D.handrews-json-schema-validation].  This JSON
   data model is referred to as IODEF JSON in this document.  IODEF JSON
   provides all of the expressivity of IODEF XML.  It gives implementers
   and operators an alternative format to exchange the same information.

   The normative IODEF JSON data model is found in Section 5. 6.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  IODEF Data Types

   IODEF JSON implements the abstract data types specified in Section 2
   of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.

 +-----------------+-------------------+-------------------------------+
 | IODEF Data Type |      [RFC7970]    |       JSON Data Type          |
 |                 |      Reference    |                               |
 +-----------------+-------------------+-------------------------------+
 | INTEGER         | Section 2.1       | integer, see Section 2.2.1    |
 | REAL            | Section 2.2       | "number" per [RFC8259]        |
 | CHARACTER       | Section 2.3       | "string" per [RFC8259]        |
 | STRING          | Section 2.3       | "string" per [RFC8259]        |
 | ML_STRING       | Section 2.4       | see Section 2.2.2             |
 | BYTE            | Section 2.5.1     | "string" per [RFC8259]        |
 | BYTE[]          | Section 2.5.1     | "string" per [RFC8259]        |
 | HEXBIN          | Section 2.5.2     | "string" per [RFC8259]        |
 | HEXBIN[]        | Section 2.5.2     | "string" per [RFC8259]        |
 | ENUM            | Section 2.6       | see Section 2.2.3             |
 | DATETIME        | Section 2.7       | "string" per [RFC8259]        |
 | TIMEZONE        | Section 2.8       | "string" per [RFC8259]        |
 | PORTLIST        | Section 2.9       | "string" per [RFC8259]        |
 | POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
 | PHONE           | Section 2.11      | "string" per [RFC8259]        |
 | EMAIL           | Section 2.12      | "string" per [RFC8259]        |
 | URL             | Section 2.13      | "string" per [RFC8259]        |
 | ID              | Section 2.14      | "string" per [RFC8259]        |
 | IDREF           | Section 2.14      | "string" per [RFC8259]        |
 | SOFTWARE        | Section 2.15      | see Section 2.2.4             |
 | STRUCTUREDINFO  | [RFC 7203]        | see Section 2.2.5             |
 | EXTENSION       | Section 2.16      | see Section 2.2.6             |
 +-----------------+-------------------+-------------------------------+

                         Figure 1: JSON Data Types

+-----------------+------------------+---------------------------------+
| IODEF Data Type |  CBOR Data Type  |          CDDL prelude           |
|                 |                  |            [RFC8610]            |
+-----------------+------------------+---------------------------------+
| INTEGER         | 0, 1, 6 tag 2,   | integer                         |
|                 |  6 tag 3         |                                 |
| REAL            | 7 bits 26        | float32                         |
| CHARACTER       | 3                | text                            |
| STRING          | 3                | text                            |
| ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
| BYTE            | 6 tag 22         | eb64legacy                      |
| BYTE[]          | 6 tag 22         | eb64legacy                      |
| HEXBIN          | 2 6 tag 23         | bytes eb16                            |
| HEXBIN[]        | 2 6 tag 23         | bytes eb16                            |
| ENUM            | -                | Choices (Section 2.2.2)         |
| DATETIME        | 6 tag 0          | tdate                           |
| TIMEZONE        | 3                | text                            |
| PORTLIST        | 3                | text                            |
| POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
| PHONE           | 3                | text                            |
| EMAIL           | 3                | text                            |
| URL             | 6 tag 32         | uri                             |
| ID              | 3                | text                            |
| IDREF           | 3                | text                            |
| SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
| STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
| EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
+-----------------+------------------+---------------------------------+

                         Figure 2: CBOR Data Types

2.2.  Complex JSON Types

2.2.1.  Integer

   An integer is a subset of "number" type of JSON, which represents
   signed digits encoded in Base 10.  The definition of this integer is
   "[ minus ] int" in [RFC8259] Section 6 manner.

2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a text string as defined in Section 5. 6.
   An example is shown below.

   "MLStringType": {
     "value": "free-form text",                              # STRING
     "lang": "en",                                             # ENUM
     "translation-id": "jp2en0023"                           # STRING
   }

   Note that in figures throughout this document, some supplementary
   information follows "#", but these are not valid syntax in JSON, but
   are intended to facilitate reader understanding.

2.2.3.  Enum

   Enum is an ordered list of acceptable string values.  Each value has
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 5. 6.  Examples are shown below.

   "SoftwareType": {
     "SoftwareReference": {...},                  # SoftwareReference
     "Description": ["MS Windows"]                           # STRING
   }

   SoftwareReference class is a reference to a particular version of
   software.  Examples are shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",          # STRING
     "spec-name": "cpe",                                       # ENUM
     "dtype": "string"                                         # ENUM
   }

2.2.5.  Structured Information

   Information provided in a form of structured string, such as ID, or
   structured information, such as XML documents, is represented in the
   information model by the STRUCTUREDINFO data type.  Note that this
   type was originally specified in Section 4.4 of [RFC7203] as a basic
   structure of its extension classes.  The STRUCTUREDINFO data type is
   implemented as an object with "SpecID", "ext-SpecID", "ContentID",
   "RawData", and "Reference" elements.  An example for embedding a
   structured ID is shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",          # ENUM
     "ContentID": "CWE-89"                                   # STRING
   }

   When embedding the raw data, base64 encoding defined in Section 4 of
   [RFC4648] SHOULD it should be used for encoding the data, encoded as a BYTE type
   object, as shown below.

   "StructuredInfo": {
     "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",        # ENUM
     "RawData": "<<<strings "<<< encoded with base64>>>" structured data >>>"              # BYTE
   }

   Note that

   When embedding the structure of this information is not interpreted raw data, base64 encoding defined in the
   IODEF JSON, and the word 'structured' indicates that the data item
   has internal structure that is intended to be processed outside Section 4 of
   the
   [RFC4648] SHOULD be used for JSON IODEF framework. while binary representation
   SHOULD be used for CBOR IODEF.

2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example for embedding a structured ID
   is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                     # STRING
     "name": "Syslog",                                       # STRING
     "dtype": "string",                                        # ENUM
     "meaning": "Syslog from the security appliance X"       # STRING
   }

   Note that this data type is prepared in [RFC7970] as its generic
   extension mechanism.  If a data item has internal structure that is
   intended to be processed outside of the IODEF framework, one may
   consider using StructuredInfo data type mentioned in Section 2.2.5.

3.  IODEF JSON Data Model
3.1.  Classes and Elements

   The following table shows the list of IODEF Classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 5 6 using CDDL.

