<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     submissionType="IETF"
     category="std"
     consensus="true"
     docName="draft-ietf-mile-jsoniodef-14"
     number="8727"
     ipr="trust200902"
     obsoletes=""
     updates=""
     xml:lang="en"
     tocInclude="true"
     tocDepth="4"
     symRefs="true"
     sortRefs="true"
     version="3">
  <front>
    <title abbrev="JSON-IODEF">JSON Binding of Incident Object Description Exchange Format</title>
    <seriesInfo name="RFC" value="8727"/>
    <author fullname="Takeshi Takahashi" initials="T."
surname="Takahashi">
      <organization abbrev="NICT">National Institute of Information and Communications Technology</organization>
      <address>
        <postal>
          <extaddr></extaddr>
          <street>4-2-1 Nukui-Kitamachi</street>
          <region>Koganei, Tokyo</region>
          <code>184-8795</code>
          <country>Japan</country>
        </postal>
        <phone>+81 42 327 5862</phone>
        <email>takeshi_takahashi@nict.go.jp</email>
      </address>
    </author>
    <author fullname="Roman Danyliw" initials="R." surname="Danyliw">
      <organization abbrev="CERT">CERT, Software Engineering Institute, Carnegie Mellon University</organization>
      <address>
        <postal>
          <street>4500 Fifth Avenue</street>
          <city>Pittsburgh</city>
          <region>PA</region>
          <country>United States of America</country>
        </postal>
        <email>rdd@cert.org</email>
      </address>
    </author>
    <author fullname="Mio Suzuki" initials="M." surname="Suzuki">
      <organization abbrev="NICT">National Institute of Information and Communications Technology</organization>
      <address>
        <postal>
          <extaddr></extaddr>
          <street>4-2-1 Nukui-Kitamachi</street>
          <region>Koganei, Tokyo</region>
          <code>184-8795</code>
          <country>Japan</country>
        </postal>
        <email>mio@nict.go.jp</email>
      </address>
    </author>
    <date year="2020" month="August"/>
    <area>Security</area>
    <workgroup>MILE</workgroup>
    <keyword>CBOR</keyword>
    <keyword>JSON</keyword>
    <keyword>IODEF</keyword>
    <abstract>
      <t>The Incident Object Description Exchange Format (IODEF) defined in RFC 7970 provides an information model and a corresponding XML data model for exchanging incident and indicator information. This document gives implementers and operators an alternative format to exchange the same information by defining an alternative data model implementation in JSON and its encoding in Concise Binary Object Representation (CBOR).</t>
    </abstract>
  </front>
  <middle>
    <section numbered="true" toc="default">
      <name>Introduction</name>
      <t><xref target="RFC7970" format="default">The Incident Object Description Exchange Format (IODEF)</xref> defines a data representation for security incident reports and indicators commonly exchanged by operational security teams.
It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. An information model using Unified Modeling Language (UML) is defined in <xref target="RFC7970" sectionFormat="of" section="3"/>, and a corresponding Extensible Markup Language (XML) schema data model is defined in <xref target="RFC7970" sectionFormat="of" section="8"/>. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively, in this document.</t>
      <t>IODEF documents are structured and thus suitable for machine processing. They will streamline incident response operations. Another well-used and structured format that is suitable for machine processing is <xref target="RFC8259" format="default">JavaScript Object Notation (JSON)</xref>. To facilitate the automation of incident response operations, IODEF documents and implementations should support JSON representation and its encoding in <xref target="RFC7049" format="default">Concise Binary Object Representation (CBOR)</xref>.</t>
      <t>This document defines an alternate implementation of the IODEF UML information model by specifying a JSON data model using <xref target="RFC8610" format="default">Concise Data Definition Language (CDDL)</xref> and a JSON Schema <xref target="I-D.handrews-json-schema-validation" format="default"/>. This JSON data model is referred to as IODEF JSON in this document. IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information.</t>
      <t>The normative IODEF JSON data model is found in <xref target="cddlSection" format="default"/>.
Sections <xref target="dt" format="counter"/> and <xref target="dm" format="counter"/> describe the data types and elements of this data model. <xref target="examples" format="default"/> provides examples.</t>
      <section numbered="true" toc="default">
        <name>Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
      </section>
    </section>
    <section anchor="dt" numbered="true" toc="default">
      <name>IODEF Data Types</name>
      <t>IODEF JSON implements the abstract data types specified in <xref target="RFC7970" sectionFormat="of" section="2"/>.</t>
      <section numbered="true" toc="default">
        <name>Abstract Data Type to JSON Data Type Mapping</name>
        <t>IODEF JSON uses native and derived JSON data types.
<xref target="dtmap" format="default"/> describes the mapping between the abstract data types in <xref target="RFC7970" sectionFormat="of" section="2"/> and their corresponding implementations in IODEF JSON.</t>
        <table anchor="dtmap" align="left">
          <name>JSON Data Types</name>
          <thead>
            <tr>
              <th>IODEF Data Type</th>
              <th>Reference</th>
              <th>JSON Data Type</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>INTEGER</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.1"/></td>
              <td>integer; see <xref target="integer"/></td>
            </tr>
            <tr>
              <td>REAL</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.2"/></td>
              <td>"number" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>CHARACTER</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>STRING</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>ML_STRING</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.4"/></td>
              <td>see <xref target="ml_string"/></td>
            </tr>
            <tr>
              <td>BYTE</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>BYTE[]</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>HEXBIN</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>HEXBIN[]</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>ENUM</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.6"/></td>
              <td>see <xref target="enum"/></td>
            </tr>
            <tr>
              <td>DATETIME</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.7"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>TIMEZONE</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.8"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>PORTLIST</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.9"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>POSTAL</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.10"/></td>
              <td>ML_STRING; see <xref target="ml_string"/></td>
            </tr>
            <tr>
              <td>PHONE</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.11"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>EMAIL</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.12"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>URL</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.13"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>ID</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>IDREF</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
              <td>"string" per <xref target="RFC8259"/></td>
            </tr>
            <tr>
              <td>SOFTWARE</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.15"/></td>
              <td>see <xref target="software"/></td>
            </tr>
            <tr>
              <td>STRUCTUREDINFO</td>
              <td><xref target="RFC7203" sectionFormat="of" section="4.4"/></td>
              <td>see <xref target="STRUCTUREDINFO"/></td>
            </tr>
            <tr>
              <td>EXTENSION</td>
              <td><xref target="RFC7970" sectionFormat="of" section="2.16"/></td>
              <td>see <xref target="extension"/></td>
            </tr>
          </tbody>
        </table>
        <table anchor="dtmap_cbor" align="left">
          <name>CBOR Data Types</name>
          <thead>
            <tr>
              <th>IODEF Data Type</th>
              <th>CBOR Data Type</th>
              <th>CDDL Prelude <xref target="RFC8610"/></th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td>INTEGER</td>
              <td>0, 1, 6 tag 2, 6 tag 3</td>
              <td>integer</td>
            </tr>
            <tr>
              <td>REAL</td>
              <td>7 bits 26</td>
              <td>float32</td>
            </tr>
            <tr>
              <td>CHARACTER</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>STRING</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>ML_STRING</td>
              <td>5</td>
              <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
            </tr>
            <tr>
              <td>BYTE</td>
              <td>6 tag 22</td>
              <td>eb64legacy</td>
            </tr>
            <tr>
              <td>BYTE[]</td>
              <td>6 tag 22</td>
              <td>eb64legacy</td>
            </tr>
            <tr>
              <td>HEXBIN</td>
              <td>6 tag 23</td>
              <td>eb16</td>
            </tr>
            <tr>
              <td>HEXBIN[]</td>
              <td>6 tag 23</td>
              <td>eb16</td>
            </tr>
            <tr>
              <td>ENUM</td>
              <td>-</td>
              <td>Choices (<xref target="RFC8610" section="2.2.2" sectionFormat="of"/>)</td>
            </tr>
            <tr>
              <td>DATETIME</td>
              <td>6 tag 0</td>
              <td>tdate</td>
            </tr>
            <tr>
              <td>TIMEZONE</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>PORTLIST</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>POSTAL</td>
              <td>3</td>
              <td>ML_STRING (<xref target="ml_string"/>)</td>
            </tr>
            <tr>
              <td>PHONE</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>EMAIL</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>URL</td>
              <td>6 tag 32</td>
              <td>uri</td>
            </tr>
            <tr>
              <td>ID</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>IDREF</td>
              <td>3</td>
              <td>text</td>
            </tr>
            <tr>
              <td>SOFTWARE</td>
              <td>5</td>
              <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
            </tr>
            <tr>
              <td>STRUCTUREDINFO</td>
              <td>5</td>
              <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
            </tr>
            <tr>
              <td>EXTENSION</td>
              <td>5</td>
              <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section numbered="true" toc="default">
        <name>Complex JSON Types</name>
        <section numbered="true" toc="default" anchor="integer">
          <name>Integer</name>
          <t>An integer is a subset of the
"number" type of JSON, which represents signed digits encoded in Base 10. The definition of this integer is "[ minus ] int"inper <xreftarget="RFC8259"/> Section 6 manner.</t>target="RFC8259" sectionFormat="comma" section="6"/>.</t> </section> <sectiontitle="Multilingual Strings">numbered="true" toc="default" anchor="ml_string"> <name>Multilingual Strings</name> <t>A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as either an object with "value", "lang", and "translation-id" elements or a text string as defined in <xreftarget="cddlSection"/>.target="cddlSection" format="default"/>. An example is shown below.</t><figure align="center"><artwork align="left"><![CDATA[<sourcecode type=""><![CDATA[ "MLStringType": { "value": "free-form text", # STRING "lang": "en", # ENUM "translation-id": "jp2en0023" # STRING }]]></artwork></figure>]]></sourcecode> <t>Note that in figures throughout this document, some supplementary information follows "#", but these are not valid syntax inJSON, butJSON; instead, they are intended to facilitate reader understanding.</t> </section> <sectiontitle="Enum">numbered="true" toc="default" anchor="enum"> <name>Enum</name> <t>Enum is an ordered list of acceptable string values. Each value has a representative keyword. Within the data model, the enumerated type keywords are used as attribute values.</t> </section> <sectiontitle="Softwarenumbered="true" toc="default" anchor="software"> <name>Software and SoftwareReference">Reference</name> <t>A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, <xreftarget="RFC3986">atarget="RFC3986" format="default">a Uniform Resource Locator (URL)</xref>, orwithfree-form text. 
The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in <xreftarget="cddlSection"/>.target="cddlSection" format="default"/>. Examples are shown below.</t><figure align="center"><artwork align="left"><![CDATA[<sourcecode type=""><![CDATA[ "SoftwareType": { "SoftwareReference": {...}, # SoftwareReference "Description": ["MS Windows"] # STRING }]]></artwork></figure>]]></sourcecode> <t>SoftwareReference class is a reference to a particular version of software. Examples are shown below.</t><figure align="center"><artwork align="left"><![CDATA[<sourcecode type=""><![CDATA[ "SoftwareReference": { "value": "cpe:/a:google:chrome:59.0.3071.115", # STRING "spec-name": "cpe", # ENUM "dtype": "string" # ENUM }]]></artwork></figure>]]></sourcecode> </section> <sectiontitle="Structured Information" anchor="StructuredInfo">anchor="STRUCTUREDINFO" numbered="true" toc="default"> <name>Structured Information</name> <t>Information provided inathe form of a structured string, such as an ID, or structured information, such as XML documents, is represented in the information model by the STRUCTUREDINFO data type. Note that this type was originally specified inSection 4.4 of<xref target="RFC7203"/>sectionFormat="of" section="4.4"/> as a basic structure of its extension classes. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", and "Reference" elements. 
An example for embedding a structured ID is shown below.</t><figure align="center"><artwork align="left"><![CDATA[ "StructuredInfo":<sourcecode type=""><![CDATA[ "STRUCTUREDINFO": { "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM "ContentID": "CWE-89" # STRING }]]></artwork></figure>]]></sourcecode> <t>When embedding the raw data, it should be encoded as a BYTE type object, as shown below.</t><figure align="center"><artwork align="left"><![CDATA[ "StructuredInfo":<sourcecode type=""><![CDATA[ "STRUCTUREDINFO": { "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM "RawData": "<<< encoded structured data >>>" # BYTE }]]></artwork></figure>]]></sourcecode> <t>When embedding the raw data, base64 encoding defined inSection 4 of<xreftarget="RFC4648"/> MUSTtarget="RFC4648" sectionFormat="of" section="4"/> <bcp14>MUST</bcp14> be used for JSON IODEF while binary representationMUST<bcp14>MUST</bcp14> be used for CBOR IODEF.</t> </section> <sectiontitle="EXTENSION">numbered="true" toc="default" anchor="extension"> <name>EXTENSION</name> <t>Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below.</t><figure align="center"><artwork align="left"><![CDATA[<sourcecode type=""><![CDATA[ "ExtensionType": { "value": "xxxxxxx", # STRING "name": "Syslog", # STRING "dtype": "string", # ENUM "meaning": "Syslog from the security appliance X" # STRING }]]></artwork></figure>]]></sourcecode> <t>Note that this data type is specified in <xref target="RFC7970"/>format="default"/> as its generic extension mechanism. 
If a data item has internal structure that is intended to be processed outside of the IODEF framework, one may consider usingStructuredInfothe STRUCTUREDINFO data type mentioned in <xreftarget="StructuredInfo"/>.</t>target="STRUCTUREDINFO" format="default"/>.</t> </section> </section> </section> <sectiontitle="IODEFanchor="dm" numbered="true" toc="default"> <name>IODEF JSON DataModel" anchor="dm">Model</name> <sectiontitle="Classesnumbered="true" toc="default"> <name>Classes andElements">Elements</name> <t> The following table shows the list of IODEFClasses,classes and theirelements,elements and the correspondingsectionsections in <xref target="RFC7970"/>.format="default"/>. Note that the complete JSON schema is defined in <xreftarget="cddlSection"/>target="cddlSection" format="default"/> using CDDL.</t><figure align="center"<table anchor="iodef_classes"title="IODEF Classes"><artwork align="left"><![CDATA[ +-----------------------------+--------------------+---------------+ | IODEF Class | Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenerationTime | | | | Description* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? 
| | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*, | | | | ContactTitle* | | | | Description* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle | | | | registry | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type? | | | | ext-type? | | | | PAddress | | | | Description* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? 
| | | | ext-type? | | | | TelephoneNumber | | | | Description* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | | | | AdditionalData* | 3.11 | +-----------------------------+--------------------+---------------+ | Weakness (TBD) | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigatingFactor* | | | | Cause* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | 3.12.2 | +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? 
| | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | System* | | | | Expectation* | | | | RecordData* | | | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? 
| | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | AdditionalData* | 3.17 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Counter* | 3.18 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.18.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | | | Description* | 3.18.2 | +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | duration? | | | | ext-duration? | 3.18.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate? | | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.19 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.19.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.19.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField*| | | | EmailData? | | | | Application? | 3.20 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? 
| | | | URL* | | | | Description* | 3.20.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | | | EmailFrom? | | | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.21 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Application? | | | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.22.1 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.22.2 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.23 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.23.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.24 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | | | Description* | 3.24.1 | +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.25 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? 
| | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.25.1 | +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.26 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.26.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData* | 3.26.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.29 | +-----------------------------+--------------------+---------------+ | IndicatorID | id | | | | name | | | | version | 3.29.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorID+ | 3.29.2 | +-----------------------------+--------------------+---------------+ | Observable | restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData* | 3.29.3 | +-----------------------------+--------------------+---------------+ | BulkObservable | type? | | | | ext-type? 
| | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData* | 3.29.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? | | | | AdditionalData* | 3.29.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData* | 3.29.6 | +-----------------------------+--------------------+---------------+ | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.29.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.29.8 | +-----------------------------+--------------------+---------------+ ]]></artwork></figure>align="left"> <name>IODEF Classes</name> <thead> <tr> <th>IODEF Class</th> <th>Class, Element, and Attribute</th> <th>Section in <xref target="RFC7970"/></th> </tr> </thead> <tbody> <tr> <td>IODEF-Document</td> <td><ul bare="true" empty="true" spacing="compact"> <li>version</li> <li>lang?</li> <li>format-id?</li> <li>private-enum-name?</li> <li>private-enum-id?</li> <li>Incident+</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.1"/></td> </tr> <tr> <td>Incident</td> <td><ul bare="true" empty="true" spacing="compact"> <li>purpose</li> <li>ext-purpose?</li> <li>status?</li> <li>ext-status?</li> <li>lang?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>IncidentID</li> <li>AlternativeID?</li> <li>RelatedActivity*</li> <li>DetectTime?</li> <li>StartTime?</li> <li>EndTime?</li> <li>RecoveryTime?</li> <li>ReportTime?</li> <li>GenerationTime</li> <li>Description*</li> <li>Discovery*</li> <li>Assessment*</li> <li>Method*</li> <li>Contact+</li> <li>EventData*</li> <li>Indicator*</li> <li>History?</li> 
<li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.2"/></td> </tr> <tr> <td>IncidentID</td> <td><ul bare="true" empty="true" spacing="compact"> <li>id</li> <li>name</li> <li>instance?</li> <li>restriction?</li> <li>ext-restriction?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.4"/></td> </tr> <tr> <td>AlternativeID</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>IncidentID+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.5"/></td> </tr> <tr> <td>RelatedActivity</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>IncidentID*</li> <li>URL*</li> <li>ThreatActor*</li> <li>Campaign*</li> <li>IndicatorID*</li> <li>Confidence?</li> <li>Description*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.6"/></td> </tr> <tr> <td>ThreatActor</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>ThreatActorID*</li> <li>URL*</li> <li>Description*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.7"/></td> </tr> <tr> <td>Campaign</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>CampaignID*</li> <li>URL*</li> <li>Description*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.8"/></td> </tr> <tr> <td>Contact</td> <td><ul bare="true" empty="true" spacing="compact"> <li>role</li> <li>ext-role?</li> <li>type</li> <li>ext-type?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>ContactName*</li> <li>ContactTitle*</li> <li>Description*</li> <li>RegistryHandle*</li> <li>PostalAddress*</li> <li>Email*</li> <li>Telephone*</li> <li>Timezone?</li> <li>Contact*</li> <li>AdditionalData*</li> </ul></td> <td><xref 
target="RFC7970" sectionFormat="bare" section="3.9"/></td> </tr> <tr> <td>RegistryHandle</td> <td><ul bare="true" empty="true" spacing="compact"> <li>handle</li> <li>registry</li> <li>ext-registry?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.1"/></td> </tr> <tr> <td>PostalAddress</td> <td><ul bare="true" empty="true" spacing="compact"> <li>type?</li> <li>ext-type?</li> <li>PAddress</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.2"/></td> </tr> <tr> <td>Email</td> <td><ul bare="true" empty="true" spacing="compact"> <li>type?</li> <li>ext-type?</li> <li>EmailTo</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.3"/></td> </tr> <tr> <td>Telephone</td> <td><ul bare="true" empty="true" spacing="compact"> <li>type?</li> <li>ext-type?</li> <li>TelephoneNumber</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.4"/></td> </tr> <tr> <td>Discovery</td> <td><ul bare="true" empty="true" spacing="compact"> <li>source?</li> <li>ext-source?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>Description*</li> <li>Contact*</li> <li>DetectionPattern*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.10"/></td> </tr> <tr> <td>DetectionPattern</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>Application</li> <li>Description*</li> <li>DetectionConfiguration*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.10.1"/></td> </tr> <tr> <td>Method</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>Reference*</li> <li>Description*</li> <li>AttackPattern*</li> <li>Vulnerability*</li> <li>Weakness*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.11"/></td> </tr> <tr> 
<td>Weakness</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> </ul></td> <td><xref target="RFC7203" sectionFormat="bare" section="4.5.5"/> in <xref target="RFC7203"/></td> </tr> <tr> <td>Reference</td> <td><ul bare="true" empty="true" spacing="compact"> <li>observable-id?</li> <li>ReferenceName?</li> <li>URL*</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.11.1"/></td> </tr> <tr> <td>Assessment</td> <td><ul bare="true" empty="true" spacing="compact"> <li>occurrence?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>IncidentCategory*</li> <li>SystemImpact*</li> <li>BusinessImpact*</li> <li>TimeImpact*</li> <li>MonetaryImpact*</li> <li>IntendedImpact*</li> <li>Counter*</li> <li>MitigatingFactor*</li> <li>Cause*</li> <li>Confidence?</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.12"/></td> </tr> <tr> <td>SystemImpact</td> <td><ul bare="true" empty="true" spacing="compact"> <li>severity?</li> <li>completion?</li> <li>type</li> <li>ext-type?</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.1"/></td> </tr> <tr> <td>BusinessImpact</td> <td><ul bare="true" empty="true" spacing="compact"> <li>severity?</li> <li>ext-severity?</li> <li>type</li> <li>ext-type?</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.2"/></td> </tr> <tr> <td>TimeImpact</td> <td><ul bare="true" empty="true" spacing="compact"> <li>value</li> <li>severity?</li> <li>metric</li> <li>ext-metric?</li> <li>duration?</li> <li>ext-duration?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.3"/></td> </tr> <tr> <td>MonetaryImpact</td> <td><ul bare="true" empty="true" spacing="compact"> <li>value</li> <li>severity?</li> <li>currency?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" 
section="3.12.4"/></td> </tr> <tr> <td>Confidence</td> <td><ul bare="true" empty="true" spacing="compact"> <li>value</li> <li>rating</li> <li>ext-rating?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.5"/></td> </tr> <tr> <td>History</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>HistoryItem+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.13"/></td> </tr> <tr> <td>HistoryItem</td> <td><ul bare="true" empty="true" spacing="compact"> <li>action</li> <li>ext-action?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>DateTime</li> <li>IncidentID?</li> <li>Contact?</li> <li>Description*</li> <li>DefinedCOA*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.13.1"/></td> </tr> <tr> <td>EventData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>Description*</li> <li>DetectTime?</li> <li>StartTime?</li> <li>EndTime?</li> <li>RecoveryTime?</li> <li>ReportTime?</li> <li>Contact*</li> <li>Discovery*</li> <li>Assessment?</li> <li>Method*</li> <li>System*</li> <li>Expectation*</li> <li>RecordData*</li> <li>EventData*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.14"/></td> </tr> <tr> <td>Expectation</td> <td><ul bare="true" empty="true" spacing="compact"> <li>action?</li> <li>ext-action?</li> <li>severity?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>Description*</li> <li>DefinedCOA*</li> <li>StartTime?</li> <li>EndTime?</li> <li>Contact?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.15"/></td> </tr> <tr> <td>System</td> <td><ul bare="true" empty="true" spacing="compact"> <li>category?</li> <li>ext-category?</li> <li>interface?</li> <li>spoofed?</li> <li>virtual?</li> 
<li>ownership?</li> <li>ext-ownership?</li> <li>restriction?</li> <li>ext-restriction?</li> <li>Node</li> <li>NodeRole*</li> <li>Service*</li> <li>OperatingSystem*</li> <li>Counter*</li> <li>AssetID*</li> <li>Description*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.17"/></td> </tr> <tr> <td>Node</td> <td><ul bare="true" empty="true" spacing="compact"> <li>DomainData*</li> <li>Address*</li> <li>PostalAddress?</li> <li>Location*</li> <li>Counter*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.18"/></td> </tr> <tr> <td>Address</td> <td><ul bare="true" empty="true" spacing="compact"> <li>value</li> <li>category</li> <li>ext-category?</li> <li>vlan-name?</li> <li>vlan-num?</li> <li>observable-id?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.18.1"/></td> </tr> <tr> <td>NodeRole</td> <td><ul bare="true" empty="true" spacing="compact"> <li>category</li> <li>ext-category?</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.18.2"/></td> </tr> <tr> <td>Counter</td> <td><ul bare="true" empty="true" spacing="compact"> <li>value</li> <li>type</li> <li>ext-type?</li> <li>unit</li> <li>ext-unit?</li> <li>meaning?</li> <li>duration?</li> <li>ext-duration?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.18.3"/></td> </tr> <tr> <td>DomainData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>system-status</li> <li>ext-system-status?</li> <li>domain-status</li> <li>ext-domain-status?</li> <li>observable-id?</li> <li>Name</li> <li>DateDomainWasChecked?</li> <li>RegistrationDate?</li> <li>ExpirationDate?</li> <li>RelatedDNS*</li> <li>Nameservers*</li> <li>DomainContacts?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.19"/></td> </tr> <tr> <td>Nameservers</td> <td><ul bare="true" empty="true" spacing="compact"> <li>Server</li> <li>Address*</li> </ul></td> <td><xref 
target="RFC7970" sectionFormat="bare" section="3.19.1"/></td> </tr> <tr> <td>DomainContacts</td> <td><ul bare="true" empty="true" spacing="compact"> <li>SameDomainContact?</li> <li>Contact+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.19.2"/></td> </tr> <tr> <td>Service</td> <td><ul bare="true" empty="true" spacing="compact"> <li>ip-protocol?</li> <li>observable-id?</li> <li>ServiceName?</li> <li>Port?</li> <li>Portlist?</li> <li>ProtoCode?</li> <li>ProtoType?</li> <li>ProtoField?</li> <li>ApplicationHeaderField*</li> <li>EmailData?</li> <li>Application?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.20"/></td> </tr> <tr> <td>ServiceName</td> <td><ul bare="true" empty="true" spacing="compact"> <li>IANAService?</li> <li>URL*</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.20.1"/></td> </tr> <tr> <td>EmailData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>observable-id?</li> <li>EmailTo*</li> <li>EmailFrom?</li> <li>EmailSubject?</li> <li>EmailX-Mailer?</li> <li>EmailHeaderField*</li> <li>EmailHeaders?</li> <li>EmailBody?</li> <li>EmailMessage?</li> <li>HashData*</li> <li>Signature*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.21"/></td> </tr> <tr> <td>RecordData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>DateTime?</li> <li>Description*</li> <li>Application?</li> <li>RecordPattern*</li> <li>RecordItem*</li> <li>URL*</li> <li>FileData*</li> <li>WindowsRegistryKeysModified*</li> <li>CertificateData*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.22.1"/></td> </tr> <tr> <td>RecordPattern</td> <td><ul bare="true" empty="true" spacing="compact"> <li>type</li> <li>ext-type?</li> <li>offset?</li> <li>offsetunit?</li> <li>ext-offsetunit?</li> <li>instance?</li> <li>value</li> 
</ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.22.2"/></td> </tr> <tr> <td>WindowsRegistryKeysModified</td> <td><ul bare="true" empty="true" spacing="compact"> <li>observable-id?</li> <li>Key+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.23"/></td> </tr> <tr> <td>Key</td> <td><ul bare="true" empty="true" spacing="compact"> <li>registryaction?</li> <li>ext-registryaction?</li> <li>observable-id?</li> <li>KeyName</li> <li>KeyValue?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.23.1"/></td> </tr> <tr> <td>CertificateData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>Certificate+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.24"/></td> </tr> <tr> <td>Certificate</td> <td><ul bare="true" empty="true" spacing="compact"> <li>observable-id?</li> <li>X509Data</li> <li>Description*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.24.1"/></td> </tr> <tr> <td>FileData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>observable-id?</li> <li>File+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.25"/></td> </tr> <tr> <td>File</td> <td><ul bare="true" empty="true" spacing="compact"> <li>observable-id?</li> <li>FileName?</li> <li>FileSize?</li> <li>FileType?</li> <li>URL*</li> <li>HashData?</li> <li>Signature*</li> <li>AssociatedSoftware?</li> <li>FileProperties*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.25.1"/></td> </tr> <tr> <td>HashData</td> <td><ul bare="true" empty="true" spacing="compact"> <li>scope</li> <li>HashTargetID?</li> <li>Hash*</li> <li>FuzzyHash*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.26"/></td> </tr> <tr> <td>Hash</td> <td><ul bare="true" empty="true" spacing="compact"> <li>DigestMethod</li> 