   +-----------------------------+--------------------+---------------+
   | IODEF Class                 | Class              | Corresponding |
   |                             | Elements and       | Section       |
   |                             | Attribute          | in [RFC7970]  |
   +-----------------------------+--------------------+---------------+
   | IODEF-Document              | version            | 3.1           |
   |                             | lang?              |               |
   |                             | format-id?         |               |
   |                             | private-enum-name? |               |
   |                             | private-enum-id?   |               |
   |                             | Incident+          |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | Incident                    | purpose            | 3.2           |
   |                             | ext-purpose?       |               |
   |                             | status?            |               |
   |                             | ext-status?        |               |
   |                             | lang?              |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | IncidentID         |               |
   |                             | AlternativeID?     |               |
   |                             | RelatedActivity*   |               |
   |                             | DetectTime?        |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | RecoveryTime?      |               |
   |                             | ReportTime?        |               |
   |                             | GenerationTime     |               |
   |                             | Description*       |               |
   |                             | Discovery*         |               |
   |                             | Assessment*        |               |
   |                             | Method*            |               |
   |                             | Contact+           |               |
   |                             | EventData*         |               |
   |                             | Indicator*         |               |
   |                             | History?           |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | IncidentID                  | id                 | 3.4           |
   |                             | name               |               |
   |                             | instance?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   +-----------------------------+--------------------+---------------+
   | AlternativeID               | restriction?       | 3.5           |
   |                             | ext-restriction?   |               |
   |                             | IncidentID+        |               |
   +-----------------------------+--------------------+---------------+
   | RelatedActivity             | restriction?       | 3.6           |
   |                             | ext-restriction?   |               |
   |                             | IncidentID*        |               |
   |                             | URL*               |               |
   |                             | ThreatActor*       |               |
   |                             | Campaign*          |               |
   |                             | IndicatorID*       |               |
   |                             | Confidence?        |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | ThreatActor                 | restriction?       | 3.7           |
   |                             | ext-restriction?   |               |
   |                             | ThreatActorID*     |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | Campaign                    | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | CampaignID*        |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    | 3.8           |
   +-----------------------------+--------------------+---------------+
   | Contact                     | role               |               |
   |                             | ext-role?          |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | ContactName*,      |               |
   |                             | ContactTitle*      |               |
   |                             | Description*       |               |
   |                             | RegistryHandle*    |               |
   |                             | PostalAddress*     |               |
   |                             | Email*             |               |
   |                             | Telephone*         |               |
   |                             | Timezone?          |               |
   |                             | Contact*           |               |
   |                             | AdditionalData*    | 3.9           |
   +-----------------------------+--------------------+---------------+
   | RegistryHandle              | handle             |               |
   |                             | registry           |               |
   |                             | ext-registry?      | 3.9.1         |
   +-----------------------------+--------------------+---------------+
   | PostalAddress               | type?              |               |
   |                             | ext-type?          |               |
   |                             | PAddress           |               |
   |                             | Description*       | 3.9.2         |
   +-----------------------------+--------------------+---------------+
   | Email                       | type?              |               |
   |                             | ext-type?          |               |
   |                             | EmailTo            |               |
   |                             | Description*       | 3.9.3         |
   +-----------------------------+--------------------+---------------+
   | Telephone                   | type?              |               |
   |                             | ext-type?          |               |
   |                             | TelephoneNumber    |               |
   |                             | Description*       | 3.9.4         |
   +-----------------------------+--------------------+---------------+
   | Discovery                   | source?            |               |
   |                             | ext-source?        |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Description*       |               |
   |                             | Contact*           |               |
   |                             | DetectionPattern*  | 3.10          |
   +-----------------------------+--------------------+---------------+
   | DetectionPattern            | restriction?       | 3.10.1        |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Application        |               |
   |                             | Description*       |               |
   |                             | DetectionConfiguration*  |         |
   +-----------------------------+--------------------+---------------+
   | Method                      | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Reference*         |               |
   |                             | Description*       |               |
   |                             | AttackPattern*     |               |
   |                             | Vulnerability*     |               |
   |                             | Weakness*          |               |
   |                             | AdditionalData*    | 3.11          |
   +-----------------------------+--------------------+---------------+
   | Weakness (TBD)              | restriction?       |               |
   |                             | ext-restriction?   |               |
   +-----------------------------+--------------------+---------------+
   | Reference                   | observable-id?     |               |
   |                             | ReferenceName?     |               |
   |                             | URL*               |               |
   |                             | Description*       | 3.11.1        |
   +-----------------------------+--------------------+---------------+
   | Assessment                  | occurence?         |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | IncidentCategory*  |               |
   |                             | SystemImpact*      |               |
   |                             | BusinessImpact*    |               |
   |                             | TimeImpact*        |               |
   |                             | MonetaryImpact*    |               |
   |                             | IntendedImpact*    |               |
   |                             | Counter*           |               |
   |                             | MitigatingFactor*  |               |
   |                             | Cause*             |               |
   |                             | Confidence?        |               |
   |                             | AdditionalData*    | 3.12          |
   +-----------------------------+--------------------+---------------+
   | SystemImpact                | severity?          |               |
   |                             | completion?        |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | Description*       | 3.12.1        |
   +-----------------------------+--------------------+---------------+
   | BusinessImpact              | severity?          |               |
   |                             | ext-severity?      |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | Description*       | 3.12.2        |
   +-----------------------------+--------------------+---------------+
   | TimeImpact                  | value              |               |
   |                             | severity?          |               |
   |                             | metric             |               |
   |                             | ext-metric?        |               |
   |                             | duration?          |               |
   |                             | ext-duration?      | 3.12.3        |
   +-----------------------------+--------------------+---------------+
   | MonetaryImpact              | value              |               |
   |                             | severity?          |               |
   |                             | currency?          | 3.12.4        |
   +-----------------------------+--------------------+---------------+
   | Confidence                  | value              |               |
   |                             | rating             |               |
   |                             | ext-rating?        | 3.12.5        |
   +-----------------------------+--------------------+---------------+
   | History                     | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | HistoryItem+       | 3.13          |
   +-----------------------------+--------------------+---------------+
   | HistoryItem                 | action             |               |
   |                             | ext-action?        |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | DateTime           |               |
   |                             | IncidentID?        |               |
   |                             | Contact?           |               |
   |                             | Description*       |               |
   |                             | DefinedCOA*        |               |
   |                             | AdditionalData*    | 3.13.1        |
   +-----------------------------+--------------------+---------------+
   | EventData                   | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Description*       |               |
   |                             | DetectTime?        |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | RecoveryTime?      |               |
   |                             | ReportTime?        |               |
   |                             | Contact*           |               |
   |                             | Discovery*         |               |
   |                             | Assessment?        |               |
   |                             | Method*            |               |
   |                             | System*            |               |
   |                             | Expectation*       |               |
   |                             | RecordData*        |               |
   |                             | EventData*         |               |
   |                             | AdditionalData*    | 3.14          |
   +-----------------------------+--------------------+---------------+
   | Expectation                 | action?            |               |
   |                             | ext-action?        |               |
   |                             | severity?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Description*       |               |
   |                             | DefinedCOA*        |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | Contact?           | 3.15          |
   +-----------------------------+--------------------+---------------+
   | System                      | category?          |               |
   |                             | ext-category?      |               |
   |                             | interface?         |               |
   |                             | spoofed?           |               |
   |                             | virtual?           |               |
   |                             | ownership?         |               |
   |                             | ext-ownership?     |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Node               |               |
   |                             | NodeRole*          |               |
   |                             | Service*           |               |
   |                             | OperatingSystem*   |               |
   |                             | Counter*           |               |
   |                             | AssetID*           |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    | 3.17          |
   +-----------------------------+--------------------+---------------+
   | Node                        | DomainData*        |               |
   |                             | Address*           |               |
   |                             | PostalAddress?     |               |
   |                             | Location*          |               |
   |                             | Counter*           | 3.18          |
   +-----------------------------+--------------------+---------------+
   | Address                     | value              |               |
   |                             | category           |               |
   |                             | ext-category?      |               |
   |                             | vlan-name?         |               |
   |                             | vlan-num?          |               |
   |                             | observable-id?     | 3.18.1        |
   +-----------------------------+--------------------+---------------+
   | NodeRole                    | category           |               |
   |                             | ext-category?      |               |
   |                             | Description*       | 3.18.2        |
   +-----------------------------+--------------------+---------------+
   | Counter                     | value              |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | unit               |               |
   |                             | ext-unit?          |               |
   |                             | meaning?           |               |
   |                             | duration?          |               |
   |                             | ext-duration?      | 3.18.3        |
   +-----------------------------+--------------------+---------------+
   | DomainData                  | system-status      |               |
   |                             | ext-system-status? |               |
   |                             | domain-status      |               |
   |                             | ext-domain-status? |               |
   |                             | observable-id?     |               |
   |                             | Name               |               |
   |                             | DateDomainWasChecked?|             |
   |                             | RegistrationDate?  |               |
   |                             | ExpirationDate?    |               |
   |                             | RelatedDNS*        |               |
   |                             | Nameservers*       |               |
   |                             | DomainContacts?    | 3.19          |
   +-----------------------------+--------------------+---------------+
   | Nameserver                  | Server             |               |
   |                             | Address*           | 3.19.1        |
   +-----------------------------+--------------------+---------------+
   | DomainContacts              | SameDomainContact? |               |
   |                             | Contact+           | 3.19.2        |
   +-----------------------------+--------------------+---------------+
   | Service                     | ip-protocol?       |               |
   |                             | observable-id?     |               |
   |                             | ServiceName?       |               |
   |                             | Port?              |               |
   |                             | Portlist?          |               |
   |                             | ProtoCode?         |               |
   |                             | ProtoType?         |               |
   |                             | ProtoField?        |               |
   |                             | ApplicationHeaderField*|           |
   |                             | EmailData?         |               |
   |                             | Application?       | 3.20          |
   +-----------------------------+--------------------+---------------+
   | ServiceName                 | IANAService?       |               |
   |                             | URL*               |               |
   |                             | Description*       | 3.20.1        |
   +-----------------------------+--------------------+---------------+
   | EmailData                   | observable-id?     |               |
   |                             | EmailTo*           |               |
   |                             | EmailFrom?         |               |
   |                             | EmailSubject?      |               |
   |                             | EmailX-Mailer?     |               |
   |                             | EmailHeaderField*  |               |
   |                             | EmailHeaders?      |               |
   |                             | EmailBody?         |               |
   |                             | EmailMessage?      |               |
   |                             | HashData*          |               |
   |                             | Signature*         | 3.21          |
   +-----------------------------+--------------------+---------------+
   | RecordData                  | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | DateTime?          |               |
   |                             | Description*       |               |
   |                             | Application?       |               |
   |                             | RecordPattern*     |               |
   |                             | RecordItem*        |               |
   |                             | URL*               |               |
   |                             | FileData*          |               |
   |                             | WindowsRegistryKeysModified*|      |
   |                             | CertificateData*   |               |
   |                             | AdditionalData*    | 3.22.1        |
   +-----------------------------+--------------------+---------------+
   | RecordPattern               | type               |               |
   |                             | ext-type?          |               |
   |                             | offset?            |               |
   |                             | offsetunit?        |               |
   |                             | ext-offsetunit?    |               |
   |                             | instance?          |               |
   |                             | value              | 3.22.2        |
   +-----------------------------+--------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?     | 3.23          |
   |                             | Key+               |               |
   +-----------------------------+--------------------+---------------+
   | Key                         | registryaction?    |               |
   |                             | ext-registryaction?|               |
   |                             | observable-id?     |               |
   |                             | KeyName            |               |
   |                             | KeyValue?          | 3.23.1        |
   +-----------------------------+--------------------+---------------+
   | CertificateData             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Certificate+       | 3.24          |
   +-----------------------------+--------------------+---------------+
   | Certificate                 | observable-id?     |               |
   |                             | X509Data           |               |
   |                             | Description*       | 3.24.1        |
   +-----------------------------+--------------------+---------------+
   | FileData                    | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | File+              | 3.25          |
   +-----------------------------+--------------------+---------------+
   | File                        | observable-id?     |               |
   |                             | FileName?          |               |
   |                             | FileSize?          |               |
   |                             | FileType?          |               |
   |                             | URL*               |               |
   |                             | HashData?          |               |
   |                             | Signature*         |               |
   |                             | AssociatedSoftware?|               |
   |                             | FileProperties*    | 3.25.1        |
   +-----------------------------+--------------------+---------------+
   | HashData                    | scope              |               |
   |                             | HashTargetID?      |               |
   |                             | Hash*              |               |
   |                             | FuzzyHash*         | 3.26          |
   +-----------------------------+--------------------+---------------+
   | Hash                        | DigestMethod       |               |
   |                             | DigestValue        |               |
   |                             | CanonicalizationMethod?|           |
   |                             | Application?       | 3.26.1        |
   +-----------------------------+--------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+    |               |
   |                             | Application?       |               |
   |                             | AdditionalData*    | 3.26.2        |
   +-----------------------------+--------------------+---------------+
   | Indicator                   | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | IndicatorID        |               |
   |                             | AlternativeIndicatorID*|           |
   |                             | Description*       |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | Confidence?        |               |
   |                             | Contact*           |               |
   |                             | Observable?        |               |
   |                             | uid-ref?           |               |
   |                             | IndicatorExpression?|              |
   |                             | IndicatorReference?|               |
   |                             | NodeRole*          |               |
   |                             | AttackPhase*       |               |
   |                             | Reference*         |               |
   |                             | AdditionalData*    | 3.29          |
   +-----------------------------+--------------------+---------------+
   | IndicatorID                 | id                 |               |
   |                             | name               |               |
   |                             | version            | 3.29.1        |
   +-----------------------------+--------------------+---------------+
   | AlternativeIndicatorID      | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | IndicatorID+       | 3.29.2        |
   +-----------------------------+--------------------+---------------+
   | Observable                  | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | System?            |               |
   |                             | Address?           |               |
   |                             | DomainData?        |               |
   |                             | Service?           |               |
   |                             | EmailData?         |               |
   |                             | WindowsRegistryKeysModified?|      |
   |                             | FileData?          |               |
   |                             | CertificateData?   |               |
   |                             | RegistryHandle?    |               |
   |                             | RecordData?        |               |
   |                             | EventData?         |               |
   |                             | Incident?          |               |
   |                             | Expectation?       |               |
   |                             | Reference?         |               |
   |                             | Assessment?        |               |
   |                             | DetectionPattern?  |               |
   |                             | HistoryItem?       |               |
   |                             | BulkObservable?    |               |
   |                             | AdditionalData*    | 3.29.3        |
   +-----------------------------+--------------------+---------------+
   | BulkObservable              | type?              |               |
   |                             | ext-type?          |               |
   |                             | BulkObservableFormat?|             |
   |                             | BulkObservableList |               |
   |                             | AdditionalData*    | 3.29.4        |
   +-----------------------------+--------------------+---------------+
   | BulkObservableFormat        | Hash?              |               |
   |                             | AdditionalData*    | 3.29.5        |
   +-----------------------------+--------------------+---------------+
   | IndicatorExpression         | operator?          |               |
   |                             | ext-operator?      |               |
   |                             | IndicatorExpression*|              |
   |                             | Observable*        |               |
   |                             | uid-ref*           |               |
   |                             | IndicatorReference*|               |
   |                             | Confidence?        |               |
   |                             | AdditionalData*    | 3.29.6        |
   +-----------------------------+--------------------+---------------+
   | IndicatorReference          | uid-ref?           |               |
   |                             | euid-ref?          |               |
   |                             | version?           | 3.29.7        |
   +-----------------------------+--------------------+---------------+
   | AttackPhase                 | AttackPhaseID*     |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    | 3.29.8        |
   +-----------------------------+--------------------+---------------+

                          Figure 3: IODEF Classes

3.2.  Mapping between JSON and XML IODEF

   o  Attributes and elements of each class in XML IODEF document are
      both presented as JSON attributes in JSON IODEF document, and the
      order of their appearances is ignored.

   o  Flow class is deleted, and classes with its instances now directly
      have instances of EventData class that used to belong to the Flow
      class.

   o  ApplicationHeader class is deleted, and classes with its instances
      now directly have instances of ApplicationHeaderField class that
      used to belong to the ApplicationHeader class.

   o  SignatureData class is deleted, and classes with its instances now
      directly have instance of Signature class that used to belong to
      the SignatureData class.

   o  IndicatorData class is deleted, and classes with its instances now
      directly have the instances of Indicator class that used to belong
      to the IndicatorData class.

   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The MLStringType were modified to support simple string by
      allowing the type to have not only a predefined object type but
      also text type, in order to allow simple descriptions of elements
      of the type.  Implementations need to be capable of parsing
      MLStringType that could take form of both text and object.

   o  The elements of ML_STRING type in XML IODEF document are presented
      as either STRING type or ML_STRING type in JSON IODEF document.
      When converting from XML IODEF document to JSON one or vice versa,
      the information contained in the original data of ML_STRING type
      must be preserved.  When STRING is used instead of ML_STRING,
      parsers can assume that its xml:lang is set to "en".  Otherwise it
      is expected that both receiver and sender have some external
      methods to agree upon the language used in this field.

   o  Data models of the extension classes defined by [RFC7203] and
      referenced by [RFC7970] are represented by StructuredInfo class
      defined in this document.

   o  Signature, X509Data, and RawData are encoded with using base64 and are
      represented as string (BYTE type) in encoding
      for JSON IODEF documents.

   o  EmailBody represents an whole message body including and binary representation for CBOR IODEF to
      represent them as BYTE object.

   o  EmailBody represents an whole message body including MIME
      structure in the same manner defined in [RFC7970].  In case of an
      email composed of MIME multipart, the EmailBody contains multiple
      body parts separated by boundary strings.

   o  The "ipv6-net-mask" type attribute of BulkObservable class remains
      available for the backward compatibility purpose, but the use of
      this attribute is not recommended because IPV6 does not use
      netmask any more.

   o  ENUM values in this document is extensible and is managed by IANA,
      as with [RFC7970].  The values in the table are used both by
      [RFC7970] implementations and by their JSON (and CBOR) bindings as
      specified by this document.

   o  This document uses JSON's "number" type to represent integers that
      only has full precision for integer values between -2**53 and
      2**53.  When dealing with integers outside the range, this issue
      needs to be considered.

   o  Binaries are encoded in bytes.  Note that XML IODEF in [RFC7970]
      uses HEXBIN due to the incapability of XML for embedding binaries
      as they are.

4.  Examples

   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only way
   to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes is
   shown below in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": "492382",
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [{
             "type": "organization",
             "role": "creator",
             "Email": [{"EmailTo": "contact@csirt.example.com"}]
         }]
     }]
   }

                    Figure 4: A Minimal Example in JSON

A3                                      # map(3)
     67
   01                                   # text(7)
       76657273696F6E                      # "version" unsigned(1)
   63                                   # text(3)
      322E30                            # "2.0"
     64                                    # text(4)
       6C616E67
   02                                   # "lang" unsigned(2)
   62                                   # text(2)
      656E                              # "en"
     68                                    # text(8)
       496E636964656E74
   06                                   # "Incident" unsigned(6)
   81                                   # array(1)
      A5                                # map(5)
         67                                # text(7)
           707572706F7365
         17                             # "purpose" unsigned(23)
         69                             # text(9)
            7265706F7274696E67          # "reporting"
         6B                                # text(11)
           7265737472696374696F6E
         0F                             # "restriction" unsigned(15)
         67                             # text(7)
            70726976617465              # "private"
         6A                                # text(10)
           496E636964656E744944
         18 1B                          # "IncidentID" unsigned(27)
         A2                             # map(2)
           62                              # text(2)
             6964
            18 2B                       # "id" unsigned(43)
            66                          # text(6)
               343932333832             # "492382"
           64
            0A                          # text(4)
             6E616D65                      # "name" unsigned(10)
            71                          # text(17)
               63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
         6E                                # text(14)
           47656E65726174696F6E54696D65    # "GenerationTime"
         C0
         18 23                          # tag(0) unsigned(35)
         78 19                          # text(25)
            323031352D30372D31385430393A30303A30302D30353A3030
                                        # "2015-07-18T09:00:00-05:00"
         67                                # text(7)
           436F6E74616374
         18 27                          # "Contact" unsigned(39)
         81                             # array(1)
            A3                          # map(3)
             64
               18 35                    # text(4)
               74797065                    # "type" unsigned(53)
               6C                       # text(12)
                  6F7267616E697A6174696F6E # "organization"
             64
               18 33                    # text(4)
               726F6C65                    # "role" unsigned(51)
               67                       # text(7)
                  63726561746F72        # "creator"
             65                            # text(5)
               456D61696C
               18 3B                    # "Email" unsigned(59)
               81                       # array(1)
                  A1                    # map(1)
                 67                        # text(7)
                   456D61696C546F
                     18 42              # "EmailTo" unsigned(66)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"

                    Figure 5: A Minimal Example in CBOR

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

{
  "version": "2.0",
  "lang": "en",
  "Incident": [{
    "purpose": "watch",
    "restriction": "green",
    "IncidentID": {
      "id": "897923",
      "name": "csirt.example.com"
    },
    "RelatedActivity": [{
      "ThreatActor": [{
        "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
        "Description": ["Aggressive Butterfly"]}],
      "Campaign": [{
        "CampaignID": ["C-2015-59405"],
        "Description": ["Orange Giraffe"]
      }]
    }],
    "GenerationTime": "2015-10-02T11:18:00-05:00",
    "Description": ["Summarizes the Indicators of Compromise for the
      Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
    "Assessment": [{
      "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
    }],
    "Contact": [{
      "type": "organization",
      "role": "creator",
      "ContactName": ["CSIRT for example.com"],
      "Email": [{
        "EmailTo": "contact@csirt.example.com"
      }]
    }],
    "Indicator": [{
      "IndicatorID": {
        "id": "G90823490",
        "name": "csirt.example.com",
        "version": "1"
      },
      "Description": ["C2 domains"],
      "StartTime": "2014-12-02T11:18:00-05:00",
      "Observable": {
        "BulkObservable": {
          "type": "domain-name",
          "BulkObservableList": "kj290023j09r34.example.com"}
      }
    }]
  }]
}

               Figure 6: Indicators from a Campaign in JSON

A3                                      # map(3)
  67                                    # text(7)
    76657273696F6E
   01                                   # "version" unsigned(1)
   63                                   # text(3)
      322E30                            # "2.0"
  64
   02                                   # text(4)
    6C616E67                            # "lang" unsigned(2)
   62                                   # text(2)
      656E                              # "en"
  68
   06                                   # text(8)
    496E636964656E74                    # "Incident" unsigned(6)
   81                                   # array(1)
      A9                                # map(9)
      67                                # text(7)
        707572706F7365
         17                             # "purpose" unsigned(23)
         65                             # text(5)
            7761746368                  # "watch"
      6B
         0F                             # text(11)
        7265737472696374696F6E          # "restriction" unsigned(15)
         65                             # text(5)
            677265656E                  # "green"
      6A                                # text(10)
        496E636964656E744944
         18 1B                          # "IncidentID" unsigned(27)
         A2                             # map(2)
        62                              # text(2)
          6964
            18 2B                       # "id" unsigned(43)
            66                          # text(6)
               383937393233             # "897923"
        64                              # text(4)
          6E616D65
            0A                          # "name" unsigned(10)
            71                          # text(17)
               63736972742E6578616D706C652E636F6D # "csirt.example.com"
      6F                                # text(15)
        52656C617465644163746976697479
         18 1D                          # "RelatedActivity" unsigned(29)
         81                             # array(1)
            A2                          # map(2)
          6B                            # text(11)
            5468726561744163746F72
               18 2D                    # "ThreatActor" unsigned(45)
               81                       # array(1)
                  A2                    # map(2)
              6D                        # text(13)
                5468726561744163746F724944
                     18 31              # "ThreatActorID" unsigned(49)
                     81                 # array(1)
                        78 1A           # text(26)
                  54412D31322D414747524553534956452D425554544552464
                  C59
                           54412D31322D414747524553534956452D425554544552464C59
                                        # "TA-12-AGGRESSIVE-BUTTERFLY"
              6B                        # text(11)
                4465736372697074696F6E
                     14                 # "Description" unsigned(20)
                     81                 # array(1)
                        74              # text(20)
                           4167677265737369766520427574746572666C79
                                        # "Aggressive Butterfly"
          68                            # text(8)
            43616D706169676E
               18 2E                    # "Campaign" unsigned(46)
               81                       # array(1)
                  A2                    # map(2)
              6A                        # text(10)
                43616D706169676E4944
                     18 32              # "CampaignID" unsigned(50)
                     81                 # array(1)
                        6C              # text(12)
                           432D323031352D3539343035
                                        # "C-2015-59405"
              6B                        # text(11)
                4465736372697074696F6E
                     14                 # "Description" unsigned(20)
                     81                 # array(1)
                        6E              # text(14)
                           4F72616E67652047697261666665
                                        # "Orange Giraffe"
      6E                                # text(14)
        47656E65726174696F6E54696D65
         18 23                          # "GenerationTime"
      C0                                # tag(0) unsigned(35)
         78 19                          # text(25)
            323031352D31302D30325431313A31383A30302D30353A3030
                                        # "2015-10-02T11:18:00-05:00"
      6B                                # text(11)
        4465736372697074696F6E
         14                             # "Description" unsigned(20)
         81                             # array(1)
            78 6F 70                       # text(111)
          53756D6D6172697A65732074686520496E64696361746F7273206F6620436
          F6D70726F6D69736520666F7220746865204F72616E676520476972616666
          652063616D706169676E206F6620746865204167677265737369766520427
          574746572666C79206372696D652067616E672E text(112)
               53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F72207468650D0A4F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
                                        # "Summarizes the Indicators of Compromise for the Orange the\r\nOrange Giraffe campaign of the Aggressive Butterfly crime gang."
      6A                                # text(10)
        4173736573736D656E74
         18 25                          # "Assessment" unsigned(37)
         81                             # array(1)
            A1                          # map(1)
          66                            # text(6)
            496D70616374
               18 58                    # "Impact" unsigned(88)
               81                       # array(1)
                  A1                    # map(1)
              6E
                     18 5A              # text(14)
                427573696E657373496D70616374 # "BusinessImpact" unsigned(90)
                     A1                 # map(1)
                64                      # text(4)
                  74797065
                        18 35           # "type" unsigned(53)
                        72              # text(18)
                           6272656163682D70726F7072696574617279
                                        # "breach-proprietary"
      67                                # text(7)
        436F6E74616374
         18 27                          # "Contact" unsigned(39)
         81                             # array(1)
            A4                          # map(4)
          64
               18 35                    # text(4)
            74797065                    # "type" unsigned(53)
               6C                       # text(12)
                  6F7267616E697A6174696F6E # "organization"
          64
               18 33                    # text(4)
            726F6C65                    # "role" unsigned(51)
               67                       # text(7)
                  63726561746F72        # "creator"
          6B
               18 37                    # text(11)
            436F6E746163744E616D65      # "ContactName" unsigned(55)
               81                       # array(1)
                  75                    # text(21)
                     435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
          65                            # text(5)
            456D61696C
               18 3B                    # "Email" unsigned(59)
               81                       # array(1)
                  A1                    # map(1)
              67                        # text(7)
                456D61696C546F
                     18 42              # "EmailTo" unsigned(66)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"
      69                                # text(9)
        496E64696361746F72
         18 29                          # "Indicator" unsigned(41)
         81                             # array(1)
            A4                          # map(4)
          6B                            # text(11)
            496E64696361746F724944
               18 2F                    # "IndicatorID" unsigned(47)
               A3                       # map(3)
            62
                  18 2B                 # text(2)
              6964                      # "id" unsigned(43)
                  69                    # text(9)
                     473930383233343930 # "G90823490"
            64                          # text(4)
              6E616D65
                  0A                    # "name" unsigned(10)
                  71                    # text(17)
                     63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
            67                          # text(7)
              76657273696F6E
                  01                    # "version" unsigned(1)
                  61                    # text(1)
                     31                 # "1"
          6B                            # text(11)
            4465736372697074696F6E
               14                       # "Description" unsigned(20)
               81                       # array(1)
                  6A                    # text(10)
                     433220646F6D61696E73 # "C2 domains"
          69                            # text(9)
            537461727454696D65
               18 1F                    # "StartTime"
          C0                            # tag(0) unsigned(31)
               78 19                    # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030
                                        # "2014-12-02T11:18:00-05:00"
          6A                            # text(10)
            4F627365727661626C65
               18 C4                    # "Observable" unsigned(196)
               A1                       # map(1)
            6E                          # text(14)
              42756C6B4F627365727661626C65
                  18 C9                 # "BulkObservable" unsigned(201)
                  A2                    # map(2)
              64
                     18 35              # text(4)
                74797065                # "type" unsigned(53)
                     6B                 # text(11)
                        646F6D61696E2D6E616D65 # "domain-name"
              72                        # text(18)
                42756C6B4F627365727661626C654C697374
                     18 CB              # "BulkObservableList" unsigned(203)
                     78 1A              # text(26)
                        6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                        # "kj290023j09r34.example.com"

               Figure 7: Indicators from a Campaign in CBOR

5.  Mapkeys

   The IODEF Data Model (CDDL)

start = iodef

;;; iodef.json: IODEF-Document

iodef = mapkeys are provided in Table Figure 8 for minimizing the CBOR
   size.