<li>DigestValue</li> <li>CanonicalizationMethod?</li> <li>Application?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.26.1"/></td> </tr> <tr> <td>FuzzyHash</td> <td><ul bare="true" empty="true" spacing="compact"> <li>FuzzyHashValue+</li> <li>Application?</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.26.2"/></td> </tr> <tr> <td>Indicator</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>IndicatorID</li> <li>AlternativeIndicatorID*</li> <li>Description*</li> <li>StartTime?</li> <li>EndTime?</li> <li>Confidence?</li> <li>Contact*</li> <li>Observable?</li> <li>uid-ref?</li> <li>IndicatorExpression?</li> <li>IndicatorReference?</li> <li>NodeRole*</li> <li>AttackPhase*</li> <li>Reference*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29"/></td> </tr> <tr> <td>IndicatorID</td> <td><ul bare="true" empty="true" spacing="compact"> <li>id</li> <li>name</li> <li>version</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.1"/></td> </tr> <tr> <td>AlternativeIndicatorID</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>IndicatorID+</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.2"/></td> </tr> <tr> <td>Observable</td> <td><ul bare="true" empty="true" spacing="compact"> <li>restriction?</li> <li>ext-restriction?</li> <li>System?</li> <li>Address?</li> <li>DomainData?</li> <li>Service?</li> <li>EmailData?</li> <li>WindowsRegistryKeysModified?</li> <li>FileData?</li> <li>CertificateData?</li> <li>RegistryHandle?</li> <li>RecordData?</li> <li>EventData?</li> <li>Incident?</li> <li>Expectation?</li> <li>Reference?</li> <li>Assessment?</li> <li>DetectionPattern?</li> <li>HistoryItem?</li> <li>BulkObservable?</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" 
sectionFormat="bare" section="3.29.3"/></td> </tr> <tr> <td>BulkObservable</td> <td><ul bare="true" empty="true" spacing="compact"> <li>type?</li> <li>ext-type?</li> <li>BulkObservableFormat?</li> <li>BulkObservableList</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1"/></td> </tr> <tr> <td>BulkObservableFormat</td> <td><ul bare="true" empty="true" spacing="compact"> <li>Hash?</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1.1"/></td> </tr> <tr> <td>IndicatorExpression</td> <td><ul bare="true" empty="true" spacing="compact"> <li>operator?</li> <li>ext-operator?</li> <li>IndicatorExpression*</li> <li>Observable*</li> <li>uid-ref*</li> <li>IndicatorReference*</li> <li>Confidence?</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.4"/></td> </tr> <tr> <td>IndicatorReference</td> <td><ul bare="true" empty="true" spacing="compact"> <li>uid-ref?</li> <li>euid-ref?</li> <li>version?</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.7"/></td> </tr> <tr> <td>AttackPhase</td> <td><ul bare="true" empty="true" spacing="compact"> <li>AttackPhaseID*</li> <li>URL*</li> <li>Description*</li> <li>AdditionalData*</li> </ul></td> <td><xref target="RFC7970" sectionFormat="bare" section="3.29.8"/></td> </tr> </tbody> </table> </section> <section anchor="mapping" numbered="true" toc="default"> <name>Mapping between JSON and XML IODEF</name> <ul spacing="normal"> <li>Attributes and elements of each class in the XML IODEF document are both presented as JSON attributes in the JSON IODEF document, and the order of their appearance is ignored.</li> <li>Flow class is deleted, and classes with its instances now directly have instances of the EventData class that used to belong to the Flow class.</li> 
<li>ApplicationHeader class is deleted, and classes with its instances now directly have instances of the ApplicationHeaderField class that used to belong to the ApplicationHeader class.</li> <li>SignatureData class is deleted, and classes with its instances now directly have instances of the Signature class that used to belong to the SignatureData class.</li> <li>IndicatorData class is deleted, and classes with its instances now directly have instances of the Indicator class that used to belong to the IndicatorData class.</li> <li>ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element.</li> <li>Record class is deleted, and classes with its instances now directly have instances of the RecordData class that used to belong to the Record class.</li> <li>The MLStringType was modified to support simple strings by allowing the type to have not only a predefined object type but also a text type, in order to allow simple descriptions of elements of the type. Implementations need to be capable of parsing an MLStringType that can take the form of either text or an object.</li> <li>The elements of the ML_STRING type in the XML IODEF document are presented as either STRING type or ML_STRING type in the JSON IODEF document. When converting from the XML IODEF document to the JSON IODEF document, or vice versa, the information contained in the original data of the ML_STRING type must be preserved. 
When STRING is used instead of ML_STRING, parsers can assume that its "xml:lang" is set to "en".</li> <li>Data models of the extension classes defined by <xref target="RFC7203" format="default"/> and referenced by <xref target="RFC7970" format="default"/> are represented by the STRUCTUREDINFO class defined in this document.</li> <li>Signature, X509Data, and RawData are encoded using base64 encoding for JSON IODEF and binary representation for CBOR IODEF to represent them as BYTE objects.</li> <li>EmailBody represents a whole message body including MIME structure in the same manner defined in <xref target="RFC7970" format="default"/>. In case of an email composed of a MIME multipart, the EmailBody contains multiple body parts separated by boundary strings.</li> <li>The "ipv6-net-mask" type attribute of the BulkObservable class remains available for the purpose of backward compatibility, but the use of this attribute is not recommended because IPv6 does not use netmask anymore.</li> <li>ENUM values in this document are extensible and managed by IANA, which is also the case in <xref target="RFC7970" format="default"/>. The values in the table are used both by <xref target="RFC7970" format="default"/> implementations and by their JSON (and CBOR) bindings as specified by this document.</li> <li>This document uses JSON's "number" type to represent integers, which only has full precision for integer values between -2<sup>53</sup> and 2<sup>53</sup>. Implementations that handle integers outside this range need to account for this loss of precision.</li> <li>Binaries are encoded in bytes. 
Note that XML IODEF in <xref target="RFC7970" format="default"/> uses HEXBIN because XML cannot embed binary data as is.</li> </ul> </section> </section> <section anchor="examples" numbered="true" toc="default"> <name>Examples</name> <t> This section provides examples of IODEF documents. These examples do not represent the full capabilities of the data model or the only way to encode particular information. </t> <section numbered="true" toc="default"> <name>Minimal Example</name> <t>A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively.</t> <figure anchor="minimal_example_json"> <name>A Minimal Example in JSON</name> <sourcecode type="json"><![CDATA[ { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "reporting", "restriction": "private", "IncidentID": { "id": "492382", "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [{ "type": "organization", "role": "creator", "Email": [{"EmailTo": "contact@csirt.example.com"}] }] }] }]]></sourcecode> </figure> <figure anchor="minimal_example_cbor"> <name>A Minimal Example in CBOR</name> <sourcecode type="cbor"><![CDATA[ A3 # map(3) 37 # negative(23) 63 # text(3) 322E30 # "2.0" 36 # negative(22) 62 # text(2) 656E # "en" 32 # negative(18) 81 # array(1) A5 # map(5) 21 # negative(1) 69 # text(9) 7265706F7274696E67 # "reporting" 29 # negative(9) 67 # text(7) 70726976617465 # "private" 02 # unsigned(2) A2 # map(2) 12 # unsigned(18) 66 # text(6) 343932333832 # "492382" 2E # negative(14) 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 0A # unsigned(10) 78 19 # text(25) 323031352D30372D31385430393A30303A30302D30353A3030 
#"2015-07-18T09:00:00-05:00""2015-07-18T09:00:00 # -05:00" 0E # unsigned(14) 81 # array(1) A3 # map(3) 18 1C # unsigned(28) 6C # text(12) 6F7267616E697A6174696F6E # "organization" 18 1A # unsigned(26) 67 # text(7) 63726561746F72 # "creator" 18 22 # unsigned(34) 81 # array(1) A1 # map(1) 18 29 # unsigned(41) 78 19 # text(25)636F6E746163744063736972742E6578616D706C652E636F6D636F6E746163744063736972742E6578616D70 6C652E636F6D # "contact@csirt.example.com"]]></artwork>]]></sourcecode> </figure> </section> <sectiontitle="Indicatorsnumbered="true" toc="default"> <name>Indicators from aCampaign">Campaign</name> <t>An example of C2 domains from a given campaign is shown below in JSON and CBOR, respectively.</t> <figurealign="center" anchor="campaign_example_json" title="Indicatorsanchor="campaign_example_json"> <name>Indicators from a Campaign inJSON"> <artwork align="left"><![CDATA[JSON</name> <sourcecode type="json"><![CDATA[ { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [{ "ThreatActor": [{ "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "Description": ["Aggressive Butterfly"]}], "Campaign": [{ "CampaignID": ["C-2015-59405"], "Description": ["Orange Giraffe"] }] }], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."], "Assessment": [{ "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] }], "Contact": [{ "type": "organization", "role": "creator", "ContactName": ["CSIRT for example.com"], "Email": [{ "EmailTo": "contact@csirt.example.com" }] }], "Indicator": [{ "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": ["C2 domains"], "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { "type": "domain-name", "BulkObservableList": 
"kj290023j09r34.example.com"} } }] }]}]]></artwork>}]]></sourcecode> </figure> <figurealign="center" anchor="campaign_example_cbor" title="Indicatorsanchor="campaign_example_cbor"> <name>Indicators from a Campaign inCBOR"> <artwork align="left"><![CDATA[CBOR</name> <sourcecode type="cbor"><![CDATA[ A3 # map(3) 37 # negative(23) 63 # text(3) 322E30 # "2.0" 36 # negative(22) 62 # text(2) 656E # "en" 32 # negative(18) 81 # array(1) A9 # map(9) 21 # negative(1) 65 # text(5) 7761746368 # "watch" 29 # negative(9) 65 # text(5) 677265656E # "green" 02 # unsigned(2) A2 # map(2) 12 # unsigned(18) 66 # text(6) 383937393233 # "897923" 2E # negative(14) 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 04 # unsigned(4) 81 # array(1) A2 # map(2) 14 # unsigned(20) 81 # array(1) A2 # map(2) 18 18 # unsigned(24) 81 # array(1) 78 1A # text(26)54412D31322D414747524553534956452D425554544552464C5954412D31322D414747524553534956452D4 25554544552464C59 #"TA-12-AGGRESSIVE-BUTTERFLY""TA-12-AGGRESSIVE # -BUTTERFLY" 24 # negative(4) 81 # array(1) 74 # text(20)4167677265737369766520427574746572666C7941676772657373697665204275747465726 66C79 # "Aggressive Butterfly" 15 # unsigned(21) 81 # array(1) A2 # map(2) 18 19 # unsigned(25) 81 # array(1) 6C # text(12) 432D323031352D3539343035 # "C-2015-59405" 24 # negative(4) 81 # array(1) 6E # text(14) 4F72616E67652047697261666665 # "Orange Giraffe" 0A # unsigned(10) 78 19 # text(25) 323031352D31302D30325431313A31383A30302D30353A3030 # "2015-10-02T11:18:00-05:00" 24 # negative(4) 81 # array(1) 78 6F # text(111)53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E53756D6D6172697A65732074686520496E64696361746F7 273206F6620436F6D70726F6D69736520666F7220746865 204F72616E676520476972616666652063616D706169676 E206F662074686520416767726573736976652042757474 
6572666C79206372696D652067616E672E # "Summarizes the Indicators
                                   # of Compromise for the
                                   # Orange Giraffe campaign
                                   # of the Aggressive
                                   # Butterfly crime gang."
        0C # unsigned(12)
          81 # array(1)
            A1 # map(1)
              18 3F # unsigned(63)
                81 # array(1)
                  A1 # map(1)
                    18 41 # unsigned(65)
                      A1 # map(1)
                        18 1C # unsigned(28)
                          72 # text(18)
                            6272656163682D70726F7072696574617279 # "breach-proprietary"
        0E # unsigned(14)
          81 # array(1)
            A4 # map(4)
              18 1C # unsigned(28)
                6C # text(12)
                  6F7267616E697A6174696F6E # "organization"
              18 1A # unsigned(26)
                67 # text(7)
                  63726561746F72 # "creator"
              18 1E # unsigned(30)
                81 # array(1)
                  75 # text(21)
                    435349525420666F72206578616D706C652E636F6D # "CSIRT for example.com"
              18 22 # unsigned(34)
                81 # array(1)
                  A1 # map(1)
                    18 29 # unsigned(41)
                      78 19 # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com"
        10 # unsigned(16)
          81 # array(1)
            A4 # map(4)
              16 # unsigned(22)
                A3 # map(3)
                  12 # unsigned(18)
                    69 # text(9)
                      473930383233343930 # "G90823490"
                  2E # negative(14)
                    71 # text(17)
                      63736972742E6578616D706C652E636F6D # "csirt.example.com"
                  37 # negative(23)
                    61 # text(1)
                      31 # "1"
              24 # negative(4)
                81 # array(1)
                  6A # text(10)
                    433220646F6D61696E73 # "C2 domains"
              06 # unsigned(6)
                78 19 # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030 # "2014-12-02T11:18:00-05:00"
              18 AB # unsigned(171)
                A1 # map(1)
                  18 B0 # unsigned(176)
                    A2 # map(2)
                      18 1C # unsigned(28)
                        6B # text(11)
                          646F6D61696E2D6E616D65 # "domain-name"
                      18 B2 # unsigned(178)
                        78 1A # text(26)
                          6B6A3239303032336A30397233342E6578616D706C652E636F6D # "kj290023j09r34.example.com"
]]></artwork>
</figure>
</section>
</section>
<section title="Mapkeys" anchor="mapkeys">
<t>The mapkeys are provided in Table <xref target="fig_mapkeys"/> for minimizing the CBOR size.</t>
<figure align="center" anchor="fig_mapkeys" title="Mapkeys">
<artwork align="left"><![CDATA[
+-----------------------------------+-------+
|mapkey |cborkey|
+-----------------------------------+-------+
| iodef-version | -24 | |
iodef-lang | -23 | | iodef-format-id | -22 | | iodef-private-enum-name | -21 | | iodef-private-enum-id | -20 | | iodef-Incident | -19 | | iodef-AdditionalData | -18 | | iodef-value | -17 | | iodef-translation-id | -16 | | iodef-name | -15 | | iodef-dtype | -14 | | iodef-ext-dtype | -13 | | iodef-meaning | -12 | | iodef-formatid | -11 | | iodef-restriction | -10 | | iodef-ext-restriction | -9 | | iodef-observable-id | -8 | | iodef-SoftwareReference | -7 | | iodef-URL | -6 | | iodef-Description | -5 | | iodef-spec-name | -4 | | iodef-ext-spec-name | -3 | | iodef-purpose | -2 | | iodef-ext-purpose | -1 | | iodef-status | 0 | | iodef-ext-status | 1 | | iodef-IncidentID | 2 | | iodef-AlternativeID | 3 | | iodef-RelatedActivity | 4 | | iodef-DetectTime | 5 | | iodef-StartTime | 6 | | iodef-EndTime | 7 | | iodef-RecoveryTime | 8 | | iodef-ReportTime | 9 | | iodef-GenerationTime | 10 | | iodef-Discovery | 11 | | iodef-Assessment | 12 | | iodef-Method | 13 | | iodef-Contact | 14 | | iodef-EventData | 15 | | iodef-Indicator | 16 | | iodef-History | 17 | | iodef-id | 18 | | iodef-instance | 19 | | iodef-ThreatActor | 20 | | iodef-Campaign | 21 | | iodef-IndicatorID | 22 | | iodef-Confidence | 23 | | iodef-ThreatActorID | 24 | | iodef-CampaignID | 25 | | iodef-role | 26 | | iodef-ext-role | 27 | | iodef-type | 28 | | iodef-ext-type | 29 | | iodef-ContactName | 30 | | iodef-ContactTitle | 31 | | iodef-RegistryHandle | 32 | | iodef-PostalAddress | 33 | | iodef-Email | 34 | | iodef-Telephone | 35 | | iodef-Timezone | 36 | | iodef-handle | 37 | | iodef-registry | 38 | | iodef-ext-registry | 39 | | iodef-PAddress | 40 | | iodef-EmailTo | 41 | | iodef-TelephoneNumber | 42 | | iodef-source | 43 | | iodef-ext-source | 44 | | iodef-DetectionPattern | 45 | | iodef-DetectionConfiguration | 46 | | iodef-Application | 47 | | iodef-Reference | 48 | | iodef-AttackPattern | 49 | | iodef-Vulnerability | 50 | | iodef-Weakness | 51 | | iodef-SpecID | 52 | | iodef-ext-SpecID | 53 | | 