   +---------------------------------+-------+
   |mapkey                           |cborkey|
   +---------------------------------+-------+
   |iodef-version                    |1      |
   |iodef-lang                       |2      |
   |iodef-format-id                  |3      |
   |iodef-private-enum-name          |4      |
   |iodef-private-enum-id            |5      |
   |iodef-Incident                   |6      |
   |iodef-AdditionalData             |7      |
   |iodef-value                      |8      |
   |iodef-translation-id             |9      |
   |iodef-name                       |10     |
   |iodef-dtype                      |11     |
   |iodef-ext-dtype                  |12     |
   |iodef-meaning                    |13     |
   |iodef-formatid                   |14     |
   |iodef-restriction                |15     |
   |iodef-ext-restriction            |16     |
   |iodef-observable-id              |17     |
   |iodef-SoftwareReference          |18     |
   |iodef-URL                        |19     |
   |iodef-Description                |20     |
   |iodef-spec-name                  |21     |
   |iodef-ext-spec-name              |22     |
   |iodef-purpose                    |23     |
   |iodef-ext-purpose                |24     |
   |iodef-status                     |25     |
   |iodef-ext-status                 |26     |
   |iodef-IncidentID                 |27     |
   |iodef-AlternativeID              |28     |
   |iodef-RelatedActivity            |29     |
   |iodef-DetectTime                 |30     |
   |iodef-StartTime                  |31     |
   |iodef-EndTime                    |32     |
   |iodef-RecoveryTime               |33     |
   |iodef-ReportTime                 |34     |
   |iodef-GenerationTime             |35     |
   |iodef-Discovery                  |36     |
   |iodef-Assessment                 |37     |
   |iodef-Method                     |38     |
   |iodef-Contact                    |39     |
   |iodef-EventData                  |40     |
   |iodef-Indicator                  |41     |
   |iodef-History                    |42     |
   |iodef-id                         |43     |
   |iodef-instance                   |44     |
   |iodef-ThreatActor                |45     |
   |iodef-Campaign                   |46     |
   |iodef-IndicatorID                |47     |
   |iodef-Confidence                 |48     |
   |iodef-ThreatActorID              |49     |
   |iodef-CampaignID                 |50     |
   |iodef-role                       |51     |
   |iodef-ext-role                   |52     |
   |iodef-type                       |53     |
   |iodef-ext-type                   |54     |
   |iodef-ContactName                |55     |
   |iodef-ContactTitle               |56     |
   |iodef-RegistryHandle             |57     |
   |iodef-PostalAddress              |58     |
   |iodef-Email                      |59     |
   |iodef-Telephone                  |60     |
   |iodef-Timezone                   |61     |
   |iodef-handle                     |62     |
   |iodef-registry                   |63     |
   |iodef-ext-registry               |64     |
   |iodef-PAddress                   |65     |
   |iodef-EmailTo                    |66     |
   |iodef-TelephoneNumber            |67     |
   |iodef-source                     |68     |
   |iodef-ext-source                 |69     |
   |iodef-DetectionPattern           |70     |
   |iodef-DetectionConfiguration     |71     |
   |iodef-Application                |72     |
   |iodef-Reference                  |73     |
   |iodef-AttackPattern              |74     |
   |iodef-Vulnerability              |75     |
   |iodef-Weakness                   |76     |
   |iodef-SpecID                     |77     |
   |iodef-ext-SpecID                 |78     |
   |iodef-ContentID                  |79     |
   |iodef-RawData                    |80     |
   |iodef-Platform                   |81     |
   |iodef-Scoring                    |82     |
   |iodef-ReferenceName              |83     |
   |iodef-specIndex                  |84     |
   |iodef-ID                         |85     |
   |iodef-occurrence                 |86     |
   |iodef-IncidentCategory           |87     |
   |iodef-Impact                     |88     |
   |iodef-SystemImpact               |89     |
   |iodef-BusinessImpact             |90     |
   |iodef-TimeImpact                 |91     |
   |iodef-MonetaryImpact             |92     |
   |iodef-IntendedImpact             |93     |
   |iodef-Counter                    |94     |
   |iodef-MitigatingFactor           |95     |
   |iodef-Cause                      |96     |
   |iodef-severity                   |97     |
   |iodef-completion                 |98     |
   |iodef-ext-severity               |99     |
   |iodef-metric                     |100    |
   |iodef-ext-metric                 |101    |
   |iodef-duration                   |102    |
   |iodef-ext-duration               |103    |
   |iodef-currency                   |104    |
   |iodef-rating                     |105    |
   |iodef-ext-rating                 |106    |
   |iodef-HistoryItem                |107    |
   |iodef-action                     |108    |
   |iodef-ext-action                 |109    |
   |iodef-DateTime                   |110    |
   |iodef-DefinedCOA                 |111    |
   |iodef-System                     |112    |
   |iodef-Expectation                |113    |
   |iodef-RecordData                 |114    |
   |iodef-category                   |115    |
   |iodef-ext-category               |116    |
   |iodef-interface                  |117    |
   |iodef-spoofed                    |118    |
   |iodef-virtual                    |119    |
   |iodef-ownership                  |120    |
   |iodef-ext-ownership              |121    |
   |iodef-Node                       |122    |
   |iodef-NodeRole                   |123    |
   |iodef-Service                    |124    |
   |iodef-OperatingSystem            |125    |
   |iodef-AssetID                    |126    |
   |iodef-DomainData                 |127    |
   |iodef-Address                    |128    |
   |iodef-Location                   |129    |
   |iodef-vlan-name                  |130    |
   |iodef-vlan-num                   |131    |
   |iodef-unit                       |132    |
   |iodef-ext-unit                   |133    |
   |iodef-system-status              |134    |
   |iodef-ext-system-status          |135    |
   |iodef-domain-status              |136    |
   |iodef-ext-domain-status          |137    |
   |iodef-Name                       |138    |
   |iodef-DateDomainWasChecked       |139    |
   |iodef-RegistrationDate           |140    |
   |iodef-ExpirationDate             |141    |
   |iodef-RelatedDNS                 |142    |
   |iodef-NameServers                |143    |
   |iodef-DomainContacts             |144    |
   |iodef-Server                     |145    |
   |iodef-SameDomainContact          |146    |
   |iodef-ip-protocol                |147    |
   |iodef-ServiceName                |148    |
   |iodef-Port                       |149    |
   |iodef-Portlist                   |150    |
   |iodef-ProtoCode                  |151    |
   |iodef-ProtoType                  |152    |
   |iodef-ProtoField                 |153    |
   |iodef-ApplicationHeaderField     |154    |
   |iodef-EmailData                  |155    |
   |iodef-IANAService                |156    |
   |iodef-EmailFrom                  |157    |
   |iodef-EmailSubject               |158    |
   |iodef-EmailX-Mailer              |159    |
   |iodef-EmailHeaderField           |160    |
   |iodef-EmailHeaders               |161    |
   |iodef-EmailBody                  |162    |
   |iodef-EmailMessage               |163    |
   |iodef-HashData                   |164    |
   |iodef-Signature                  |165    |
   |iodef-RecordPattern              |166    |
   |iodef-RecordItem                 |167    |
   |iodef-FileData                   |168    |
   |iodef-WindowsRegistryKeysModified|169    |
   |iodef-CertificateData            |170    |
   |iodef-offset                     |171    |
   |iodef-offsetunit                 |172    |
   |iodef-ext-offsetunit             |173    |
   |iodef-Key                        |174    |
   |iodef-registryaction             |175    |
   |iodef-ext-registryaction         |176    |
   |iodef-KeyName                    |177    |
   |iodef-KeyValue                   |178    |
   |iodef-Certificate                |179    |
   |iodef-X509Data                   |180    |
   |iodef-File                       |181    |
   |iodef-FileName                   |182    |
   |iodef-FileSize                   |183    |
   |iodef-FileType                   |184    |
   |iodef-AssociatedSoftware         |185    |
   |iodef-FileProperties             |186    |
   |iodef-scope                      |187    |
   |iodef-HashTargetID               |188    |
   |iodef-Hash                       |189    |
   |iodef-FuzzyHash                  |190    |
   |iodef-DigestMethod               |191    |
   |iodef-DigestValue                |192    |
   |iodef-CanonicalizationMethod     |193    |
   |iodef-FuzzyHashValue             |194    |
   |iodef-AlternativeIndicatorID     |195    |
   |iodef-Observable                 |196    |
   |iodef-uid-ref                    |197    |
   |iodef-IndicatorExpression        |198    |
   |iodef-IndicatorReference         |199    |
   |iodef-AttackPhase                |200    |
   |iodef-BulkObservable             |201    |
   |iodef-BulkObservableFormat       |202    |
   |iodef-BulkObservableList         |203    |
   |iodef-operator                   |204    |
   |iodef-ext-operator               |205    |
   |iodef-euid-ref                   |206    |
   |iodef-AttackPhaseID              |207    |
   +---------------------------------+-------+

                             Figure 8: Mapkeys

6.  The IODEF Data Model (CDDL)

   This section provides the IODEF data model.  Note that mapkeys are
   described at the beginning of the CDDL data model for better
   readability.

start = iodef

;;; iodef.json: IODEF-Document

iodef-version = 1
iodef-lang = 2
iodef-format-id = 3
iodef-private-enum-name = 4
iodef-private-enum-id = 5
iodef-Incident = 6
iodef-AdditionalData = 7
iodef-value = 8
iodef-translation-id = 9
iodef-name = 10
iodef-dtype = 11
iodef-ext-dtype = 12
iodef-meaning = 13
iodef-formatid = 14
iodef-restriction = 15
iodef-ext-restriction = 16
iodef-observable-id = 17
iodef-SoftwareReference = 18
iodef-URL = 19
iodef-Description = 20
iodef-spec-name = 21
iodef-ext-spec-name = 22
iodef-purpose = 23
iodef-ext-purpose = 24
iodef-status = 25
iodef-ext-status = 26
iodef-IncidentID = 27
iodef-AlternativeID = 28
iodef-RelatedActivity = 29
iodef-DetectTime = 30
iodef-StartTime = 31
iodef-EndTime = 32
iodef-RecoveryTime = 33
iodef-ReportTime = 34
iodef-GenerationTime = 35
iodef-Discovery = 36
iodef-Assessment = 37
iodef-Method = 38
iodef-Contact = 39
iodef-EventData = 40
iodef-Indicator = 41
iodef-History = 42
iodef-id = 43
iodef-instance = 44
iodef-ThreatActor = 45
iodef-Campaign = 46
iodef-IndicatorID = 47
iodef-Confidence = 48
iodef-ThreatActorID = 49
iodef-CampaignID = 50
iodef-role = 51
iodef-ext-role = 52
iodef-type = 53
iodef-ext-type = 54
iodef-ContactName = 55
iodef-ContactTitle = 56
iodef-RegistryHandle = 57
iodef-PostalAddress = 58
iodef-Email = 59
iodef-Telephone = 60
iodef-Timezone = 61
iodef-handle = 62
iodef-registry = 63
iodef-ext-registry = 64
iodef-PAddress = 65
iodef-EmailTo = 66
iodef-TelephoneNumber = 67
iodef-source = 68
iodef-ext-source = 69
iodef-DetectionPattern = 70
iodef-DetectionConfiguration = 71
iodef-Application = 72
iodef-Reference = 73
iodef-AttackPattern = 74
iodef-Vulnerability = 75
iodef-Weakness = 76
iodef-SpecID = 77
iodef-ext-SpecID = 78
iodef-ContentID = 79
iodef-RawData = 80
iodef-Platform = 81
iodef-Scoring = 82
iodef-ReferenceName = 83
iodef-specIndex = 84
iodef-ID = 85
iodef-occurrence = 86
iodef-IncidentCategory = 87
iodef-Impact = 88
iodef-SystemImpact = 89
iodef-BusinessImpact = 90
iodef-TimeImpact = 91
iodef-MonetaryImpact = 92
iodef-IntendedImpact = 93
iodef-Counter = 94
iodef-MitigatingFactor = 95
iodef-Cause = 96
iodef-severity = 97
iodef-completion = 98
iodef-ext-severity = 99
iodef-metric = 100
iodef-ext-metric = 101
iodef-duration = 102
iodef-ext-duration = 103
iodef-currency = 104
iodef-rating = 105
iodef-ext-rating = 106
iodef-HistoryItem = 107
iodef-action = 108
iodef-ext-action = 109
iodef-DateTime = 110
iodef-DefinedCOA = 111
iodef-System = 112
iodef-Expectation = 113
iodef-RecordData = 114
iodef-category = 115
iodef-ext-category = 116
iodef-interface = 117
iodef-spoofed = 118
iodef-virtual = 119
iodef-ownership = 120
iodef-ext-ownership = 121
iodef-Node = 122
iodef-NodeRole = 123
iodef-Service = 124
iodef-OperatingSystem = 125
iodef-AssetID = 126
iodef-DomainData = 127
iodef-Address = 128
iodef-Location = 129
iodef-vlan-name = 130
iodef-vlan-num = 131
iodef-unit = 132
iodef-ext-unit = 133
iodef-system-status = 134
iodef-ext-system-status = 135
iodef-domain-status = 136
iodef-ext-domain-status = 137
iodef-Name = 138
iodef-DateDomainWasChecked = 139
iodef-RegistrationDate = 140
iodef-ExpirationDate = 141
iodef-RelatedDNS = 142
iodef-NameServers = 143
iodef-DomainContacts = 144
iodef-Server = 145
iodef-SameDomainContact = 146
iodef-ip-protocol = 147
iodef-ServiceName = 148
iodef-Port = 149
iodef-Portlist = 150
iodef-ProtoCode = 151
iodef-ProtoType = 152
iodef-ProtoField = 153
iodef-ApplicationHeaderField = 154
iodef-EmailData = 155
iodef-IANAService = 156
iodef-EmailFrom = 157
iodef-EmailSubject = 158
iodef-EmailX-Mailer = 159
iodef-EmailHeaderField = 160
iodef-EmailHeaders = 161
iodef-EmailBody = 162
iodef-EmailMessage = 163
iodef-HashData = 164
iodef-Signature = 165
iodef-RecordPattern = 166
iodef-RecordItem = 167
iodef-FileData = 168
iodef-WindowsRegistryKeysModified = 169
iodef-CertificateData = 170
iodef-offset = 171
iodef-offsetunit = 172
iodef-ext-offsetunit = 173
iodef-Key = 174
iodef-registryaction = 175
iodef-ext-registryaction = 176
iodef-KeyName = 177
iodef-KeyValue = 178
iodef-Certificate = 179
iodef-X509Data = 180
iodef-File = 181
iodef-FileName = 182
iodef-FileSize = 183
iodef-FileType = 184
iodef-AssociatedSoftware = 185
iodef-FileProperties = 186
iodef-scope = 187
iodef-HashTargetID = 188
iodef-Hash = 189
iodef-FuzzyHash = 190
iodef-DigestMethod = 191
iodef-DigestValue = 192
iodef-CanonicalizationMethod = 193
iodef-FuzzyHashValue = 194
iodef-AlternativeIndicatorID = 195
iodef-Observable = 196
iodef-uid-ref = 197
iodef-IndicatorExpression = 198
iodef-IndicatorReference = 199
iodef-AttackPhase = 200
iodef-BulkObservable = 201
iodef-BulkObservableFormat = 202
iodef-BulkObservableList = 203
iodef-operator = 204
iodef-ext-operator = 205
iodef-euid-ref = 206
iodef-AttackPhaseID = 207

iodef = {
 version: text
 iodef-version => text,
 ? lang: lang iodef-lang => lang,
 ? format-id: iodef-format-id => text
 ? private-enum-name: text iodef-private-enum-name => text,
 ? private-enum-id: text
 Incident: iodef-private-enum-id => text,
 iodef-Incident => [+ Incident] Incident],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"

restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" /
"ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" /  "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"

DATETIME = tdate

BYTE = eb64legacy

MLStringType = {
    value: text
    ? lang: lang
    iodef-value => text,
    ? iodef-lang => lang,
    ? translation-id: iodef-translation-id => text
} / text

PositiveFloatType = float32 .gt 0
PAddressType = MLStringType

ExtensionType  = {
 value: text
 ? name: text
 dtype:
 iodef-value => text,
 ? iodef-name => text,
 iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/ "json" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
.default "string"
 ? ext-dtype: text
 ? meaning: text
 ? formatid: text iodef-ext-dtype => text,
 ? iodef-meaning => text,
 ? iodef-formatid => text,
 ? restriction: iodef-restriction => restriction .default "private"
 ? ext-restriction: text "private",
 ? observable-id: IDtype iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
}

SoftwareType = {
 ? SoftwareReference: SoftwareReference iodef-SoftwareReference => SoftwareReference,
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType]
}

SoftwareReference = {
 ? value: text
 spec-name: iodef-value => text,
 iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value" "ext-value",
 ? ext-spec-name: text iodef-ext-spec-name => text,
 ? dtype: iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
.default "string" "string",
 ? ext-dtype: iodef-ext-dtype => text
}

Incident = {
 purpose:
 iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / "other" /
          "ext-value"
"ext-value",
 ? ext-purpose: text iodef-ext-purpose => text,
 ? status: iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
           "ext-value"
 ? ext-status: text
"ext-value",
 ? lang: lang iodef-ext-status => text,
 ? iodef-lang => lang,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype
 IncidentID: IncidentID iodef-observable-id => IDtype,
 iodef-IncidentID => IncidentID,
 ? AlternativeID: AlternativeID iodef-AlternativeID => AlternativeID,
 ? RelatedActivity: iodef-RelatedActivity => [+ RelatedActivity] RelatedActivity],
 ? DetectTime: DATETIME iodef-DetectTime => DATETIME,
 ? StartTime: DATETIME iodef-StartTime => DATETIME,
 ? EndTime: DATETIME iodef-EndTime => DATETIME,
 ? RecoveryTime: DATETIME iodef-RecoveryTime => DATETIME,
 ? ReportTime: DATETIME
 GenerationTime: DATETIME iodef-ReportTime => DATETIME,
 iodef-GenerationTime => DATETIME,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? Discovery: iodef-Discovery => [+ Discovery] Discovery],
 ? Assessment: iodef-Assessment => [+ Assessment] Assessment],
 ? Method: iodef-Method => [+ Method]
 Contact: Method],
 iodef-Contact => [+ Contact] Contact],
 ? EventData: iodef-EventData => [+ EventData] EventData],
 ? Indicator: iodef-Indicator => [+ Indicator] Indicator],
 ? History: History iodef-History => History,
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

IncidentID = {
 id: text
 name: text
 ? instance: text
 iodef-id => text,
 iodef-name => text,
 ? iodef-instance => text,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: iodef-ext-restriction => text
}

AlternativeID = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text
 IncidentID: iodef-ext-restriction => text,
 iodef-IncidentID => [+ IncidentID]
}

RelatedActivity = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? IncidentID: iodef-IncidentID => [+ IncidentID] IncidentID],
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? ThreatActor: iodef-ThreatActor => [+ ThreatActor] ThreatActor],
 ? Campaign: iodef-Campaign => [+ Campaign] Campaign],
 ? IndicatorID: iodef-IndicatorID => [+ IndicatorID] IndicatorID],
 ? Confidence: Confidence iodef-Confidence => Confidence,
 ? Description: iodef-Description => [+ text] text],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

ThreatActor = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? ThreatActorID: iodef-ThreatActorID => [+ text] text],
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

Campaign  = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? CampaignID: iodef-CampaignID => [+ text] text],
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

Contact = {
 role:
 iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / /,
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" /
       "ext-value"
"ext-value",
 ? ext-role: text
 type: iodef-ext-role => text,
 iodef-type => "person" / "organization" / "ext-value" "ext-value",
 ? ext-type: text iodef-ext-type => text,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? ContactName: iodef-ContactName => [+ MLStringType] MLStringType],
 ? ContactTitle: iodef-ContactTitle => [+ MLStringType] MLStringType],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? RegistryHandle: iodef-RegistryHandle => [+ RegistryHandle] RegistryHandle],
 ? PostalAddress: iodef-PostalAddress => [+ PostalAddress] PostalAddress],
 ? Email: iodef-Email => [+ Email] Email],
 ? Telephone: iodef-Telephone => [+ Telephone] Telephone],
 ? Timezone: TimeZonetype iodef-Timezone => TimeZonetype,
 ? Contact: iodef-Contact => [+ Contact] Contact],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

RegistryHandle = {
 handle: text
 registry:
 iodef-handle => text,
 iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
"afrinic" / "local" / "ext-value" "ext-value",
 ? ext-registry: iodef-ext-registry => text
}

PostalAddress = {
 ? type: iodef-type => "street" / "mailing" / "ext-value" "ext-value",
 ? ext-type: text
 PAddress: PAddressType iodef-ext-type => text,
 iodef-PAddress => PAddressType,
 ? Description: iodef-Description => [+ MLStringType]
}
Email = {
 ? type: iodef-type => "direct" / "hotline" / "ext-value" "ext-value",
 ? ext-type: text
 EmailTo: text iodef-ext-type => text,
 iodef-EmailTo => text,
 ? Description: iodef-Description => [+ MLStringType]
}

Telephone = {
 ? type: iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value" "ext-value",
 ? ext-type: text
 TelephoneNumber: text iodef-ext-type => text,
 iodef-TelephoneNumber => text,
 ? Description: iodef-Description => [+ MLStringType]
}

Discovery = {
 ? source: iodef-source => "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value" "ext-value",
 ? ext-source: text iodef-ext-source => text,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? Contact: iodef-Contact => [+ Contact] Contact],
 ? DetectionPattern: iodef-DetectionPattern => [+ DetectionPattern]
}

DetectionPattern = {
 ? restriction: iodef-restriction => restriction .default "private"
 ? ext-restriction: text "private",
 ? observable-id: IDtype
 (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
 Application: iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 (iodef-Description => [+ MLStringType],
iodef-DetectionConfiguration => [+ text]),
 iodef-Application => SoftwareType
}

Method = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? Reference: iodef-Reference => [+ Reference] Reference],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? AttackPattern: iodef-AttackPattern => [+ StructuredInfo] StructuredInfo],
 ? Vulnerability: iodef-Vulnerability => [+ StructuredInfo] StructuredInfo],
 ? Weakness: iodef-Weakness => [+ StructuredInfo] StructuredInfo],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}
StructuredInfo = {
 SpecID: SpecID
 iodef-SpecID => SpecID,
 ? ext-SpecID: text iodef-ext-SpecID => text,
 ? ContentID: text iodef-ContentID => text,
 ? (RawData: (iodef-RawData => [+ BYTE] // Reference:[+ Reference]) BYTE],
iodef-Reference => [+ Reference]),
 ? Platform:[+ Platform] iodef-Platform => [+ Platform],
 ? Scoring:[+ iodef-Scoring => [+ Scoring]
}

Platform = {
    SpecID: SpecID
    iodef-SpecID => SpecID,
    ? ext-SpecID: text iodef-ext-SpecID => text,
    ? ContentID: text iodef-ContentID => text,
    ? RawData: iodef-RawData => [+ BYTE] BYTE],
    ? Reference: iodef-Reference => [+ Reference]
}
Scoring = {
    SpecID: SpecID
    iodef-SpecID => SpecID,
    ? ext-SpecID: text iodef-ext-SpecID => text,
    ? ContentID: text iodef-ContentID => text,
    ? RawData: iodef-RawData => [+ BYTE] BYTE],
    ? Reference: iodef-Reference => [+ Reference]
}
Reference = {
 ? observable-id: IDtype iodef-observable-id => IDtype,
 ? ReferenceName: ReferenceName iodef-ReferenceName => ReferenceName,
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType]
}

ReferenceName = {
 specIndex: integer
 ID:
 iodef-specIndex => integer,
 iodef-ID => IDtype
}

Assessment = {
 ? occurrence: iodef-occurrence => "actual" / "potential" "potential",
 ? restriction: iodef-restriction => restriction .default "private"
 ? ext-restriction: text
 ? observable-id: IDtype "private",
 ? IncidentCategory: iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 ? iodef-IncidentCategory => [+ MLStringType],
 iodef-Impact => [+ MLStringType]
 Impact: [+ {SystemImpact: {iodef-SystemImpact => SystemImpact} /
          {BusinessImpact: BusinessImpact}
          {iodef-BusinessImpact => BusinessImpact / {TimeImpact:
          {iodef-TimeImpact => TimeImpact} /
          {MonetaryImpact:
          {iodef-MonetaryImpact => MonetaryImpact} /
          {IntendedImpact: BusinessImpact}]
          {iodef-IntendedImpact => BusinessImpact}],
 ? Counter: iodef-Counter => [+ Counter] Counter],
 ? MitigatingFactor: iodef-MitigatingFactor => [+ MLStringType] MLStringType],
 ? Cause: iodef-Cause => [+ MLStringType] MLStringType],
 ? Confidence: Confidence iodef-Confidence => Confidence,
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

SystemImpact = {
 ? severity: iodef-severity => "low" / "medium" / "high" "high",
 ? completion: iodef-completion => "failed" / "succeeded"
 type: "succeeded",
 iodef-type => "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" /
"breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host"/ "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown" "unknown",
 ? ext-type: text iodef-ext-type => text,
 ? Description: iodef-Description => [+ MLStringType]
}

BusinessImpact = {
? severity:"none" iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / "ext-value"
.default "unknown" "unknown",
 ? ext-severity: text
 type: iodef-ext-severity => text,
 iodef-type => "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" .default "unknown" "unknown",
 ? ext-type: text iodef-ext-type => text,
 ? Description: iodef-Description => [+ MLStringType]
}

TimeImpact = {
 value: PositiveFloatType
 iodef-value => PositiveFloatType,
 ? severity: iodef-severity => "low" / "medium" / "high"
 metric: "high",
 iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value" "ext-value",
 ? ext-metric: text iodef-ext-metric => text,
 ? duration: iodef-duration => duration .default "hour" "hour",
 ? ext-duration: iodef-ext-duration => text
}

MonetaryImpact = {
 value: PositiveFloatType
 iodef-value => PositiveFloatType,
 ? severity: iodef-severity => "low" / "medium" / "high" "high",
 ? currency: iodef-currency => text

}

Confidence = {
 value: float32
 rating:
 iodef-value => float32,
 iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" "ext-value",
 ? ext-rating: iodef-ext-rating => text
}

History = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text
 HistoryItem: iodef-ext-restriction => text,
 iodef-HistoryItem => [+ HistoryItem]
}

HistoryItem = {
 action:
 iodef-action => action .default "other" "other",
 ? ext-action: text iodef-ext-action => text,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype
 DateTime: DATETIME iodef-observable-id => IDtype,
 iodef-DateTime => DATETIME,
 ? IncidentID: IncidentID iodef-IncidentID => IncidentID,
 ? Contact: Contact iodef-Contact => Contact,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? DefinedCOA: iodef-DefinedCOA => [+ text] text],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