iodef-ContentID | 54 | | iodef-RawData | 55 | | iodef-Platform | 56 | | iodef-Scoring | 57 | | iodef-ReferenceName | 58 | | iodef-specIndex | 59 | | iodef-ID | 60 | | iodef-occurrence | 61 | | iodef-IncidentCategory | 62 | | iodef-Impact | 63 | | iodef-SystemImpact | 64 | | iodef-BusinessImpact | 65 | | iodef-TimeImpact | 66 | | iodef-MonetaryImpact | 67 | | iodef-IntendedImpact | 68 | | iodef-Counter | 69 | | iodef-MitigatingFactor | 70 | | iodef-Cause | 71 | | iodef-severity | 72 | | iodef-completion | 73 | | iodef-ext-severity | 74 | | iodef-metric | 75 | | iodef-ext-metric | 76 | | iodef-duration | 77 | | iodef-ext-duration | 78 | | iodef-currency | 79 | | iodef-rating | 80 | | iodef-ext-rating | 81 | | iodef-HistoryItem | 82 | | iodef-action | 83 | | iodef-ext-action | 84 | | iodef-DateTime | 85 | | iodef-DefinedCOA | 86 | | iodef-System | 87 | | iodef-Expectation | 88 | | iodef-RecordData | 89 | | iodef-category | 90 | | iodef-ext-category | 91 | | iodef-interface | 92 | | iodef-spoofed | 93 | | iodef-virtual | 94 | | iodef-ownership | 95 | | iodef-ext-ownership | 96 | | iodef-Node | 97 | | iodef-NodeRole | 98 | | iodef-Service | 99 | | iodef-OperatingSystem | 100 | | iodef-AssetID | 101 | | iodef-DomainData | 102 | | iodef-Address | 103 | | iodef-Location | 104 | | iodef-vlan-name | 105 | | iodef-vlan-num | 106 | | iodef-unit | 107 | | iodef-ext-unit | 108 | | iodef-system-status | 109 | | iodef-ext-system-status | 110 | | iodef-domain-status | 111 | | iodef-ext-domain-status | 112 | | iodef-Name | 113 | | iodef-DateDomainWasChecked | 114 | | iodef-RegistrationDate | 115 | | iodef-ExpirationDate | 116 | | iodef-RelatedDNS | 117 | | iodef-NameServers | 118 | | iodef-DomainContacts | 119 | | iodef-Server | 120 | | iodef-SameDomainContact | 121 | | iodef-ip-protocol | 122 | | iodef-ServiceName | 123 | | iodef-Port | 124 | | iodef-Portlist | 125 | | iodef-ProtoCode | 126 | | iodef-ProtoType | 127 | | iodef-ProtoField | 128 | | iodef-ApplicationHeaderField | 129 
| | iodef-EmailData | 130 | | iodef-IANAService | 131 | | iodef-EmailFrom | 132 | | iodef-EmailSubject | 133 | | iodef-EmailX-Mailer | 134 | | iodef-EmailHeaderField | 135 | | iodef-EmailHeaders | 136 | | iodef-EmailBody | 137 | | iodef-EmailMessage | 138 | | iodef-HashData | 139 | | iodef-Signature | 140 | | iodef-RecordPattern | 141 | | iodef-RecordItem | 142 | | iodef-FileData | 143 | | iodef-WindowsRegistryKeysModified | 144 | | iodef-CertificateData | 145 | | iodef-offset | 146 | | iodef-offsetunit | 147 | | iodef-ext-offsetunit | 148 | | iodef-Key | 149 | | iodef-registryaction | 150 | | iodef-ext-registryaction | 151 | | iodef-KeyName | 152 | | iodef-KeyValue | 153 | | iodef-Certificate | 154 | | iodef-X509Data | 155 | | iodef-File | 156 | | iodef-FileName | 157 | | iodef-FileSize | 158 | | iodef-FileType | 159 | | iodef-AssociatedSoftware | 160 | | iodef-FileProperties | 161 | | iodef-scope | 162 | | iodef-HashTargetID | 163 | | iodef-Hash | 164 | | iodef-FuzzyHash | 165 | | iodef-DigestMethod | 166 | | iodef-DigestValue | 167 | | iodef-CanonicalizationMethod | 168 | | iodef-FuzzyHashValue | 169 | | iodef-AlternativeIndicatorID | 170 | | iodef-Observable | 171 | | iodef-uid-ref | 172 | | iodef-IndicatorExpression | 173 | | iodef-IndicatorReference | 174 | | iodef-AttackPhase | 175 | | iodef-BulkObservable | 176 | | iodef-BulkObservableFormat | 177 | | iodef-BulkObservableList | 178 | | iodef-operator | 179 | | iodef-ext-operator | 180 | | iodef-euid-ref | 181 | | iodef-AttackPhaseID | 182 | +-----------------------------------+-------+
]]></artwork>
              18 1E # unsigned(30)
                81 # array(1)
                  75 # text(21)
                    435349525420666F72206578616D706C652E636F6D # "CSIRT for example.com"
              18 22 # unsigned(34)
                81 # array(1)
                  A1 # map(1)
                    18 29 # unsigned(41)
                      78 19 # text(25)
                        636F6E746163744063736972742E6578616D70
                        6C652E636F6D # "contact@csirt.example.com"
        10 # unsigned(16)
          81 # array(1)
            A4 # map(4)
              16 # unsigned(22)
                A3 # map(3)
                  12 # unsigned(18)
                    69 # text(9)
                      473930383233343930 # "G90823490"
                  2E # negative(14)
                    71 # text(17)
                      63736972742E6578616D706C652E636F6D # "csirt.example.com"
                  37 # negative(23)
                    61 # text(1)
                      31 # "1"
              24 # negative(4)
                81 # array(1)
                  6A # text(10)
                    433220646F6D61696E73 # "C2 domains"
              06 # unsigned(6)
                78 19 # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030 # "2014-12-02T11:18:00-05:00"
              18 AB # unsigned(171)
                A1 # map(1)
                  18 B0 # unsigned(176)
                    A2 # map(2)
                      18 1C # unsigned(28)
                        6B # text(11)
                          646F6D61696E2D6E616D65 # "domain-name"
                      18 B2 # unsigned(178)
                        78 1A # text(26)
                          6B6A3239303032336A30397233342E6578616D
                          706C652E636F6D # "kj290023j09r34.example.com"
]]></sourcecode>
</figure>
</section>
</section>
<section anchor="mapkeys" numbered="true" toc="default">
<name>Mapkeys</name>
<t>The mapkeys are provided in <xref target="fig_mapkeys" format="default"/> for minimizing the CBOR size. Every cborkey value is bound to exactly one mapkey: once two mapkeys share an integer key, a decoder has no way to tell them apart, so any extension of this table has to keep the cborkey column free of collisions. A CBOR map in which the same key occurs more than once is not valid (RFC 7049), and a decoder should reject such a map rather than silently keep one of the two values.</t>
<table align="left" anchor="fig_mapkeys">
<name>Mapkeys</name>
<thead>
<tr> <th>mapkey</th> <th>cborkey</th> </tr>
</thead>
<tbody>
<tr> <td>iodef-version</td> <td>-24</td> </tr>
<tr> <td>iodef-lang</td> <td>-23</td> </tr>
<tr> <td>iodef-format-id</td> <td>-22</td> </tr>
<tr> <td>iodef-private-enum-name</td> <td>-21</td> </tr>
<tr> <td>iodef-private-enum-id</td> <td>-20</td> </tr>
<tr> <td>iodef-Incident</td> <td>-19</td> </tr>
<tr> <td>iodef-AdditionalData</td> <td>-18</td> </tr>
<tr> <td>iodef-value</td> <td>-17</td> </tr>
<tr> <td>iodef-translation-id</td> <td>-16</td> </tr>
<tr> <td>iodef-name</td> <td>-15</td> </tr>
<tr> <td>iodef-dtype</td> <td>-14</td> </tr>
<tr> <td>iodef-ext-dtype</td> <td>-13</td> </tr>
<tr> <td>iodef-meaning</td> <td>-12</td> </tr>
<tr> <td>iodef-formatid</td> <td>-11</td> </tr>
<tr> <td>iodef-restriction</td> <td>-10</td> </tr>
<tr> <td>iodef-ext-restriction</td> <td>-9</td> </tr>
<tr> <td>iodef-observable-id</td> <td>-8</td> </tr>
<tr> <td>iodef-SoftwareReference</td> <td>-7</td> </tr>
<tr> <td>iodef-URL</td> <td>-6</td> </tr>
<tr> <td>iodef-Description</td> <td>-5</td> </tr>
<tr> <td>iodef-spec-name</td>
<td>-4</td> </tr> <tr> <td>iodef-ext-spec-name</td> <td>-3</td> </tr> <tr> <td>iodef-purpose</td> <td>-2</td> </tr> <tr> <td>iodef-ext-purpose</td> <td>-1</td> </tr> <tr> <td>iodef-status</td> <td>0</td> </tr> <tr> <td>iodef-ext-status</td> <td>1</td> </tr> <tr> <td>iodef-IncidentID</td> <td>2</td> </tr> <tr> <td>iodef-AlternativeID</td> <td>3</td> </tr> <tr> <td>iodef-RelatedActivity</td> <td>4</td> </tr> <tr> <td>iodef-DetectTime</td> <td>5</td> </tr> <tr> <td>iodef-StartTime</td> <td>6</td> </tr> <tr> <td>iodef-EndTime</td> <td>7</td> </tr> <tr> <td>iodef-RecoveryTime</td> <td>8</td> </tr> <tr> <td>iodef-ReportTime</td> <td>9</td> </tr> <tr> <td>iodef-GenerationTime</td> <td>10</td> </tr> <tr> <td>iodef-Discovery</td> <td>11</td> </tr> <tr> <td>iodef-Assessment</td> <td>12</td> </tr> <tr> <td>iodef-Method</td> <td>13</td> </tr> <tr> <td>iodef-Contact</td> <td>14</td> </tr> <tr> <td>iodef-EventData</td> <td>15</td> </tr> <tr> <td>iodef-Indicator</td> <td>16</td> </tr> <tr> <td>iodef-History</td> <td>17</td> </tr> <tr> <td>iodef-id</td> <td>18</td> </tr> <tr> <td>iodef-instance</td> <td>19</td> </tr> <tr> <td>iodef-ThreatActor</td> <td>20</td> </tr> <tr> <td>iodef-Campaign</td> <td>21</td> </tr> <tr> <td>iodef-IndicatorID</td> <td>22</td> </tr> <tr> <td>iodef-Confidence</td> <td>23</td> </tr> <tr> <td>iodef-ThreatActorID</td> <td>24</td> </tr> <tr> <td>iodef-CampaignID</td> <td>25</td> </tr> <tr> <td>iodef-role</td> <td>26</td> </tr> <tr> <td>iodef-ext-role</td> <td>27</td> </tr> <tr> <td>iodef-type</td> <td>28</td> </tr> <tr> <td>iodef-ext-type</td> <td>29</td> </tr> <tr> <td>iodef-ContactName</td> <td>30</td> </tr> <tr> <td>iodef-ContactTitle</td> <td>31</td> </tr> <tr> <td>iodef-RegistryHandle</td> <td>32</td> </tr> <tr> <td>iodef-PostalAddress</td> <td>33</td> </tr> <tr> <td>iodef-Email</td> <td>34</td> </tr> <tr> <td>iodef-Telephone</td> <td>35</td> </tr> <tr> <td>iodef-Timezone</td> <td>36</td> </tr> <tr> <td>iodef-handle</td> <td>37</td> </tr> <tr> 
<td>iodef-registry</td> <td>38</td> </tr> <tr> <td>iodef-ext-registry</td> <td>39</td> </tr> <tr> <td>iodef-PAddress</td> <td>40</td> </tr> <tr> <td>iodef-EmailTo</td> <td>41</td> </tr> <tr> <td>iodef-TelephoneNumber</td> <td>42</td> </tr> <tr> <td>iodef-source</td> <td>43</td> </tr> <tr> <td>iodef-ext-source</td> <td>44</td> </tr> <tr> <td>iodef-DetectionPattern</td> <td>45</td> </tr> <tr> <td>iodef-DetectionConfiguration</td> <td>46</td> </tr> <tr> <td>iodef-Application</td> <td>47</td> </tr> <tr> <td>iodef-Reference</td> <td>48</td> </tr> <tr> <td>iodef-AttackPattern</td> <td>49</td> </tr> <tr> <td>iodef-Vulnerability</td> <td>50</td> </tr> <tr> <td>iodef-Weakness</td> <td>51</td> </tr> <tr> <td>iodef-SpecID</td> <td>52</td> </tr> <tr> <td>iodef-ext-SpecID</td> <td>53</td> </tr> <tr> <td>iodef-ContentID</td> <td>54</td> </tr> <tr> <td>iodef-RawData</td> <td>55</td> </tr> <tr> <td>iodef-Platform</td> <td>56</td> </tr> <tr> <td>iodef-Scoring</td> <td>57</td> </tr> <tr> <td>iodef-ReferenceName</td> <td>58</td> </tr> <tr> <td>iodef-specIndex</td> <td>59</td> </tr> <tr> <td>iodef-ID</td> <td>60</td> </tr> <tr> <td>iodef-occurrence</td> <td>61</td> </tr> <tr> <td>iodef-IncidentCategory</td> <td>62</td> </tr> <tr> <td>iodef-Impact</td> <td>63</td> </tr> <tr> <td>iodef-SystemImpact</td> <td>64</td> </tr> <tr> <td>iodef-BusinessImpact</td> <td>65</td> </tr> <tr> <td>iodef-TimeImpact</td> <td>66</td> </tr> <tr> <td>iodef-MonetaryImpact</td> <td>67</td> </tr> <tr> <td>iodef-IntendedImpact</td> <td>68</td> </tr> <tr> <td>iodef-Counter</td> <td>69</td> </tr> <tr> <td>iodef-MitigatingFactor</td> <td>70</td> </tr> <tr> <td>iodef-Cause</td> <td>71</td> </tr> <tr> <td>iodef-severity</td> <td>72</td> </tr> <tr> <td>iodef-completion</td> <td>73</td> </tr> <tr> <td>iodef-ext-severity</td> <td>74</td> </tr> <tr> <td>iodef-metric</td> <td>75</td> </tr> <tr> <td>iodef-ext-metric</td> <td>76</td> </tr> <tr> <td>iodef-duration</td> <td>77</td> </tr> <tr> <td>iodef-ext-duration</td> 
<td>78</td> </tr> <tr> <td>iodef-currency</td> <td>79</td> </tr> <tr> <td>iodef-rating</td> <td>80</td> </tr> <tr> <td>iodef-ext-rating</td> <td>81</td> </tr> <tr> <td>iodef-HistoryItem</td> <td>82</td> </tr> <tr> <td>iodef-action</td> <td>83</td> </tr> <tr> <td>iodef-ext-action</td> <td>84</td> </tr> <tr> <td>iodef-DateTime</td> <td>85</td> </tr> <tr> <td>iodef-DefinedCOA</td> <td>86</td> </tr> <tr> <td>iodef-System</td> <td>87</td> </tr> <tr> <td>iodef-Expectation</td> <td>88</td> </tr> <tr> <td>iodef-RecordData</td> <td>89</td> </tr> <tr> <td>iodef-category</td> <td>90</td> </tr> <tr> <td>iodef-ext-category</td> <td>91</td> </tr> <tr> <td>iodef-interface</td> <td>92</td> </tr> <tr> <td>iodef-spoofed</td> <td>93</td> </tr> <tr> <td>iodef-virtual</td> <td>94</td> </tr> <tr> <td>iodef-ownership</td> <td>95</td> </tr> <tr> <td>iodef-ext-ownership</td> <td>96</td> </tr> <tr> <td>iodef-Node</td> <td>97</td> </tr> <tr> <td>iodef-NodeRole</td> <td>98</td> </tr> <tr> <td>iodef-Service</td> <td>99</td> </tr> <tr> <td>iodef-OperatingSystem</td> <td>100</td> </tr> <tr> <td>iodef-AssetID</td> <td>101</td> </tr> <tr> <td>iodef-DomainData</td> <td>102</td> </tr> <tr> <td>iodef-Address</td> <td>103</td> </tr> <tr> <td>iodef-Location</td> <td>104</td> </tr> <tr> <td>iodef-vlan-name</td> <td>105</td> </tr> <tr> <td>iodef-vlan-num</td> <td>106</td> </tr> <tr> <td>iodef-unit</td> <td>107</td> </tr> <tr> <td>iodef-ext-unit</td> <td>108</td> </tr> <tr> <td>iodef-system-status</td> <td>109</td> </tr> <tr> <td>iodef-ext-system-status</td> <td>110</td> </tr> <tr> <td>iodef-domain-status</td> <td>111</td> </tr> <tr> <td>iodef-ext-domain-status</td> <td>112</td> </tr> <tr> <td>iodef-Name</td> <td>113</td> </tr> <tr> <td>iodef-DateDomainWasChecked</td> <td>114</td> </tr> <tr> <td>iodef-RegistrationDate</td> <td>115</td> </tr> <tr> <td>iodef-ExpirationDate</td> <td>116</td> </tr> <tr> <td>iodef-RelatedDNS</td> <td>117</td> </tr> <tr> <td>iodef-NameServers</td> <td>118</td> </tr> <tr> 
<td>iodef-DomainContacts</td> <td>119</td> </tr> <tr> <td>iodef-Server</td> <td>120</td> </tr> <tr> <td>iodef-SameDomainContact</td> <td>121</td> </tr> <tr> <td>iodef-ip-protocol</td> <td>122</td> </tr> <tr> <td>iodef-ServiceName</td> <td>123</td> </tr> <tr> <td>iodef-Port</td> <td>124</td> </tr> <tr> <td>iodef-Portlist</td> <td>125</td> </tr> <tr> <td>iodef-ProtoCode</td> <td>126</td> </tr> <tr> <td>iodef-ProtoType</td> <td>127</td> </tr> <tr> <td>iodef-ProtoField</td> <td>128</td> </tr> <tr> <td>iodef-ApplicationHeaderField</td> <td>129</td> </tr> <tr> <td>iodef-EmailData</td> <td>130</td> </tr> <tr> <td>iodef-IANAService</td> <td>131</td> </tr> <tr> <td>iodef-EmailFrom</td> <td>132</td> </tr> <tr> <td>iodef-EmailSubject</td> <td>133</td> </tr> <tr> <td>iodef-EmailX-Mailer</td> <td>134</td> </tr> <tr> <td>iodef-EmailHeaderField</td> <td>135</td> </tr> <tr> <td>iodef-EmailHeaders</td> <td>136</td> </tr> <tr> <td>iodef-EmailBody</td> <td>137</td> </tr> <tr> <td>iodef-EmailMessage</td> <td>138</td> </tr> <tr> <td>iodef-HashData</td> <td>139</td> </tr> <tr> <td>iodef-Signature</td> <td>140</td> </tr> <tr> <td>iodef-RecordPattern</td> <td>141</td> </tr> <tr> <td>iodef-RecordItem</td> <td>142</td> </tr> <tr> <td>iodef-FileData</td> <td>143</td> </tr> <tr> <td>iodef-WindowsRegistryKeysModified</td> <td>144</td> </tr> <tr> <td>iodef-CertificateData</td> <td>145</td> </tr> <tr> <td>iodef-offset</td> <td>146</td> </tr> <tr> <td>iodef-offsetunit</td> <td>147</td> </tr> <tr> <td>iodef-ext-offsetunit</td> <td>148</td> </tr> <tr> <td>iodef-Key</td> <td>149</td> </tr> <tr> <td>iodef-registryaction</td> <td>150</td> </tr> <tr> <td>iodef-ext-registryaction</td> <td>151</td> </tr> <tr> <td>iodef-KeyName</td> <td>152</td> </tr> <tr> <td>iodef-KeyValue</td> <td>153</td> </tr> <tr> <td>iodef-Certificate</td> <td>154</td> </tr> <tr> <td>iodef-X509Data</td> <td>155</td> </tr> <tr> <td>iodef-File</td> <td>156</td> </tr> <tr> <td>iodef-FileName</td> <td>157</td> </tr> <tr> 
<td>iodef-FileSize</td> <td>158</td> </tr>
<tr> <td>iodef-FileType</td> <td>159</td> </tr>
<tr> <td>iodef-AssociatedSoftware</td> <td>160</td> </tr>
<tr> <td>iodef-FileProperties</td> <td>161</td> </tr>
<tr> <td>iodef-scope</td> <td>162</td> </tr>
<tr> <td>iodef-HashTargetID</td> <td>163</td> </tr>
<tr> <td>iodef-Hash</td> <td>164</td> </tr>
<tr> <td>iodef-FuzzyHash</td> <td>165</td> </tr>
<tr> <td>iodef-DigestMethod</td> <td>166</td> </tr>
<tr> <td>iodef-DigestValue</td> <td>167</td> </tr>
<tr> <td>iodef-CanonicalizationMethod</td> <td>168</td> </tr>
<tr> <td>iodef-FuzzyHashValue</td> <td>169</td> </tr>
<tr> <td>iodef-AlternativeIndicatorID</td> <td>170</td> </tr>
<tr> <td>iodef-Observable</td> <td>171</td> </tr>
<tr> <td>iodef-uid-ref</td> <td>172</td> </tr>
<tr> <td>iodef-IndicatorExpression</td> <td>173</td> </tr>
<tr> <td>iodef-IndicatorReference</td> <td>174</td> </tr>
<tr> <td>iodef-AttackPhase</td> <td>175</td> </tr>
<tr> <td>iodef-BulkObservable</td> <td>176</td> </tr>
<tr> <td>iodef-BulkObservableFormat</td> <td>177</td> </tr>
<tr> <td>iodef-BulkObservableList</td> <td>178</td> </tr>
<tr> <td>iodef-operator</td> <td>179</td> </tr>
<tr> <td>iodef-ext-operator</td> <td>180</td> </tr>
<tr> <td>iodef-euid-ref</td> <td>181</td> </tr>
<tr> <td>iodef-AttackPhaseID</td> <td>182</td> </tr>
</tbody>
</table>
</section>
<section anchor="cddlSection" numbered="true" toc="default">
<name>The IODEF Data Model (CDDL)</name>
<t keepWithNext="true">This section provides the IODEF data model. Note that mapkeys are described at the beginning of the CDDL data model for better readability.</t>
<!--Note: per the author's note in the datatracker, "? iodef-Indicator f=> [+ Indicator]," was updated to be "? iodef-Indicator => [+ Indicator]," in the figure below.
-->
<figure anchor="cddl">
<name>Data Model in CDDL</name>
<sourcecode type="cddl"><![CDATA[
start = iodef

;;; iodef.json: IODEF-Document

iodef-version = -24
iodef-lang = -23
iodef-format-id = -22
iodef-private-enum-name = -21
iodef-private-enum-id = -20
iodef-Incident = -19
iodef-AdditionalData = -18
iodef-value = -17
iodef-translation-id = -16
iodef-name = -15
iodef-dtype = -14
iodef-ext-dtype = -13
iodef-meaning = -12
iodef-formatid = -11
iodef-restriction = -10
iodef-ext-restriction = -9
iodef-observable-id = -8
iodef-SoftwareReference = -7
iodef-URL = -6
iodef-Description = -5
iodef-spec-name = -4
iodef-ext-spec-name = -3
iodef-purpose = -2
iodef-ext-purpose = -1
iodef-status = 0
iodef-ext-status = 1
iodef-IncidentID = 2
iodef-AlternativeID = 3
iodef-RelatedActivity = 4
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-RecoveryTime = 8
iodef-ReportTime = 9
iodef-GenerationTime = 10
iodef-Discovery = 11
iodef-Assessment = 12
iodef-Method = 13
iodef-Contact = 14
iodef-EventData = 15
iodef-Indicator = 16
iodef-History = 17
iodef-id = 18
iodef-instance = 19
iodef-ThreatActor = 20
iodef-Campaign = 21
iodef-IndicatorID = 22
iodef-Confidence = 23
iodef-ThreatActorID = 24
iodef-CampaignID = 25
iodef-role = 26
iodef-ext-role = 27
iodef-type = 28
iodef-ext-type = 29
iodef-ContactName = 30
iodef-ContactTitle = 31
iodef-RegistryHandle = 32
iodef-PostalAddress = 33
iodef-Email = 34
iodef-Telephone = 35
iodef-Timezone = 36
iodef-handle = 37
iodef-registry = 38
iodef-ext-registry = 39
iodef-PAddress = 40
iodef-EmailTo = 41
iodef-TelephoneNumber = 42
iodef-source = 43
iodef-ext-source = 44
iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 46
iodef-Application = 47
iodef-Reference = 48
iodef-AttackPattern = 49
iodef-Vulnerability = 50
iodef-Weakness = 51
iodef-SpecID = 52
iodef-ext-SpecID = 53
iodef-ContentID = 54
iodef-RawData = 55
iodef-Platform = 56
iodef-Scoring = 57
iodef-ReferenceName = 58
iodef-specIndex = 59
iodef-ID = 60
iodef-occurrence = 61
iodef-IncidentCategory = 62
iodef-Impact = 63
iodef-SystemImpact = 64
iodef-BusinessImpact = 65
iodef-TimeImpact = 66
iodef-MonetaryImpact = 67
iodef-IntendedImpact = 68
iodef-Counter = 69
iodef-MitigatingFactor = 70
iodef-Cause = 71
iodef-severity = 72
iodef-completion = 73
iodef-ext-severity = 74
iodef-metric = 75
iodef-ext-metric = 76
iodef-duration = 77
iodef-ext-duration = 78
iodef-currency = 79
iodef-rating = 80
iodef-ext-rating = 81
iodef-HistoryItem = 82
iodef-action = 83
iodef-ext-action = 84
iodef-DateTime = 85
iodef-DefinedCOA = 86
iodef-System = 87
iodef-Expectation = 88
iodef-RecordData = 89
iodef-category = 90
iodef-ext-category = 91
iodef-interface = 92
iodef-spoofed = 93
iodef-virtual = 94
iodef-ownership = 95
iodef-ext-ownership = 96
iodef-Node = 97
iodef-NodeRole = 98
iodef-Service = 99
iodef-OperatingSystem = 100
iodef-AssetID = 101
iodef-DomainData = 102
iodef-Address = 103
iodef-Location = 104
iodef-vlan-name = 105
iodef-vlan-num = 106
iodef-unit = 107
iodef-ext-unit = 108
iodef-system-status = 109
iodef-ext-system-status = 110
iodef-domain-status = 111
iodef-ext-domain-status = 112
iodef-Name = 113
iodef-DateDomainWasChecked = 114
iodef-RegistrationDate = 115
iodef-ExpirationDate = 116
iodef-RelatedDNS = 117
iodef-NameServers = 118
iodef-DomainContacts = 119
iodef-Server = 120
iodef-SameDomainContact = 121
iodef-ip-protocol = 122
iodef-ServiceName = 123
iodef-Port = 124
iodef-Portlist = 125
iodef-ProtoCode = 126
iodef-ProtoType = 127
iodef-ProtoField = 128
iodef-ApplicationHeaderField = 129
iodef-EmailData = 130
iodef-IANAService = 131
iodef-EmailFrom = 132
iodef-EmailSubject = 133
iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 135
iodef-EmailHeaders = 136
iodef-EmailBody = 137
iodef-EmailMessage = 138
iodef-HashData = 139
iodef-Signature = 140
iodef-RecordPattern = 141
iodef-RecordItem = 142
iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 144 ; must stay distinct from iodef-FuzzyHashValue (169)
iodef-CertificateData = 145 iodef-offset = 146 iodef-offsetunit = 147 iodef-ext-offsetunit = 148 iodef-Key = 149 iodef-registryaction = 150 iodef-ext-registryaction = 151 iodef-KeyName = 152 iodef-KeyValue = 153 iodef-Certificate = 154 iodef-X509Data = 155 iodef-File = 156 iodef-FileName = 157 iodef-FileSize = 158 iodef-FileType = 159 iodef-AssociatedSoftware = 160 iodef-FileProperties = 161 iodef-scope = 162 iodef-HashTargetID = 163 iodef-Hash = 164 iodef-FuzzyHash = 165 iodef-DigestMethod = 166 iodef-DigestValue = 167 iodef-CanonicalizationMethod = 168 iodef-FuzzyHashValue = 169 iodef-AlternativeIndicatorID = 170 iodef-Observable = 171 iodef-uid-ref = 172 iodef-IndicatorExpression = 173 iodef-IndicatorReference = 174 iodef-AttackPhase = 175 iodef-BulkObservable = 176 iodef-BulkObservableFormat = 177 iodef-BulkObservableList = 178 iodef-operator = 179 iodef-ext-operator = 180 iodef-euid-ref = 181 iodef-AttackPhaseID = 182 iodef = { iodef-version => text, ? iodef-lang => lang, ? iodef-format-id => text ? iodef-private-enum-name => text, ? iodef-private-enum-id => text, iodef-Incident => [+ Incident], ? 
iodef-AdditionalData => [+ ExtensionType] } duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / "year" / "ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDREFType = IDtype URLtype = uri TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]" PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*" action = "nothing" / "contact-source-site" / "contact-target-site" / "contact-sender" / "investigate" / "block-host" / "block-network" / "block-port" / "rate-limit-host" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "honeypot" / "upgrade-software" / "rebuild-asset" / "harden-asset" / "remediate-other" / "status-triage" / "status-new-info" / "watch-and-report" / "training" / "defined-coa" / "other" / "ext-value" DATETIME = tdate BYTE = eb64legacy MLStringType = { iodef-value => text, ? iodef-lang => lang, ? iodef-translation-id => text } / text PositiveFloatType = float32 .gt 0 PAddressType = MLStringType ExtensionType = { iodef-value => text, ? iodef-name => text, iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" ? iodef-ext-dtype => text, ? iodef-meaning => text, ? iodef-formatid => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, } SoftwareType = { ? iodef-SoftwareReference => SoftwareReference, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } SoftwareReference = { ? 
iodef-value => text,
  iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
  ? iodef-ext-spec-name => text,
  ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
                   "ext-value" .default "string",
  ? iodef-ext-dtype => text
}

Incident = {
  iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" /
                   "other" / "ext-value",
  ? iodef-ext-purpose => text,
  ? iodef-status => "new" / "in-progress" / "forwarded" / "resolved" /
                    "future" / "ext-value",
  ? iodef-ext-status => text,
  ? iodef-lang => lang,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  iodef-IncidentID => IncidentID,
  ? iodef-AlternativeID => AlternativeID,
  ? iodef-RelatedActivity => [+ RelatedActivity],
  ? iodef-DetectTime => DATETIME,
  ? iodef-StartTime => DATETIME,
  ? iodef-EndTime => DATETIME,
  ? iodef-RecoveryTime => DATETIME,
  ? iodef-ReportTime => DATETIME,
  iodef-GenerationTime => DATETIME,
  ? iodef-Description => [+ MLStringType],
  ? iodef-Discovery => [+ Discovery],
  ? iodef-Assessment => [+ Assessment],
  ? iodef-Method => [+ Method],
  iodef-Contact => [+ Contact],
  ? iodef-EventData => [+ EventData],
  ? iodef-Indicator => [+ Indicator],
  ? iodef-History => History,
  ? iodef-AdditionalData => [+ ExtensionType]
}

IncidentID = {
  iodef-id => text,
  iodef-name => text,
  ? iodef-instance => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text
}

AlternativeID = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  iodef-IncidentID => [+ IncidentID]
}

RelatedActivity = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-rest

riction => text,
  ? iodef-IncidentID => [+ IncidentID],
  ? iodef-URL => [+ URLtype],
  ? iodef-ThreatActor => [+ ThreatActor],
  ? iodef-Campaign => [+ Campaign],
  ? iodef-IndicatorID => [+ IndicatorID],
  ? iodef-Confidence => Confidence,
  ? iodef-Description => [+ text], ; NOTE(review): plain text here while every other Description is [+ MLStringType] -- confirm this is intended
  ?
iodef-AdditionalData => [+ ExtensionType]
}

ThreatActor = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-ThreatActorID => [+ text],
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AdditionalData => [+ ExtensionType]
}

Campaign = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-CampaignID => [+ text],
  ? iodef-URL => [+ URLtype],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AdditionalData => [+ ExtensionType]
}

Contact = {
  iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" /
                "user" / "billing" / "legal" / "irt" / "abuse" / "cc" /
                "cc-irt" / "leo" / "vendor" / "vendor-support" / "victim" /
                "victim-notified" / "ext-value",
  ? iodef-ext-role => text,
  iodef-type => "person" / "organization" / "ext-value",
  ? iodef-ext-type => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-ContactName => [+ MLStringType],
  ? iodef-ContactTitle => [+ MLStringType],
  ? iodef-Description => [+ MLStringType],
  ? iodef-RegistryHandle => [+ RegistryHandle],
  ? iodef-PostalAddress => [+ PostalAddress],
  ? iodef-Email => [+ Email],
  ? iodef-Telephone => [+ Telephone],
  ? iodef-Timezone => TimeZonetype,
  ? iodef-Contact => [+ Contact],
  ? iodef-AdditionalData => [+ ExtensionType]
}

RegistryHandle = {
  iodef-handle => text,
  iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
                    "afrinic" / "local" / "ext-value",
  ? iodef-ext-registry => text
}

PostalAddress = {
  ? iodef-type => "street" / "mailing" / "ext-value",
  ? iodef-ext-type => text,
  iodef-PAddress => PAddressType,
  ? iodef-Description => [+ MLStringType]
}

Email = {
  ? iodef-type => "direct" / "hotline" / "ext-value",
  ? iodef-ext-type => text,
  iodef-EmailTo => text,
  ? iodef-Description => [+ MLStringType]
}

Telephone = {
  ? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value",
  ?
iodef-ext-type => text,
  iodef-TelephoneNumber => text,
  ? iodef-Description => [+ MLStringType]
}

Discovery = {
  ? iodef-source => "nidps" / "hips" / "siem" / "av" /
                    "third-party-monitoring" / "incident" / "os-log" /
                    "application-log" / "device-log" / "network-flow" /
                    "passive-dns" / "investigation" / "audit" /
                    "internal-notification" / "external-notification" /
                    "leo" / "partner" / "actor" / "unknown" / "ext-value",
  ? iodef-ext-source => text,
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-Description => [+ MLStringType],
  ? iodef-Contact => [+ Contact],
  ? iodef-DetectionPattern => [+ DetectionPattern]
}

DetectionPattern = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-observable-id => IDtype,
  (iodef-Description => [+ MLStringType] //
   iodef-DetectionConfiguration => [+ text]),
  iodef-Application => SoftwareType
}

Method = {
  ? iodef-restriction => restriction .default "private",
  ? iodef-ext-restriction => text,
  ? iodef-Reference => [+ Reference],
  ? iodef-Description => [+ MLStringType],
  ? iodef-AttackPattern => [+ STRUCTUREDINFO],
  ? iodef-Vulnerability => [+ STRUCTUREDINFO],
  ? iodef-Weakness => [+ STRUCTUREDINFO],
  ? iodef-AdditionalData => [+ ExtensionType]
}

; iodef-RawData is an opaque base64 payload whose format is named by
; iodef-SpecID; a consumer decoding it is parsing untrusted input.
STRUCTUREDINFO = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
  ? iodef-Platform => [+ Platform],
  ? iodef-Scoring => [+ Scoring]
}

Platform = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? iodef-RawData => [+ BYTE],
  ? iodef-Reference => [+ Reference]
}

Scoring = {
  iodef-SpecID => SpecID,
  ? iodef-ext-SpecID => text,
  ? iodef-ContentID => text,
  ? iodef-RawData => [+ BYTE],
  ? iodef-Reference => [+ Reference]
}

Reference = {
  ? iodef-observable-id => IDtype,
  ?
iodef-ReferenceName => ReferenceName, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } ReferenceName = { iodef-specIndex => integer, iodef-ID => IDtype } Assessment = { ? iodef-occurrence => "actual" / "potential", ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-IncidentCategory => [+ MLStringType], iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} / {iodef-BusinessImpact => BusinessImpact / {iodef-TimeImpact => TimeImpact} / {iodef-MonetaryImpact => MonetaryImpact} / {iodef-IntendedImpact => BusinessImpact}], ? iodef-Counter => [+ Counter], ? iodef-MitigatingFactor => [+ MLStringType], ? iodef-Cause => [+ MLStringType], ? iodef-Confidence => Confidence, ? iodef-AdditionalData => [+ ExtensionType] } SystemImpact = { ? iodef-severity => "low" / "medium" / "high", ? iodef-completion => "failed" / "succeeded", iodef-type => "takeover-account" / "takeover-service" / "takeover-system" / "cps-manipulation" / "cps-damage" / "availability-data" / "availability-account" / "availability-service" / "availability-system" / "damaged-system" / "damaged-data" / "breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-configuration" / "integrity-data" / "integrity-configuration" / "integrity-hardware" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "policy" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-type => text, ? iodef-Description => [+ MLStringType] } BusinessImpact = { ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-severity => text, iodef-type => "breach-proprietary" / "breach-privacy" / "breach-credential" / "loss-of-integrity" / "loss-of-service" / "theft-financial" / "theft-service" / "degraded-reputation" / "asset-damage" / "asset-manipulation" / "legal" / "extortion" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-type => text, ? 
iodef-Description => [+ MLStringType] } TimeImpact = { iodef-value => PositiveFloatType, ? iodef-severity => "low" / "medium" / "high", iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value", ? iodef-ext-metric => text, ? iodef-duration => duration .default "hour", ? iodef-ext-duration => text } MonetaryImpact = { iodef-value => PositiveFloatType, ? iodef-severity => "low" / "medium" / "high", ? iodef-currency => text } Confidence = { iodef-value => float32, iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value", ? iodef-ext-rating => text } History = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-HistoryItem => [+ HistoryItem] } HistoryItem = { iodef-action => action .default "other", ? iodef-ext-action => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-DateTime => DATETIME, ? iodef-IncidentID => IncidentID, ? iodef-Contact => Contact, ? iodef-Description => [+ MLStringType], ? iodef-DefinedCOA => [+ text], ? iodef-AdditionalData => [+ ExtensionType] } EventData = { ? iodef-restriction => restriction .default "default", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType], ? iodef-DetectTime => DATETIME, ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-RecoveryTime => DATETIME, ? iodef-ReportTime => DATETIME, ? iodef-Contact => [+ Contact], ? iodef-Discovery => [+ Discovery], ? iodef-Assessment => Assessment, ? iodef-Method => [+ Method], ? iodef-System => [+ System], ? iodef-Expectation => [+ Expectation], ? iodef-RecordData => [+ RecordData], ? iodef-EventData => [+ EventData], ? iodef-AdditionalData => [+ ExtensionType] } Expectation = { ? iodef-action => action .default "other", ? iodef-ext-action => text, ? iodef-severity => "low" / "medium" / "high", ? iodef-restriction => restriction .default "default", ? 
iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType], ? iodef-DefinedCOA => [+ text], ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-Contact => Contact } System = { ? iodef-category => "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value", ? iodef-ext-category => text, ? iodef-interface => text, ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown", ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown", ? iodef-ownership => "organization" / "personal" / "partner" / "customer" / "no-relationship" / "unknown" / "ext-value", ? iodef-ext-ownership => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-Node => Node, ? iodef-NodeRole => [+ NodeRole], ? iodef-Service => [+ Service], ? iodef-OperatingSystem => [+ SoftwareType], ? iodef-Counter => [+ Counter], ? iodef-AssetID => [+ text], ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] } Node = { (iodef-DomainData => [+ DomainData] // iodef-Address => [+ Address]), ? iodef-PostalAddress => PostalAddress, ? iodef-Location => [+ MLStringType], ? iodef-Counter => [+ Counter] } Address = { iodef-value => text, iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / "ext-value" .default "ipv6-addr", ? iodef-ext-category => text, ? iodef-vlan-name => text, ? iodef-vlan-num => integer, ? 
iodef-observable-id => IDtype } NodeRole = { iodef-category => "client" / "client-enterprise" / "client-partner" / "client-remote" / "client-kiosk" / "client-mobile" / "server-internal" / "server-public" / "www" / "mail" / "webmail" / "messaging" / "streaming" / "voice" / "file" / "ftp" / "p2p" / "name" / "directory" / "credential" / "print" / "application" / "database" / "backup" / "dhcp" / "assessment" / "source-control" / "config-management" / "monitoring" / "infra" / "infra-firewall" / "infra-router" / "infra-switch" / "camera" / "proxy" / "remote-access" / "log" / "virtualization" / "pos" / "scada" / "scada-supervisory" / "sinkhole" / "honeypot" / "anomyzation" / "c2-server" / "malware-distribution" / "drop-server" / "hop-point" / "reflector" / "phishing-site" / "spear-phishing-site" / "recruiting-site" / "fraudulent-site" / "ext-value", ? iodef-ext-category => text, ? iodef-Description => [+ MLStringType] } Counter = { iodef-value => float32, iodef-type => "count" / "peak" / "average" / "ext-value", ? iodef-ext-type => text, iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / "message" / "event" / "host" / "site" / "organization" / "ext-value", ? iodef-ext-unit => text, ? iodef-meaning => text, ? iodef-duration => duration .default "hour", ? iodef-ext-duration => text } DomainData = { iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value", ? iodef-ext-system-status => text, iodef-domain-status => "reservedDelegation" / "assignedAndActive" / "assignedAndInactive" / "assignedAndOnHold" / "revoked" / "transferPending" / "registryLock" / "registrarLock" / "other" / "unknown" / "ext-value", ? iodef-ext-domain-status => text, ? iodef-observable-id => IDtype, iodef-Name => text, ? iodef-DateDomainWasChecked => DATETIME, ? iodef-RegistrationDate => DATETIME, ? iodef-ExpirationDate => DATETIME, ? iodef-RelatedDNS => [+ ExtensionType], ? iodef-NameServers => [+ NameServers], ? 
iodef-DomainContacts => DomainContacts } NameServers = { iodef-Server => text, iodef-Address => [+ Address] } DomainContacts = { (iodef-SameDomainContact => text // iodef-Contact => [+ Contact]) } Service = { ? iodef-ip-protocol => integer, ? iodef-observable-id => IDtype, ? iodef-ServiceName => ServiceName, ? iodef-Port => integer, ? iodef-Portlist => PortlistType, ? iodef-ProtoCode => integer, ? iodef-ProtoType => integer, ? iodef-ProtoField => integer, ? iodef-ApplicationHeaderField => [+ ExtensionType], ? iodef-EmailData => EmailData, ? iodef-Application => SoftwareType } ServiceName = { ? iodef-IANAService => text, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } EmailData = { ? iodef-observable-id => IDtype, ? iodef-EmailTo => [+ text], ? iodef-EmailFrom => text, ? iodef-EmailSubject => text, ? iodef-EmailX-Mailer => text, ? iodef-EmailHeaderField => [+ ExtensionType], ? iodef-EmailHeaders => text, ? iodef-EmailBody => text, ? iodef-EmailMessage => text, ? iodef-HashData => [+ HashData], ? iodef-Signature => [+ BYTE] } RecordData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-DateTime => DATETIME, ? iodef-Description => [+ MLStringType], ? iodef-Application => SoftwareType, ? iodef-RecordPattern => [+ RecordPattern], ? iodef-RecordItem => [+ ExtensionType], ? iodef-URL => [+ URLtype], ? iodef-FileData => [+ FileData], ? iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified], ? iodef-CertificateData => [+ CertificateData], ? iodef-AdditionalData => [+ ExtensionType] } RecordPattern = { iodef-value => text, iodef-type => "regex" / "binary" / "xpath" / "ext-value" .default "regex", ? iodef-ext-type => text, ? iodef-offset => integer, ? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line", ? iodef-ext-offsetunit => text, ? iodef-instance => integer } WindowsRegistryKeysModified = { ? 
iodef-observable-id => IDtype, iodef-Key => [+ Key] } Key = { ? iodef-registryaction => "add-key" / "add-value" / "delete-key" / "delete-value" / "modify-key" / "modify-value" / "ext-value", ? iodef-ext-registryaction => text, ? iodef-observable-id => IDtype, iodef-KeyName => text, ? iodef-KeyValue => text } CertificateData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-Certificate => [+ Certificate] } Certificate = { ? iodef-observable-id => IDtype, iodef-X509Data => BYTE, ? iodef-Description => [+ MLStringType] } FileData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-File => [+ File] } File = { ? iodef-observable-id => IDtype, ? iodef-FileName => text, ? iodef-FileSize => integer, ? iodef-FileType => text, ? iodef-URL => [+ URLtype], ? iodef-HashData => HashData, ? iodef-Signature => [+ BYTE], ? iodef-AssociatedSoftware => SoftwareType, ? iodef-FileProperties => [+ ExtensionType] } HashData = { iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" / "email-hash" / "email-headers-hash" / "email-body-hash" / "ext-value", ? iodef-HashTargetID => text, ? iodef-Hash => [+ Hash], ? iodef-FuzzyHash => [+ FuzzyHash] } Hash = { iodef-DigestMethod => BYTE, iodef-DigestValue => BYTE, ? iodef-CanonicalizationMethod => BYTE, ? iodef-Application => SoftwareType } FuzzyHash = { iodef-FuzzyHashValue => [+ ExtensionType], ? iodef-Application => SoftwareType, ? iodef-AdditionalData => [+ ExtensionType] } Indicator = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-IndicatorID => IndicatorID, ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID], ? iodef-Description => [+ MLStringType], ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-Confidence => Confidence, ? 
iodef-Contact => [+ Contact], (iodef-Observable => Observable // iodef-uid-ref => IDREFType // iodef-IndicatorExpression => IndicatorExpression // iodef-IndicatorReference => IndicatorReference), ? iodef-NodeRole => [+ NodeRole], ? iodef-AttackPhase => [+ AttackPhase], ? iodef-Reference => [+ Reference], ? iodef-AdditionalData => [+ ExtensionType] } IndicatorID = { iodef-id => IDtype, iodef-name => text, iodef-version => text } AlternativeIndicatorID = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-IndicatorID => [+ IndicatorID] } Observable = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? (iodef-System => System // iodef-Address => Address // iodef-DomainData => DomainData // iodef-EmailData => EmailData // iodef-Service => Service // iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // iodef-FileData => FileData //iodef-CertificateData => CertificateData // iodef-RegistryHandle =>RegistryHandle// iodef-RecordData=>RecordData=> RecordData // iodef-EventData => EventData // iodef-Incident => Incident // iodef-Expectation => Expectation // iodef-Reference => Reference // iodef-Assessment => Assessment // iodef-DetectionPattern => DetectionPattern // iodef-HistoryItem => HistoryItem // iodef-BulkObservable => BulkObservable // iodef-AdditionalData => [+ ExtensionType]) } BulkObservable = { ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" / "email-x-mailer" / "email-subject" / "http-user-agent" / "http-request-uri" / "mutex" / "file-path" / "user-name" / "ext-value", ? iodef-ext-type => text, ? iodef-BulkObservableFormat => BulkObservableFormat, iodef-BulkObservableList => text, ? 
iodef-AdditionalData => [+ ExtensionType] } BulkObservableFormat = { (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType]) } IndicatorExpression = { ? iodef-operator => "not" / "and" / "or" / "xor" .default "and", ? iodef-ext-operator => text, ? iodef-IndicatorExpression => [+ IndicatorExpression], ? iodef-Observable => [+ Observable], ? iodef-uid-ref => [+ IDREFType], ? iodef-IndicatorReference => [+ IndicatorReference], ? iodef-Confidence => Confidence, ? iodef-AdditionalData => [+ ExtensionType] } IndicatorReference = { (iodef-uid-ref => IDREFType // iodef-euid-ref => text), ? iodef-version => text } AttackPhase = { ? iodef-AttackPhaseID => [+ text], ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] }]]></artwork>]]></sourcecode> </figure> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>This documentdoes not require anyhas no IANA actions.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>This document provides a mapping from XML IODEF defined in <xref target="RFC7970"/>format="default"/> to JSON, and <xref target="mapping"/>format="default"/> describes several issues that arise when converting XML IODEF and JSON IODEF. 
Though it does not provide any further security considerations other than the one described in <xref target="RFC7970"/>, impelementersformat="default"/>, implementers of this document should be aware of those issues toavoid any unintended outcome.</t> </section> <section anchor="Acknowledgments" title="Acknowledgments"> <t>We would like to thank Henk Birkholz, Carsten Bormann, Benjamin Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their insightful comments on this document and CDDL.</t> </section> </middle> <!-- *****BACK MATTER ***** --> <back> <!-- References split into informative and normative --> <!-- There are 2 ways to insert reference entries from the citation libraries: 1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown) 2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml") Both are cited textually in the same manner: by using xref elements. If you use the PI option, xml2rfc will, by default, try to find included files in the same directory as the including file. You can also define the XML_LIBRARY environment variable with a value containing a set of directories to search. These can be either in the local filing system or remote ones accessed by http (http://domain/dir/... 
).--> <references title="Normative References"> <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?--> &RFC2119; &RFC3986; &RFC4648; &RFC7049; &RFC7203; &RFC7970; &RFC8174; &RFC8259; &RFC8610; <!-- <reference anchor="jsonschema"> <front> <title>JSON Schema</title> <author> <organization></organization> </author> <date year="2006" /> </front> <annotation>http://json-schema.org/</annotation> </reference> -->avoid any unintended outcome.</t> </section> </middle> <back> <displayreference target="I-D.handrews-json-schema-validation" to="JSON-SCHEMA"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7049.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7203.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7970.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/> </references> <references> <name>Informative References</name> <!--draft-handrews-json-schema-validation-02; expired--> <xi:include href="https://www.rfc-editor.org/refs/bibxml3/reference.I-D.handrews-json-schema-validation.xml"/> </references><references title="Informative References"> <!-- Here we use entities that we defined at the beginning. --> <?rfc include="reference.I-D.handrews-json-schema-validation.xml"?> <!-- A reference written by by an organization not a person. 
--></references> <sectiontitle="Dataanchor="supportedCborDataType" numbered="true" toc="default"> <name>Data TypesusedUsed inthis document" anchor="supportedCborDataType">This Document</name> <t>The CDDL prelude used in this document is mapped to JSON as shown in the table below.</t><figure align="center"<table anchor="cborDataType"title="CDDLalign="left"> <name>CDDL PreludemappingMapping inJSON"><artwork align="left"><![CDATA[ +-----------------+-------------------+----------------------------+ | CDDL Prelude | Use of JSON | Instance | Validation | +-----------------+-------------------+----------------------------+ | bytes | n/a | string | tool available | | text | string | string | unnecessary | | tdate | n/a | string | 7.3.1 date-time | | integer | n/a | number | integer | | eb64legacy | n/a | string | tool available | | uri | n/a | string | 7.3.6 uri | | float32 | float32 | number | unnecessary | +-----------------+-------------------+----------------------------+ ]]></artwork></figure>JSON</name> <thead> <tr> <th>CDDL Prelude</th> <th>Use of JSON</th> <th>Instance</th> <th>Validation</th> </tr> </thead> <tbody> <tr> <td>bytes</td> <td>n/a</td> <td>string</td> <td>tool available</td> </tr> <tr> <td>text</td> <td>string</td> <td>string</td> <td>unnecessary</td> </tr> <tr> <td>tdate</td> <td>n/a</td> <td>string</td> <td>date-time per <xref target="I-D.handrews-json-schema-validation" sectionFormat="of" section="7.3.1"/></td> </tr> <tr> <td>integer</td> <td>n/a</td> <td>number</td> <td>integer</td> </tr> <tr> <td>eb64legacy</td> <td>n/a</td> <td>string</td> <td>tool available</td> </tr> <tr> <td>uri</td> <td>n/a</td> <td>string</td> <td>uri per <xref target="I-D.handrews-json-schema-validation" sectionFormat="of" section="7.3.6"/></td> </tr> <tr> <td>float32</td> <td>float32</td> <td>number</td> <td>unnecessary</td> </tr> </tbody> </table> </section> <sectiontitle="Theanchor="jsonSchemaSection" numbered="true" toc="default"> <name>The IODEF Data Model 
(JSONSchema)" anchor="jsonSchemaSection"> <t>ThisSchema)</name> <t keepWithNext="true">This section provides a <xreftarget="I-D.handrews-json-schema-validation">JSONtarget="I-D.handrews-json-schema-validation" format="default">JSON schema</xref> that defines the IODEFData Modeldata model defined in thisdraft.document. Note that this section isInformative.</t>informative.</t> <figurealign="center" anchor="jsonSchema" title="JSON schema"> <artwork align="left"><![CDATA[anchor="jsonSchema"> <name>JSON Schema</name> <sourcecode type="json"><![CDATA[ { "$schema":"http://json-schema.org/draft-04/schema#","https://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum":["nothing","contact-source-site", "contact-target-site","contact-sender","investigate", "block-host","block-network","block-port","rate-limit-host", "rate-limit-network","rate-limit-port","redirect-traffic", "honeypot","upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","other",["nothing", "contact-source-site", "contact-target-site", "contact-sender", "investigate", "block-host", "block-network", "block-port", "rate-limit-host", "rate-limit-network", "rate-limit-port", "redirect-traffic", "honeypot", "upgrade-software", "rebuild-asset", "harden-asset", "remediate-other", "status-triage", "status-new-info", "watch-and-report", "training", "defined-coa", "other", "ext-value"]}, "duration":{"enum":["second", "minute", "hour", "day", "month", "quarter", "year", "ext-value"]},"duration":{"enum":["second","minute","hour","day","month", "quarter","year","ext-value"]},"SpecID":{"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2", "private"]}, "lang": {"type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},"type":"string", "pattern": "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "purpose": {"enum":["traceback","mitigation","reporting","watch", 
"other","ext-value"]}, "restriction":{"enum":["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]},["traceback", "mitigation", "reporting", "watch", "other", "ext-value"]}, "restriction":{"enum": ["public", "partner", "need-to-know", "private", "default", "white", "green", "amber", "red", "ext-value"]}, "status": {"enum":["new","in-progress","forwarded","resolved", "future","ext-value"]},["new", "in-progress", "forwarded", "resolved", "future", "ext-value"]}, "DATETIME": {"type":"string","format":"string", "format": "date-time"}, "BYTE": {"type": "string"}, "PortlistType": { "type":"string","pattern":"string", "pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"}, "TimeZonetype": {"type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},"type":"string", "pattern": "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "URLtype": { "type": "string", "pattern":"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*)) ?(#(.*))?"}, "IDtype": {"type":"string","pattern":"string", "pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "IDREFType": {"$ref": "#/definitions/IDtype"}, "MLStringType": { "oneOf": [{"type": "string"}, {"type": "object", "properties": { "value": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "translation-id": {"type": "string"}}, "required": ["value"], "additionalProperties":false}]}, "PositiveFloatType": {"type":"number","minimum":"number", "minimum": 0}, "PAddressType": {"$ref": "#/definitions/MLStringType"}, "ExtensionType": { "type": "object", "properties": { "value": {"type": "string"}, "name": {"type": "string"},"dtype":{"enum":["boolean","byte","bytes","character","dtype":{"enum":["boolean", "byte", "bytes", "character", "json","date-time","ntpstamp","integer","portlist","real","string", "file","path","frame","packet","ipv4-packet","ipv6-packet","date-time", "ntpstamp", "integer", "portlist", "real", "string", "file", "path", "frame", "packet", 
"ipv4-packet", "ipv6-packet", "url","csv","winreg","xml","ext-value"],"default":"csv", "winreg", "xml", "ext-value"], "default": "string"}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": { "$ref":"#/definitions/restriction","default":"#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required":["value","dtype"],["value", "dtype"], "additionalProperties":false}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "SoftwareType": { "type": "object", "properties": {"SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},"SoftwareReference":{ "$ref":"#/definitions/SoftwareReference"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype", "minItems": 1}}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1 }}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"enum":["custom","cpe","swid","ext-value"]},["custom", "cpe", "swid", "ext-value"]}, "ext-spec-name": {"type": "string"}, "dtype": {"enum":["bytes","integer","real","string","xml", "ext-value"] ,["bytes", "integer", "real", "string", "xml", "ext-value"], "default": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false},"StructuredInfo":"STRUCTUREDINFO": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1 }, "Platform": { "type": "array", "items": {"$ref": "#/definitions/Platform"}, "minItems": 1 }, "Scoring": { "type": "array", 
"items": {"$ref": "#/definitions/Scoring"}, "minItems": 1}}, "allOf": [ {"required": ["SpecID"]}, {"anyOf": [ {"oneOf": [ {"required":["Reference"]}, {"required":["RawData"]}]}, { "not" : {"required":["Reference", "RawData"]}}]}], "additionalProperties": false}, "Platform": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Scoring": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID":{"$ref": "#/definitions/AlternativeID"},{ "$ref":"#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array", "items": {"$ref": "#/definitions/RelatedActivity"}, "minItems": 1}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, 
"ReportTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": { "type": "array", "items": {"$ref": "#/definitions/Assessment"}, "minItems": 1}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "Indicator": { "type": "array", "items": {"$ref": "#/definitions/Indicator"}, "minItems": 1}, "History": {"$ref": "#/definitions/History"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required":["IncidentID","GenerationTime","Contact","purpose"],["IncidentID", "GenerationTime", "Contact", "purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required":["id","name"],["id", "name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { "type": "array", "items":{"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": 
{"type": "string"}, "IncidentID": { "type": "array", "items": {"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "ThreatActor": { "type": "array", "items": {"$ref": "#/definitions/ThreatActor"}, "minItems": 1}, "Campaign": { "type": "array", "items": {"$ref": "#/definitions/Campaign"}, "minItems": 1}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref": "#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ThreatActorID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "CampaignID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}}},{ "$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": {"enum":["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", 
"vendor","vendor-support","victim","victim-notified","enum":["creator", "reporter", "admin", "tech", "provider", "user", "billing", "legal", "irt", "abuse", "cc", "cc-irt", "leo", "vendor", "vendor-support", "victim", "victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type":{"enum": ["person","organization","ext-value"]},{ "enum": ["person", "organization", "ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ContactName": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "ContactTitle": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "RegistryHandle": { "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}, "minItems": 1}, "PostalAddress": { "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}, "minItems": 1}, "Email": { "type": "array", "items": {"$ref": "#/definitions/Email"}, "minItems": 1}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}, "minItems": 1}, "Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required":["role","type"],["role", "type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum":["internic","apnic","arin","lacnic","ripe","afrinic", "local","ext-value"]},["internic", "apnic", "arin", "lacnic", "ripe", "afrinic", "local", "ext-value"]}, "ext-registry": {"type": "string"}}, "required":["handle","registry"],["handle", "registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": { 
"enum":["street","mailing","ext-value"]},["street", "mailing", "ext-value"]}, "ext-type": {"type": "string"}, "PAddress": {"$ref": "#/definitions/PAddressType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": {"enum":["direct","hotline","ext-value"]},"enum":["direct", "hotline", "ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": {"enum":["wired","mobile","fax","hotline","ext-value"]},"enum":["wired", "mobile", "fax", "hotline", "ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": {"enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]},"enum":["nidps", "hips", "siem", "av", "third-party-monitoring", "incident", "os-log", "application-log", "device-log", "network-flow", "passive-dns", "investigation", "audit", "internal-notification", "external-notification", "leo", "partner", "actor", "unknown", "ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": 
"#/definitions/Contact"}, "minItems": 1}, "DetectionPattern": { "type":"array", "items":{"$ref":"#/definitions/DetectionPattern"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}, "minItems": 1}}, "allOf": [ {"required": ["Application"]}, {"oneOf": [ {"required":["Description"]}, {"required":["DetectionConfiguration"]}]}], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AttackPattern": { "type":"array","items":{"$ref":"#/definitions/StructuredInfo"},"items":{"$ref":"#/definitions/STRUCTUREDINFO"}, "minItems": 1}, "Vulnerability": { "type":"array","items":{"$ref":"#/definitions/StructuredInfo"},"items":{"$ref":"#/definitions/STRUCTUREDINFO"}, "minItems": 1}, "Weakness": { "type":"array","items":{"$ref":"#/definitions/StructuredInfo"},"items":{"$ref":"#/definitions/STRUCTUREDINFO"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "ReferenceName":{"$ref":"#/definitions/ReferenceName"},{ "$ref":"#/definitions/ReferenceName"}, "URL":{ "type":"array", 
"items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "ReferenceName" : { "type": "object", "properties": { "specIndex": {"type": "number"}, "ID": {"$ref":"#/definitions/IDtype"}}, "required":["specIndex","ID"],["specIndex", "ID"], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence":{"enum":["actual","potential"]},{"enum":["actual", "potential"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Impact": { "type": "array", "items": { "properties": {"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},"SystemImpact":{ "$ref":"#/definitions/SystemImpact"}, "BusinessImpact":{ "$ref":"#/definitions/BusinessImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"},"MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},"MonetaryImpact":{ "$ref":"#/definitions/MonetaryImpact"}, "IntendedImpact":{ "$ref":"#/definitions/BusinessImpact"}}, "additionalProperties":false}, "minItems" : 1 }, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "MitigatingFactor": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Cause": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Impact"], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { 
"severity":{"enum":["low","medium","high"]},{"enum":["low", "medium", "high"]}, "completion":{"enum":["failed","succeeded"]},{"enum":["failed", "succeeded"]}, "type": {"enum":["takeover-account","takeover-service", "takeover-system","cps-manipulation","cps-damage", "availability-data","availability-account", "availability-service","availability-system", "damaged-system","damaged-data","breach-proprietary", "breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic", "monitoring-host","policy","unknown","ext-value"]},"enum":["takeover-account", "takeover-service", "takeover-system", "cps-manipulation", "cps-damage", "availability-data", "availability-account", "availability-service", "availability-system", "damaged-system", "damaged-data", "breach-proprietary", "breach-privacy", "breach-credential", "breach-configuration", "integrity-data", "integrity-configuration", "integrity-hardware", "traffic-redirection", "monitoring-traffic", "monitoring-host", "policy", "unknown", "ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity":{"enum":["none","low","medium","high","unknown", "ext-value"],"default":{"enum":["none", "low", "medium", "high", "unknown", "ext-value"], "default": "unknown"}, "ext-severity": {"type":"string"}, "type":{"enum":["breach-proprietary","breach-privacy", "breach-credential","loss-of-integrity","loss-of-service", "theft-financial","theft-service","degraded-reputation", "asset-damage","asset-manipulation","legal","extortion", "unknown","ext-value"]},{"enum":["breach-proprietary", "breach-privacy", "breach-credential", "loss-of-integrity", "loss-of-service", "theft-financial", "theft-service", "degraded-reputation", "asset-damage", 
"asset-manipulation", "legal", "extortion", "unknown", "ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum":["low","medium","high"]},["low", "medium", "high"]}, "metric": {"enum":["labor","elapsed","downtime","ext-value"]},["labor", "elapsed", "downtime", "ext-value"]}, "ext-metric": {"type": "string"}, "duration":{"$ref":"#/definitions/duration","default":{ "$ref":"#/definitions/duration", "default": "hour"}, "ext-duration": {"type": "string"}}, "required":["value","metric"],["value", "metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity":{"enum":["low","medium","high"]},{"enum":["low", "medium", "high"]}, "currency": {"type": "string"}}, "required": ["value"], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, "rating": {"enum":["low","medium","high","numeric","unknown",["low", "medium", "high", "numeric", "unknown", "ext-value"]}, "ext-rating": {"type":"string"}}, "required":["value","rating"],["value", "rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array", "items": {"$ref": "#/definitions/HistoryItem"}, "minItems": 1}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action":{"$ref": "#/definitions/action","default":{ "$ref": "#/definitions/action", "default": "other"}, "ext-action": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, 
"ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required":["DateTime","action"],["DateTime", "action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array", "items": { "$ref":"#/definitions/MLStringType"}}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "System": { "type": "array", "items": {"$ref": "#/definitions/System"}, "minItems": 1}, "Expectation": { "type": "array", "items": {"$ref": "#/definitions/Expectation"}, "minItems": 1}, "RecordData": { "type": "array", "items": {"$ref": "#/definitions/RecordData"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": [], 
"additionalProperties": false}, "Expectation": { "type": "object", "properties": { "action":{"$ref":"#/definitions/action","default":{ "$ref":"#/definitions/action", "default": "other"}, "ext-action": {"type": "string"}, "severity": {"enum":["low","medium","high"]},["low", "medium", "high"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "default"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum":["source","target","intermediate","sensor", "infrastructure","ext-value"]},["source", "target", "intermediate", "sensor", "infrastructure", "ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed":{"enum": ["unknown","yes","no"],"default":"unknown"},{ "enum": ["unknown", "yes", "no"], "default":"unknown"}, "virtual":{"enum": ["yes","no","unknown"],"default":"unknown"},{ "enum": ["yes", "no", "unknown"], "default":"unknown"}, "ownership": {"enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]},"enum":["organization", "personal", "partner", "customer", "no-relationship", "unknown", "ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "Service": { "type": "array", "items": {"$ref": "#/definitions/Service"}, "minItems": 
1}, "OperatingSystem": { "type": "array", "items": {"$ref": "#/definitions/SoftwareType"}, "minItems": 1}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "AssetID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array", "items": {"$ref": "#/definitions/DomainData"}, "minItems": 1}, "Address": { "type": "array", "items": {"$ref": "#/definitions/Address"}, "minItems": 1}, "PostalAddress":{"$ref":{ "$ref": "#/definitions/PostalAddress"}, "Location": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Counter": { "type":"array", "items":{"$ref":"#/definitions/Counter"}, "minItems": 1}}, "anyOf": [ {"required": ["DomainData"]}, {"required": ["Address"]} ], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": {"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-uri","ext-value"],"enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net", "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr", "ipv6-net", "ipv6-net-masked", "mac", "site-uri", "ext-value"], "default": "ipv6-addr"}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required":["value","category"],["value", "category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": {"enum":["client","client-enterprise","client-partner", "client-remote","client-kiosk","client-mobile", 
"server-internal","server-public","www","mail","webmail", "messaging","streaming","voice","file","ftp","p2p","name", "directory","credential","print","application","database", "backup","dhcp","assessment","source-control", "config-management","monitoring","infra","infra-firewall", "infra-router","infra-switch","camera","proxy", "remote-access","log","virtualization","pos","enum":["client", "client-enterprise", "client-partner", "client-remote", "client-kiosk", "client-mobile", "server-internal", "server-public", "www", "mail", "webmail", "messaging", "streaming", "voice", "file", "ftp", "p2p", "name", "directory", "credential", "print", "application", "database", "backup", "dhcp", "assessment", "source-control", "config-management", "monitoring", "infra", "infra-firewall", "infra-router", "infra-switch", "camera", "proxy", "remote-access", "log", "virtualization", "pos", "scada","scada-supervisory","sinkhole","honeypot","anomyzation", "c2-server","malware-distribution","drop-server", "hop-point","reflector","phishing-site", "spear-phishing-site","recruiting-site","fraudulent-site","scada-supervisory", "sinkhole", "honeypot", "anomyzation", "c2-server", "malware-distribution", "drop-server", "hop-point", "reflector", "phishing-site", "spear-phishing-site", "recruiting-site", "fraudulent-site", "ext-value"]}, "ext-category": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "number"}, "type":{"enum": ["count","peak","average","ext-value"]},{ "enum": ["count", "peak", "average", "ext-value"]}, "ext-type": {"type": "string"},"unit":{"enum":["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]},"unit":{"enum":["byte", "mbit", "packet", "flow", "session", "alert", "message", "event", "host", "site", "organization", 
"ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration":{"$ref":"#/definitions/duration","default":{ "$ref":"#/definitions/duration", "default": "hour"}, "ext-duration": {"type": "string"}}, "required":["value","type","unit"],["value", "type", "unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum":["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]},["spoofed", "fraudulent", "innocent-hacked", "innocent-hijacked", "unknown", "ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { "enum": ["reservedDelegation","assignedAndActive", "assignedAndInactive","assignedAndOnHold","revoked", "transferPending","registryLock","registrarLock", "other","unknown","ext-value"]},"reservedDelegation", "assignedAndActive", "assignedAndInactive", "assignedAndOnHold", "revoked", "transferPending", "registryLock", "registrarLock", "other", "unknown", "ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked":{"$ref":{ "$ref": "#/definitions/DATETIME"}, "RegistrationDate":{"$ref":{ "$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "NameServers": { "type": "array", "items": {"$ref": "#/definitions/NameServers"}, "minItems": 1}, "DomainContacts":{"$ref":{ "$ref": "#/definitions/DomainContacts"}}, "required":["Name","system-status","domain-status"],["Name", "system-status", "domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": { "type":"array", "items":{"$ref":"#/definitions/Address"}, "minItems": 1}}, "required":["Server","Address"],["Server", "Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", 
"properties": { "SameDomainContact": {"type": "string"}, "Contact": { "type":"array", "items":{"$ref":"#/definitions/Contact"}, "minItems": 1}}, "oneOf": [ {"required": ["SameDomainContact"]}, {"required": ["Contact"]}], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "number"}, "Portlist": {"$ref": "#/definitions/PortlistType"}, "ProtoCode": {"type": "number"}, "ProtoType": {"type": "number"}, "ProtoField": {"type": "number"}, "ApplicationHeaderField":{ "$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application":{"$ref":{ "$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": { "type":"array","items": {"$ref":"array", "items": { "$ref": "#/definitions/URLtype"}}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array", "items": {"$ref": "#/definitions/HashData"}, "minItems": 1}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": 
"#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array", "items": {"$ref": "#/definitions/RecordPattern"}, "minItems": 1}, "RecordItem": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "FileData": { "type": "array", "items": {"$ref": "#/definitions/FileData"}, "minItems": 1}, "WindowsRegistryKeysModified": { "type": "array", "items":{"$ref":"#/definitions/WindowsRegistryKeysModified"},{ "$ref":"#/definitions/WindowsRegistryKeysModified"}, "minItems": 1}, "CertificateData": { "type":"array", "items":{"$ref":"#/definitions/CertificateData"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, "type":{"enum": ["regex","binary","xpath","ext-value"],{ "enum": ["regex", "binary", "xpath", "ext-value"], "default": "regex"}, "ext-type": {"type": "string"}, "offset": {"type": "number"}, "offsetunit":{"enum":["line","byte","ext-value"]{"enum":["line", "byte", "ext-value"] , "default": "line"}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "number"}}, "required":["value","type"],["value", "type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "Key": { "type": "array", "items": {"$ref": "#/definitions/Key"}, "minItems": 1}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { 
"registryaction": {"enum":["add-key","add-value","delete-key", "delete-value","modify-key","modify-value",["add-key", "add-value", "delete-key", "delete-value", "modify-key", "modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array", "items": {"$ref": "#/definitions/Certificate"}, "minItems": 1}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {"$ref": "#/definitions/BYTE"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["X509Data"], "additionalProperties": false}, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": { "type": "array", "items": {"$ref": "#/definitions/File"}, "minItems": 1}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "FileName": {"type": "string"}, "FileSize": {"type": "number"}, "FileType": {"type": "string"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "HashData": {"$ref": "#/definitions/HashData"}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}, "AssociatedSoftware":{"$ref":{ "$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type":"array", 
"items":{"$ref":"#/definitions/ExtensionType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", "properties": { "scope": {"enum":["file-contents","file-pe-section", "file-pe-iat","file-pe-resource","file-pdf-object", "email-hash","email-headers-hash","email-body-hash",["file-contents", "file-pe-section", "file-pe-iat", "file-pe-resource", "file-pdf-object", "email-hash", "email-headers-hash", "email-body-hash", "ext-value"]}, "HashTargetID": {"type": "string"}, "Hash": { "type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1}, "FuzzyHash": { "type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"$ref": "#/definitions/BYTE"}, "DigestValue": {"$ref": "#/definitions/BYTE"}, "CanonicalizationMethod":{"$ref":{ "$ref": "#/definitions/BYTE"}, "Application":{"$ref":{ "$ref": "#/definitions/SoftwareType"}}, "required":["DigestMethod","DigestValue"],["DigestMethod", "DigestValue"], "additionalProperties": false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items":{"$ref":{ "$ref": "#/definitions/AlternativeIndicatorID"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, 
"EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Observable": {"$ref": "#/definitions/Observable"}, "uid-ref": {"$ref": "#/definitions/IDREFType"}, "IndicatorExpression":{ "$ref":"#/definitions/IndicatorExpression"}, "IndicatorReference":{ "$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "AttackPhase": { "type": "array", "items": {"$ref": "#/definitions/AttackPhase"}, "minItems": 1}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "allOf": [ {"required": ["IndicatorID"]}, {"oneOf": [ {"required":["Observable"]}, {"required":["uid-ref"]}, {"required":["IndicatorExpression"]}, {"required":["IndicatorReference"]}]}], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, "required":["id","name","version"],["id", "name", "version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}}, "required": ["IndicatorID"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": 
"#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData":{"$ref":{ "$ref": "#/definitions/CertificateData"}, "RegistryHandle":{"$ref":{ "$ref": "#/definitions/RegistryHandle"}, "RecordData": {"$ref": "#/definitions/RecordData"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern":{"$ref":{ "$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable":{"$ref":{ "$ref": "#/definitions/BulkObservable"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required":["System"]}, {"required":["Address"]}, {"required":["DomainData"]}, {"required":["EmailData"]}, {"required":["Service"]}, {"required":["WindowsRegistryKeysModified"]}, {"required":["FileData"]}, {"required":["CertificateData"]}, {"required":["RegistryHandle"]}, {"required":["RecordData"]}, {"required":["EventData"]}, {"required":["Incident"]}, {"required":["Expectation"]}, {"required":["Reference"]}, {"required":["Assessment"]}, {"required":["DetectionPattern"]}, {"required":["HistoryItem"]}, {"required":["BulkObservable"]}, {"required":["AdditionalData"]}], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "mac","site-uri","domain-name","domain-to-ipv4", "domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "windows-reg-key","file-hash","email-x-mailer", "email-subject","http-user-agent","http-request-url", "mutex","file-path","user-name","ext-value"]},["asn", 
"atm", "e-mail", "ipv4-addr", "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net", "ipv6-net-mask", "mac", "site-uri", "domain-name", "domain-to-ipv4", "domain-to-ipv6", "domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port", "windows-reg-key", "file-hash", "email-x-mailer", "email-subject", "http-user-agent", "http-request-url", "mutex", "file-path", "user-name", "ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormat":{ "$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "string"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": ["BulkObservableList"], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required": ["Hash"]}, {"required": ["AdditionalData"]} ], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator":{"enum": ["not","and","or","xor"],"default":{ "enum": ["not", "and", "or", "xor"], "default": "and"}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items":{"$ref":{ "$ref": "#/definitions/IndicatorExpression"}, "minItems": 1}, "Observable": { "type": "array", "items": {"$ref": "#/definitions/Observable"}, "minItems": 1}, "uid-ref": { "type": "array", "items": {"$ref": "#/definitions/IDREFType"}, "minItems": 1}, "IndicatorReference": { "type": "array", "items":{"$ref":{ "$ref": "#/definitions/IndicatorReference"}, "minItems": 1}, "Confidence": {"$ref":"#/definitions/Confidence"}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"$ref":"#/definitions/IDREFType"}, 
"euid-ref": {"type": "string"}, "version": {"type": "string"}}, "oneOf": [ {"required": ["uid-ref"]}, {"required": ["euid-ref"]} ], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type": "array", "items": {"$ref": "#/definitions/Incident"}, "minItems": 1}, "AdditionalData":{"$ref":"#/definitions/ExtensionTypeList"}},{ "$ref":"#/definitions/ExtensionTypeList"}}, "required":["version","Incident"],["version", "Incident"], "additionalProperties": false}]]></artwork>]]></sourcecode> </figure> </section> <section anchor="Acknowledgments" numbered="false" toc="default"> <name>Acknowledgments</name> <t>We would like to thank <contact fullname="Henk Birkholz"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Benjamin Kaduk"/>, <contact fullname="Alexey Melnikov"/>, <contact fullname="Yasuaki Morita"/>, and <contact fullname="Takahiko Nagata"/> for their insightful comments on this document and CDDL.</t> </section> </back> </rfc>