EventData = {
 ? restriction: iodef-restriction => restriction .default "default" "default",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype iodef-observable-id => IDtype,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? DetectTime: DATETIME iodef-DetectTime => DATETIME,
 ? StartTime: DATETIME iodef-StartTime => DATETIME,
 ? EndTime: DATETIME iodef-EndTime => DATETIME,
 ? RecoveryTime: DATETIME iodef-RecoveryTime => DATETIME,
 ? ReportTime: DATETIME iodef-ReportTime => DATETIME,
 ? Contact: iodef-Contact => [+ Contact] Contact],
 ? Discovery: iodef-Discovery => [+ Discovery] Discovery],
 ? Assessment: Assessment iodef-Assessment => Assessment,
 ? Method: iodef-Method => [+ Method] Method],
 ? System: iodef-System => [+ System] System],
 ? Expectation: iodef-Expectation => [+ Expectation] Expectation],
 ? RecordData: iodef-RecordData => [+ RecordData] RecordData],
 ? EventData: iodef-EventData => [+ EventData] EventData],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}
Expectation = {
 ? action: iodef-action => action .default "other" "other",
 ? ext-action: text iodef-ext-action => text,
 ? severity: iodef-severity => "low" / "medium" / "high" "high",
 ? restriction: iodef-restriction => restriction .default "default" "default",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype iodef-observable-id => IDtype,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? DefinedCOA: iodef-DefinedCOA => [+ text] text],
 ? StartTime: DATETIME iodef-StartTime => DATETIME,
 ? EndTime: DATETIME iodef-EndTime => DATETIME,
 ? Contact: iodef-Contact => Contact
}

System = {
 ? category: iodef-category => "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value"
 ? ext-category: text "ext-value",
 ? interface: text iodef-ext-category => text,
 ? iodef-interface => text,
 ? spoofed: iodef-spoofed => "unknown" / "yes" / "no" .default "unknown" "unknown",
 ? virtual: iodef-virtual => "yes" / "no" / "unknown" .default "unknown" "unknown",
 ? ownership: iodef-ownership => "organization" / "personal" / "partner" / "customer" /
"no-relationship" / "unknown" / "ext-value" "ext-value",
 ? ext-ownership: text iodef-ext-ownership => text,
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype
 Node: Node iodef-observable-id => IDtype,
 iodef-Node => Node,
 ? NodeRole: iodef-NodeRole => [+ NodeRole] NodeRole],
 ? Service: iodef-Service => [+ Service] Service],
 ? OperatingSystem: iodef-OperatingSystem => [+ SoftwareType] SoftwareType],
 ? Counter: iodef-Counter => [+ Counter] Counter],
 ? AssetID: iodef-AssetID => [+ text] text],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

Node = {
 (DomainData:[+ DomainData]
 (iodef-DomainData => [+ DomainData],
  ? Address:[+ iodef-Address => [+ Address] //
  ? DomainData:[+ DomainData]
  Address:[+ Address]) iodef-DomainData => [+ DomainData],
  iodef-Address => [+ Address]),
 ? PostalAddress: PostalAddress iodef-PostalAddress => PostalAddress,
 ? Location: iodef-Location => [+ MLStringType] MLStringType],
 ? Counter: iodef-Counter => [+ Counter]
}

Address = {
 value: text
 category:
 iodef-value => text,
 iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
"ext-value" .default "ipv6-addr"
 ? ext-category: text "ipv6-addr",
 ? vlan-name: text iodef-ext-category => text,
 ? iodef-vlan-name => text,
 ? vlan-num: integer iodef-vlan-num => integer,
 ? observable-id: iodef-observable-id => IDtype
}

NodeRole = {
 category:
 iodef-category => "client" / "client-enterprise" / "client-partner" /
"client-remote" / "client-kiosk" / "client-mobile" /
"server-internal" / "server-public" / "www" / "mail" /
"webmail" / "messaging" / "streaming" / "voice" / "file" /
"ftp" / "p2p" / "name" / "directory" / "credential" /
"print" / "application" / "database" / "backup" / "dhcp" /
"assessment" / "source-control" / "config-management" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" /
"infra-switch" / "camera" / "proxy" / "remote-access" /
"log" / "virtualization" / "pos" /  "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hop-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value" "ext-value",
 ? ext-category: text iodef-ext-category => text,
 ? Description: iodef-Description => [+ MLStringType]
}

Counter = {
 value: float32
 type:
 iodef-value => float32,
 iodef-type => "count" / "peak" / "average" / "ext-value" "ext-value",
 ? ext-type: text
 unit: iodef-ext-type => text,
 iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" /
       "ext-value"
 ? ext-unit: text
"ext-value",
 ? meaning: text iodef-ext-unit => text,
 ? iodef-meaning => text,
 ? duration: iodef-duration => duration .default "hour" "hour",
 ? ext-duration: iodef-ext-duration => text
}

DomainData = {
 system-status:
 iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" /
"innocent-hijacked" / "unknown" / "ext-value" "ext-value",
 ? ext-system-status: text
 domain-status: iodef-ext-system-status => text,
 iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value" "ext-value",
 ? ext-domain-status: text iodef-ext-domain-status => text,
 ? observable-id: IDtype
 Name: text iodef-observable-id => IDtype,
 iodef-Name => text,
 ? DateDomainWasChecked: DATETIME iodef-DateDomainWasChecked => DATETIME,
 ? RegistrationDate: DATETIME iodef-RegistrationDate => DATETIME,
 ? ExpirationDate: DATETIME iodef-ExpirationDate => DATETIME,
 ? RelatedDNS: iodef-RelatedDNS => [+ ExtensionType] ExtensionType],
 ? NameServers: iodef-NameServers => [+ NameServers] NameServers],
 ? DomainContacts: iodef-DomainContacts => DomainContacts
}

NameServers = {
 Server: text
 Address:
 iodef-Server => text,
 iodef-Address => [+ Address]
}

DomainContacts = {
 (SameDomainContact:
 (iodef-SameDomainContact => text // Contact: iodef-Contact => [+ Contact])
}

Service = {
 ? ip-protocol: integer
 ? observable-id: IDtype iodef-ip-protocol => integer,
 ? ServiceName: ServiceName iodef-observable-id => IDtype,
 ? iodef-ServiceName => ServiceName,
 ? Port: integer iodef-Port => integer,
 ? Portlist: PortlistType iodef-Portlist => PortlistType,
 ? ProtoCode: integer iodef-ProtoCode => integer,
 ? ProtoType: integer iodef-ProtoType => integer,
 ? ProtoField: integer iodef-ProtoField => integer,
 ? ApplicationHeaderField: iodef-ApplicationHeaderField => [+ ExtensionType] ExtensionType],
 ? EmailData: EmailData iodef-EmailData => EmailData,
 ? Application: iodef-Application => SoftwareType
}

ServiceName = {
 ? IANAService: text iodef-IANAService => text,
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType]
}

EmailData = {
 ? observable-id: IDtype iodef-observable-id => IDtype,
 ? EmailTo: iodef-EmailTo => [+ text] text],
 ? EmailFrom: text iodef-EmailFrom => text,
 ? EmailSubject: text iodef-EmailSubject => text,
 ? EmailX-Mailer: text iodef-EmailX-Mailer => text,
 ? EmailHeaderField: iodef-EmailHeaderField => [+ ExtensionType] ExtensionType],
 ? EmailHeaders: text iodef-EmailHeaders => text,
 ? EmailBody: text iodef-EmailBody => text,
 ? EmailMessage: text iodef-EmailMessage => text,
 ? HashData: iodef-HashData => [+ HashData] HashData],
 ? Signature: iodef-Signature => [+ BYTE]
}

RecordData = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? observable-id: IDtype iodef-observable-id => IDtype,
 ? DateTime: DATETIME iodef-DateTime => DATETIME,
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? Application: SoftwareType iodef-Application => SoftwareType,
 ? RecordPattern: iodef-RecordPattern => [+ RecordPattern] RecordPattern],
 ? RecordItem: iodef-RecordItem => [+ ExtensionType] ExtensionType],
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? FileData: iodef-FileData => [+ FileData] FileData],
 ? WindowsRegistryKeysModified: iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified] WindowsRegistryKeysModified],
 ? CertificateData: iodef-CertificateData => [+ CertificateData] CertificateData],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

RecordPattern = {
 value: text
 type:
 iodef-value => text,
 iodef-type => "regex" / "binary" / "xpath" / "ext-value"  .default "regex" "regex",
 ? ext-type: text iodef-ext-type => text,
 ? offset: integer iodef-offset => integer,
 ? offsetunit: iodef-offsetunit => "line" / "byte" / "ext-value" .default "line" "line",
 ? ext-offsetunit: text iodef-ext-offsetunit => text,
 ? instance: iodef-instance => integer
}

WindowsRegistryKeysModified = {
 ? observable-id: IDtype
 Key: iodef-observable-id => IDtype,
 iodef-Key => [+ Key]
}

Key = {
 ? registryaction: iodef-registryaction => "add-key" / "add-value" / "delete-key" /
"delete-value" / "modify-key" / "modify-value" /
                   "ext-value"
 ? ext-registryaction: text
"ext-value",
 ? observable-id: IDtype
 KeyName: text iodef-ext-registryaction => text,
 ? iodef-observable-id => IDtype,
 iodef-KeyName => text,
 ? KeyValue: iodef-KeyValue => text
}

CertificateData = {
 ? restriction: iodef-restriction => restriction .default "private"
 ? ext-restriction: text "private",
 ? observable-id: IDtype
 Certificate: iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-Certificate => [+ Certificate]
}

Certificate = {
 ? observable-id: IDtype
 X509Data: BYTE iodef-observable-id => IDtype,
 iodef-X509Data => BYTE,
 ? Description: iodef-Description => [+ MLStringType]
}

FileData = {
 ? restriction: iodef-restriction => restriction .default "private"
 ? ext-restriction: text "private",
 ? observable-id: IDtype
 File: iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-File => [+ File]
}

File = {
 ? observable-id: IDtype
 ? FileName: text iodef-observable-id => IDtype,
 ? iodef-FileName => text,
 ? FileSize: integer iodef-FileSize => integer,
 ? FileType: text iodef-FileType => text,
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? HashData: HashData iodef-HashData => HashData,
 ? Signature: iodef-Signature => [+ BYTE] BYTE],
 ? AssociatedSoftware: SoftwareType iodef-AssociatedSoftware => SoftwareType,
 ? FileProperties: iodef-FileProperties => [+ ExtensionType]
}

HashData = {
 scope:
 iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-headers-hash" / "email-body-hash" / "ext-value" "ext-value",
 ? HashTargetID: text iodef-HashTargetID => text,
 ? Hash: iodef-Hash => [+ Hash] Hash],
 ? FuzzyHash: iodef-FuzzyHash => [+ FuzzyHash]
}

Hash = {
 DigestMethod: BYTE
 DigestValue: BYTE
 iodef-DigestMethod => BYTE,
 iodef-DigestValue => BYTE,
 ? iodef-CanonicalizationMethod => BYTE,
 ? CanonicalizationMethod: BYTE
 ? Application: iodef-Application => SoftwareType
}

FuzzyHash = {
 FuzzyHashValue:
 iodef-FuzzyHashValue => [+ ExtensionType] ExtensionType],
 ? Application: SoftwareType iodef-Application => SoftwareType,
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

Indicator = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text
 IndicatorID: IndicatorID iodef-ext-restriction => text,
 iodef-IndicatorID => IndicatorID,
 ? AlternativeIndicatorID: iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID] AlternativeIndicatorID],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? StartTime: DATETIME iodef-StartTime => DATETIME,
 ? EndTime: DATETIME iodef-EndTime => DATETIME,
 ? Confidence: Confidence iodef-Confidence => Confidence,
 ? Contact: iodef-Contact => [+ Contact]
 (Observable: Contact],
 (iodef-Observable => Observable // uid-ref: iodef-uid-ref => IDREFType //
  IndicatorExpression:
  iodef-IndicatorExpression => IndicatorExpression //
  IndicatorReference: IndicatorReference)
  iodef-IndicatorReference => IndicatorReference),
 ? NodeRole: iodef-NodeRole => [+ NodeRole] NodeRole],
 ? AttackPhase: iodef-AttackPhase => [+ AttackPhase] AttackPhase],
 ? Reference: iodef-Reference => [+ Reference] Reference],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

IndicatorID = {
 id: IDtype
 name: text
 version:
 iodef-id => IDtype,
 iodef-name => text,
 iodef-version => text
}

AlternativeIndicatorID = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text
 IndicatorID: iodef-ext-restriction => text,
 iodef-IndicatorID => [+ IndicatorID]
}

Observable = {
 ? restriction: iodef-restriction => restriction .default "private" "private",
 ? ext-restriction: text iodef-ext-restriction => text,
 ? (System: (iodef-System => System // Address: iodef-Address => Address // DomainData: iodef-DomainData => DomainData //
  EmailData:
    iodef-EmailData => EmailData // Service: iodef-Service => Service //
  WindowsRegistryKeysModified:
    iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified //
  FileData:
    iodef-FileData => FileData // CertificateData: iodef-CertificateData => CertificateData //
  RegistryHandle:
    iodef-RegistryHandle => RegistryHandle // RecordData: iodef-RecordData => RecordData //
  EventData:
    iodef-EventData => EventData // Incident: iodef-Incident => Incident //
  Expectation: iodef-Expectation => Expectation // Reference:
    iodef-Reference => Reference //
  Assessment: iodef-Assessment => Assessment // DetectionPattern:
    iodef-DetectionPattern => DetectionPattern //
  HistoryItem: iodef-HistoryItem => HistoryItem // BulkObservable:
    iodef-BulkObservable => BulkObservable //
  AdditionalData: iodef-AdditionalData => [+ ExtensionType])
}

BulkObservable = {
 ? type: iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" /
"mutex" / "file-path" / "user-name" / "ext-value"
 ? ext-type: text "ext-value",
 ? BulkObservableFormat: BulkObservableFormat
 BulkObservableList: text iodef-ext-type => text,
 ? iodef-BulkObservableFormat => BulkObservableFormat,
 iodef-BulkObservableList => text,
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

BulkObservableFormat = {
 (Hash:
 (iodef-Hash => Hash // AdditionalData: iodef-AdditionalData => [+ ExtensionType])
}

IndicatorExpression = {
 ? operator: iodef-operator => "not" / "and" / "or" / "xor" .default "and" "and",
 ? ext-operator: text iodef-ext-operator => text,
 ? IndicatorExpression: iodef-IndicatorExpression => [+ IndicatorExpression] IndicatorExpression],
 ? Observable: iodef-Observable => [+ Observable] Observable],
 ? uid-ref: iodef-uid-ref => [+ IDREFType] IDREFType],
 ? IndicatorReference: iodef-IndicatorReference => [+ IndicatorReference] IndicatorReference],
 ? Confidence: Confidence iodef-Confidence => Confidence,
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}

IndicatorReference = {
 (uid-ref:
 (iodef-uid-ref => IDREFType // euid-ref: text) iodef-euid-ref => text),
 ? version: iodef-version => text
}

AttackPhase = {
 ? AttackPhaseID: iodef-AttackPhaseID => [+ text] text],
 ? URL: iodef-URL => [+ URLtype] URLtype],
 ? Description: iodef-Description => [+ MLStringType] MLStringType],
 ? AdditionalData: iodef-AdditionalData => [+ ExtensionType]
}
                       Figure 8: 9: Data Model in CDDL

6.

7.  IANA Considerations

   This document does not require any IANA actions.

7.

8.  Security Considerations

   This document provides a mapping from XML IODEF defined in [RFC7970]
   to JSON, and Section 3.2 describes several issues that arise when
   converting XML IODEF and JSON IODEF.  Though it does not provide any
   further security considerations than the one described in [RFC7970].

8. [RFC7970],
   impelementers of this document should be aware of those issues to
   avoid any unintended outcome.

9.  Acknowledgments

   We would like to thank Henk Birkholz, Carsten Bormann, Benjamin
   Kaduk, Yasuaki Morita, and Takahiko Nagata for their insightful
   comments on this document and CDDL.

9.

10.  References

9.1.

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC7049]  Bormann, C. and P. Hoffman, "Concise Binary Object
              Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
              October 2013, <https://www.rfc-editor.org/info/rfc7049>.

   [RFC7203]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, DOI 10.17487/RFC7203, April 2014,
              <https://www.rfc-editor.org/info/rfc7203>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

9.2.

10.2.  Informative References

   [jsonschema]
              Francis Galiegue, Kris Zyp,

   [I-D.handrews-json-schema-validation]
              Wright, A., Andrews, H., and Gary Court, B. Hutton, "JSON Schema:
              core definitions and terminology", 2013. Schema
              Validation: A Vocabulary for Structural Validation of
              JSON", draft-handrews-json-schema-validation-02 (work in
              progress), September 2019.

Appendix A.  Data Types used in this document

   The CDDL prelude used in this document is mapped to JSON as shown in
   the table below.

   +-----------------+-------------------+----------------------------+
   | CDDL Prelude    | Use of JSON   |  Instance | Validation         |
   +-----------------+-------------------+----------------------------+
   | bytes           | n/a           | string    | tool available     |
   | text            | string        | string    | unnecessary        |
   | tdate           | n/a           | string    | 7.3.1 date-time    |
   | integer         | n/a           | number    | integer            |
   | eb64legacy      | n/a           | string    | tool available     |
   | uri             | n/a           | string    | 7.3.6 uri          |
   | float32         | float32       | number    | unnecessary        |
   +-----------------+-------------------+----------------------------+

                  Figure 9: 10: CDDL Prelude mapping in JSON

Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema [jsonschema]
   [I-D.handrews-json-schema-validation] that defines the IODEF Data
   Model defined in this draft.  Note that this section is Informative.

{ "$schema": "http://json-schema.org/draft-04/schema#",
  "definitions": {
    "action": {"enum": ["nothing","contact-source-site",
       "contact-target-site","contact-sender","investigate",
       "block-host","block-network","block-port","rate-limit-host",
       "rate-limit-network","rate-limit-port","redirect-traffic",
       "honeypot","upgrade-software","rebuild-asset","harden-asset",
       "remediate-other","status-triage","status-new-info",
       "watch-and-report","training","defined-coa","other",
       "ext-value"]},
    "duration":{"enum":["second","minute","hour","day","month",
       "quarter","year","ext-value"]},
    "SpecID":{
      "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
    "lang": {
      "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
    "purpose": {"enum": ["traceback","mitigation","reporting","watch",
      "other","ext-value"]},
    "restriction":{"enum":["public","partner","need-to-know","private",
      "default","white","green","amber","red","ext-value"]},
    "status": {"enum": ["new","in-progress","forwarded","resolved",
      "future","ext-value"]},
    "DATETIME": {"type": "string","format": "date-time"},
    "BYTE": {"type": "string"},
    "PortlistType": {
      "type": "string","pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
    "TimeZonetype": {
      "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
    "URLtype": {
      "type": "string",
      "pattern":
        "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
    "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"},
    "IDREFType": {"$ref": "#/definitions/IDtype"},
    "MLStringType": {
      "oneOf": [{"type": "string"},
                {"type": "object",
                  "properties": {
                    "value": {"type": "string"},
                    "lang": {"$ref": "#/definitions/lang"},
                    "translation-id": {"type": "string"}},
                   "required": ["value"],
                   "additionalProperties":false}]},
    "PositiveFloatType": {"type": "number","minimum": 0},
    "PAddressType": {"$ref": "#/definitions/MLStringType"},
    "ExtensionType": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "name": {"type": "string"},
        "dtype":{"enum":["boolean","byte","bytes","character", "json",
          "date-time","ntpstamp","integer","portlist","real","string",
          "file","path","frame","packet","ipv4-packet","ipv6-packet",
          "url", "csv","winreg","xml","ext-value"],"default": "string"},
        "ext-dtype": {"type": "string"},
        "meaning": {"type": "string"},
        "formatid": {"type": "string"},
        "restriction": {
          "$ref": "#/definitions/restriction","default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["value","dtype"],
      "additionalProperties":false},
    "ExtensionTypeList": {
      "type": "array",
      "items": {"$ref": "#/definitions/ExtensionType"},
      "minItems": 1},
    "SoftwareType": {
      "type": "object",
      "properties": {
        "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype",
          "minItems": 1}},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1 }},
      "required": [],
      "additionalProperties": false},
    "SoftwareReference": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "spec-name": {"enum": ["custom","cpe","swid","ext-value"]},
        "ext-spec-name": {"type": "string"},
        "dtype": {"enum": ["bytes","integer","real","string","xml",
                           "ext-value"] ,  "default": "string"},
        "ext-dtype": {"type": "string"}},

      "required": ["spec-name"],
      "additionalProperties": false},
    "StructuredInfo": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1
        },
        "Platform": {
          "type": "array",
          "items": {"$ref": "#/definitions/Platform"},
          "minItems": 1
        },
        "Scoring": {
          "type": "array",
          "items": {"$ref": "#/definitions/Scoring"},
          "minItems": 1}},
      "allOf": [
         {"required": ["SpecID"]},
         {"anyOf": [
           {"oneOf": [
             {"required":["Reference"]},
             {"required":["RawData"]}]},
           { "not" : {"required":["Reference", "RawData"]}}]}],
      "additionalProperties": false},
    "Platform": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1}},
      "required": ["SpecID"],
      "additionalProperties": false},
    "Scoring": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1}},
      "required": ["SpecID"],
      "additionalProperties": false},
    "Incident": {
      "title": "Incident",
      "description": "JSON schema for Incident class",
      "type": "object",
      "properties": {
        "purpose": {"$ref": "#/definitions/purpose"},
        "ext-purpose": {"type": "string"},
        "status": {"$ref": "#/definitions/status"},
        "ext-status": {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
        "RelatedActivity": {
          "type": "array",
          "items": {"$ref": "#/definitions/RelatedActivity"},
          "minItems": 1},
        "DetectTime": {"$ref": "#/definitions/DATETIME"},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
        "ReportTime": {"$ref": "#/definitions/DATETIME"},
        "GenerationTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Discovery": {
          "type": "array",
          "items": {"$ref": "#/definitions/Discovery"},
          "minItems": 1},
        "Assessment": {
          "type": "array",
          "items": {"$ref": "#/definitions/Assessment"},
          "minItems": 1},
        "Method": {
          "type": "array",
          "items": {"$ref": "#/definitions/Method"},
          "minItems": 1},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "EventData": {
          "type": "array",
          "items": {"$ref": "#/definitions/EventData"},
          "minItems": 1},
        "Indicator": {
          "type": "array",
          "items": {"$ref": "#/definitions/Indicator"},
          "minItems": 1},
        "History": {"$ref": "#/definitions/History"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IncidentID","GenerationTime","Contact","purpose"],
      "additionalProperties": false},
    "IncidentID": {
      "title": "IncidentID",
      "description": "JSON schema for IncidentID class",
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "instance": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"}},
      "required": ["id","name"],
      "additionalProperties": false},
    "AlternativeID": {
      "title": "AlternativeID",
      "description": "JSON schema for AlternativeID class",
      "type": "object",
      "properties": {
        "IncidentID": {
          "type": "array",
          "items":{"$ref": "#/definitions/IncidentID"},
          "minItems": 1},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"}},
      "required": ["IncidentID"],
      "additionalProperties": false},
    "RelatedActivity": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IncidentID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IncidentID"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "ThreatActor": {
          "type": "array",
          "items": {"$ref": "#/definitions/ThreatActor"},
          "minItems": 1},
        "Campaign": {
          "type": "array",
          "items": {"$ref": "#/definitions/Campaign"},
          "minItems": 1},
        "IndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorID"},
          "minItems": 1},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Description": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "ThreatActor": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "ThreatActorID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "URL": {
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "Campaign": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "CampaignID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "URL": {
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
    "Contact": {
      "type": "object",
      "properties": {
        "role": {
          "enum":["creator","reporter","admin","tech","provider","user",
                  "billing","legal","irt","abuse","cc","cc-irt","leo",
                  "vendor","vendor-support","victim","victim-notified",
                  "ext-value"]},
        "ext-role": {"type": "string"},
        "type": {"enum": ["person","organization","ext-value"]},
        "ext-type": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "ContactName": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "ContactTitle": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "RegistryHandle": {
          "type":"array",
          "items":{"$ref":"#/definitions/RegistryHandle"},
          "minItems": 1},
        "PostalAddress": {
          "type":"array",
          "items":{"$ref":"#/definitions/PostalAddress"},
          "minItems": 1},
        "Email": {
          "type": "array",
          "items": {"$ref": "#/definitions/Email"},
          "minItems": 1},
        "Telephone": {
          "type": "array",
          "items": {"$ref": "#/definitions/Telephone"},
          "minItems": 1},
        "Timezone": {"$ref": "#/definitions/TimeZonetype"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["role","type"],
      "additionalProperties": false},
    "RegistryHandle": {
      "type": "object",
      "properties": {
        "handle": {"type": "string"},
        "registry": {
          "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
                   "local","ext-value"]},
        "ext-registry": {"type": "string"}},
      "required": ["handle","registry"],
      "additionalProperties": false},
    "PostalAddress": {
      "type": "object",
      "properties": {
        "type": {
          "enum": ["street","mailing","ext-value"]},

        "ext-type": {"type": "string"},
        "PAddress": {"$ref": "#/definitions/PAddressType"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["PAddress"],
      "additionalProperties": false},
    "Email": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["direct","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "EmailTo": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["EmailTo"],
      "additionalProperties": false},
    "Telephone": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["wired","mobile","fax","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "TelephoneNumber": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["TelephoneNumber"],
      "additionalProperties": false},
    "Discovery": {
      "type": "object",
      "properties": {
        "source": {
          "enum":["nidps","hips","siem","av","third-party-monitoring",
                  "incident","os-log","application-log","device-log",
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
        "ext-source": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "DetectionPattern": {
          "type":"array",
          "items":{"$ref":"#/definitions/DetectionPattern"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DetectionConfiguration": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1}},
      "allOf": [
        {"required": ["Application"]},
        {"oneOf": [
          {"required":["Description"]},
          {"required":["DetectionConfiguration"]}]}],
      "additionalProperties": false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AttackPattern": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "minItems": 1},
        "Vulnerability": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "minItems": 1},
        "Weakness": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {"$ref":"#/definitions/ReferenceName"},
        "URL":{
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "ReferenceName" : {
      "type": "object",
      "properties": {
        "specIndex": {"type": "number"},
        "ID": {"$ref":"#/definitions/IDtype"}},
      "required": ["specIndex","ID"],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {"enum":["actual","potential"]},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Impact": {
         "type": "array",
         "items": {
           "properties": {
             "SystemImpact":{"$ref":"#/definitions/SystemImpact"},
             "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},
             "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
             "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"},
             "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
           "additionalProperties":false},
         "minItems" : 1
        },
        "Counter": {
          "type": "array",
          "items": {"$ref": "#/definitions/Counter"},
          "minItems": 1},
        "MitigatingFactor": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Cause": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Impact"],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {"enum":["low","medium","high"]},
        "completion": {"enum":["failed","succeeded"]},
        "type": {
          "enum":["takeover-account","takeover-service",
            "takeover-system","cps-manipulation","cps-damage",
            "availability-data","availability-account",
            "availability-service","availability-system",
            "damaged-system","damaged-data","breach-proprietary",
            "breach-privacy","breach-credential",
            "breach-configuration","integrity-data",
            "integrity-configuration","integrity-hardware",
            "traffic-redirection","monitoring-traffic",
            "monitoring-host","policy","unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {"enum":["none","low","medium","high","unknown",
                     "ext-value"],"default": "unknown"},
        "ext-severity": {"type":"string"},
        "type": {"enum":["breach-proprietary","breach-privacy",
          "breach-credential","loss-of-integrity","loss-of-service",
          "theft-financial","theft-service","degraded-reputation",
          "asset-damage","asset-manipulation","legal","extortion",
          "unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"$ref": "#/definitions/PositiveFloatType"},
        "severity": {"enum": ["low","medium","high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration","default": "hour"},
        "ext-duration": {"type": "string"}},
      "required": ["value","metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"$ref": "#/definitions/PositiveFloatType"},
        "severity": {"enum":["low","medium","high"]},
        "currency": {"type": "string"}},
      "required": ["value"],
      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "rating": {"enum": ["low","medium","high","numeric","unknown",
                   "ext-value"]},

        "ext-rating": {"type":"string"}},
      "required": ["value","rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array",
          "items": {"$ref": "#/definitions/HistoryItem"},
          "minItems": 1}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action","default": "other"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DefinedCOA": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array",
          "items": { "$ref":"#/definitions/MLStringType"}},
        "DetectTime": {"$ref": "#/definitions/DATETIME"},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
        "ReportTime": {"$ref": "#/definitions/DATETIME"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "Discovery": {
          "type": "array",
          "items": {"$ref": "#/definitions/Discovery"},
          "minItems": 1},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array",
          "items": {"$ref": "#/definitions/Method"},
          "minItems": 1},
        "System": {
          "type": "array",
          "items": {"$ref": "#/definitions/System"},
          "minItems": 1},
        "Expectation": {
          "type": "array",
          "items": {"$ref": "#/definitions/Expectation"},
          "minItems": 1},
        "RecordData": {
          "type": "array",
          "items": {"$ref": "#/definitions/RecordData"},
          "minItems": 1},
        "EventData": {
          "type": "array",
          "items": {"$ref": "#/definitions/EventData"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action","default": "other"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "default"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DefinedCOA": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor",
                   "infrastructure","ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"},
        "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array",
          "items": {"$ref": "#/definitions/NodeRole"},
          "minItems": 1},
        "Service": {
          "type": "array",
          "items": {"$ref": "#/definitions/Service"},
          "minItems": 1},
        "OperatingSystem": {
          "type": "array",
          "items": {"$ref": "#/definitions/SoftwareType"},
          "minItems": 1},
        "Counter": {
          "type": "array",
          "items": {"$ref": "#/definitions/Counter"},
          "minItems": 1},
        "AssetID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array",
          "items": {"$ref": "#/definitions/DomainData"},
          "minItems": 1},
        "Address": {
          "type": "array",
          "items": {"$ref": "#/definitions/Address"},
          "minItems": 1},
        "PostalAddress": {"$ref": "#/definitions/PostalAddress"},
        "Location": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Counter": {
          "type":"array",
          "items":{"$ref":"#/definitions/Counter"},
          "minItems": 1}},
      "anyOf": [
         {"required": ["DomainData"]},
         {"required": ["Address"]}
      ],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
          "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
            "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
            "ipv6-net-masked","mac","site-uri","ext-value"],
            "default": "ipv6-addr"},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "number"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["value","category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","client-partner",
            "client-remote","client-kiosk","client-mobile",
            "server-internal","server-public","www","mail","webmail",
            "messaging","streaming","voice","file","ftp","p2p","name",
            "directory","credential","print","application","database",
            "backup","dhcp","assessment","source-control",
            "config-management","monitoring","infra","infra-firewall",
            "infra-router","infra-switch","camera","proxy",
            "remote-access","log","virtualization","pos", "scada",
            "scada-supervisory","sinkhole","honeypot","anomyzation",
            "c2-server","malware-distribution","drop-server",
            "hop-point","reflector","phishing-site",
            "spear-phishing-site","recruiting-site","fraudulent-site",
            "ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit":{"enum":["byte","mbit","packet","flow","session","alert",
          "message","event","host","site","organization","ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration","default": "hour"},
        "ext-duration": {"type": "string"}},
      "required": ["value","type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [ "reservedDelegation","assignedAndActive",
                    "assignedAndInactive","assignedAndOnHold","revoked",
                    "transferPending","registryLock","registrarLock",
                    "other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "NameServers": {
          "type": "array",
          "items": {"$ref": "#/definitions/NameServers"},
          "minItems": 1},
        "DomainContacts": {"$ref": "#/definitions/DomainContacts"}},
      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {
          "type":"array",
          "items":{"$ref":"#/definitions/Address"},
          "minItems": 1}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {
          "type":"array",
          "items":{"$ref":"#/definitions/Contact"},
          "minItems": 1}},
      "oneOf": [
         {"required": ["SameDomainContact"]},
         {"required": ["Contact"]}],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "number"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "number"},
        "Portlist": {"$ref": "#/definitions/PortlistType"},
        "ProtoCode": {"type": "number"},
        "ProtoType": {"type": "number"},
        "ProtoField": {"type": "number"},
        "ApplicationHeaderField":{
          "$ref":"#/definitions/ExtensionTypeList"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array",
          "items": {"$ref": "#/definitions/HashData"},
          "minItems": 1},
        "Signature": {
          "type": "array",
          "items": {"$ref": "#/definitions/BYTE"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array",
          "items": {"$ref": "#/definitions/RecordPattern"},
          "minItems": 1},
        "RecordItem": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "FileData": {
          "type": "array",
          "items": {"$ref": "#/definitions/FileData"},
          "minItems": 1},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"},
          "minItems": 1},
        "CertificateData": {
          "type":"array",
          "items":{"$ref":"#/definitions/CertificateData"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"],
                 "default": "regex"},
        "ext-type": {"type": "string"},
        "offset": {"type": "number"},
        "offsetunit": {"enum":["line","byte","ext-value"] ,
                       "default": "line"},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "number"}},
      "required": ["value","type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {
          "type": "array",
          "items": {"$ref": "#/definitions/Key"},
          "minItems": 1}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
                          "delete-value","modify-key","modify-value",
                          "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array",
          "items": {"$ref": "#/definitions/Certificate"},
          "minItems": 1}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"$ref": "#/definitions/BYTE"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {
          "type": "array",
          "items": {"$ref": "#/definitions/File"},
          "minItems": 1}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "FileName": {"type": "string"},
        "FileSize": {"type": "number"},
        "FileType": {"type": "string"},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {
          "type": "array",
          "items": {"$ref": "#/definitions/BYTE"},
          "minItems": 1},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type":"array",
          "items":{"$ref":"#/definitions/ExtensionType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section",
          "file-pe-iat","file-pe-resource","file-pdf-object",
          "email-hash","email-headers-hash","email-body-hash",
          "ext-value"]},
        "HashTargetID": {"type": "string"},
        "Hash": {
          "type": "array",
          "items": {"$ref": "#/definitions/Hash"},
          "minItems": 1},
        "FuzzyHash": {
          "type": "array",
          "items": {"$ref": "#/definitions/FuzzyHash"},
          "minItems": 1}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"$ref": "#/definitions/BYTE"},
        "DigestValue": {"$ref": "#/definitions/BYTE"},
        "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},

        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"$ref": "#/definitions/IDREFType"},
        "IndicatorExpression":{
         "$ref":"#/definitions/IndicatorExpression"},
        "IndicatorReference":{
         "$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array",
          "items": {"$ref": "#/definitions/NodeRole"},
          "minItems": 1},
        "AttackPhase": {
          "type": "array",
          "items": {"$ref": "#/definitions/AttackPhase"},
          "minItems": 1},
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "allOf": [
        {"required": ["IndicatorID"]},
        {"oneOf": [
          {"required":["Observable"]},
          {"required":["uid-ref"]},
          {"required":["IndicatorExpression"]},
          {"required":["IndicatorReference"]}]}],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["id","name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
          "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorID"},
          "minItems": 1}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "RecordData":  {"$ref": "#/definitions/RecordData"},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
        "oneOf": [
          {"required":["System"]},
          {"required":["Address"]},
          {"required":["DomainData"]},
          {"required":["EmailData"]},
          {"required":["Service"]},
          {"required":["WindowsRegistryKeysModified"]},
          {"required":["FileData"]},
          {"required":["CertificateData"]},
          {"required":["RegistryHandle"]},
          {"required":["RecordData"]},
          {"required":["EventData"]},
          {"required":["Incident"]},
          {"required":["Expectation"]},
          {"required":["Reference"]},
          {"required":["Assessment"]},
          {"required":["DetectionPattern"]},
          {"required":["HistoryItem"]},
          {"required":["BulkObservable"]},
          {"required":["AdditionalData"]}],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
          "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
          "mac","site-uri","domain-name","domain-to-ipv4",
          "domain-to-ipv6","domain-to-ipv4-timestamp",
          "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
          "windows-reg-key","file-hash","email-x-mailer",
          "email-subject","http-user-agent","http-request-url",
          "mutex","file-path","user-name","ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormat":{
          "$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["BulkObservableList"],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "oneOf": [
         {"required": ["Hash"]},
         {"required": ["AdditionalData"]}
      ],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"],"default": "and"},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"},
          "minItems": 1},
        "Observable": {
          "type": "array",
          "items": {"$ref": "#/definitions/Observable"},
          "minItems": 1},
        "uid-ref": {
          "type": "array",
          "items": {"$ref": "#/definitions/IDREFType"},
          "minItems": 1},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"},
          "minItems": 1},
        "Confidence": {"$ref":"#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"$ref":"#/definitions/IDREFType"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "oneOf": [
         {"required": ["uid-ref"]},
         {"required": ["euid-ref"]}
      ],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array",
      "items": {"$ref": "#/definitions/Incident"},
      "minItems": 1},
    "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}

                          Figure 10: 11: JSON schema

Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

   Roman Danyliw
   CERT, Software Engineering Institute, Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   Email: rdd@cert.org

   Mio Suzuki
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp