| MILE | T. Takahashi |
| Internet-Draft | NICT |
| Intended status: Standards Track | R. Danyliw |
| Expires: April 25, 2019 | CERT |
| M. Suzuki | |
| NICT | |
| October 22, 2018 |
CBOR/JSON binding of IODEF
draft-ietf-mile-jsoniodef-05
RFC7970 specified an information model and a corresponding XML data model for exchanging incident and indicator information. This draft provides an alternative data model implementation in JSON.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
[RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively in this document.
This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using CDDL and JSON Schema [jsonschema]. This JSON data model is referred to as IODEF JSON in this document.
IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information.
The normative IODEF JSON data model is found in Section 5. Section 2 and Section 3 describe the data types and elements of this data model. Section 4 provides examples.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
The abstract IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970].
IODEF JSON uses native and derived JSON data types. Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON.
+-----------------+-------------------+-------------------------------+ | IODEF Data Type | [RFC7970] | JSON Data Type | | | Reference | | +-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 | "integer" per [jsonschema] | | REAL | Section 2.2 | "number" per [jsonschema] | | CHARACTER | Section 2.3 | "string" per [jsonschema] | | STRING | Section 2.3 | "string" per [jsonschema] | | ML_STRING | Section 2.4 | see Section 2.2.1 | | BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] | | POSTAL | Section 2.10 | "string" per [jsonschema] | | | | / ML_STRING, Section 2.2.1 | | PHONE | Section 2.11 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] | | SOFTWARE | Section 2.15 | see Section 2.2.2 | | STRUCTURED | RFC 7213 | see Section 2.2.3 | | EXTENSION | Section 2.16 | see Section 2.2.4 | +-----------------+-------------------+-------------------------------+
Figure 1
+-----------------+------------------+-------------------------------------+ | IODEF Data Type | CBOR Data Type | CDDL prelude | | | | [draft-ietf-cbor-cddl-05] Reference | +-----------------+------------------+-------------------------------------+ | INTEGER | 6 tag 2, 6 tag 3 | integer | | REAL | 7 bits 26 | float32 | | CHARACTER | 3 text string | text | | STRING | 3 text string | text | | ML_STRING | 5 map | see Maps/Structs, Section 3.5.1 | | BYTE | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy | | HEXBIN | 2 byte string | bytes | | HEXBIN[] | 2 byte string | bytes | | ENUM | - | see Choices, Section 2.2.2 | | DATETIME | 6 tag 0 | tdate | | TIMEZONE | 3 text string | text | | PORTLIST | 3 text string | text | | POSTAL | 3 text string | text | | | | / see Maps/Structs, Section 3.5.1 | | PHONE | 3 text string | text | | EMAIL | 3 text string | text | | URL | 6 tag 32 | uri | | ID | 3 text string | text | | IDREF | 3 text string | text | | SOFTWARE | 5 map | see Maps/Structs, Section 3.5.1 | | STRUCTURED | 5 map | see Maps/Structs, Section 3.5.1 | | EXTENSION | 5 map | see Maps/Structs, Section 3.5.1 | +-----------------+------------------+-------------------------------------+
Figure 2
A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 5. Examples are shown below.
"MLStringType": {
"value": "free-form text", //STRING
"lang": "en", //ENUM
"translation-id": "jp2en0023" //STRING
}
A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 5. Examples are shown below.
"SoftwareType": {
"SoftwareReference": {...}, //SoftwareReference
"Description": ["MS Windows"] //STRING
}
SoftwareReference class is a reference to a particular version of software. Examples are shown below.
"SoftwareReference": {
"value": "cpe:/a:google:chrome:59.0.3071.115 ", //STRING
"spec-name": "cpe", //ENUM
"dtype": "string", //ENUM
}
Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that this type was originally specified in RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below.
"StructuredInformation": {
"SpecID": "cve", //ENUM
"ContentID": "CVE-2007-5000" //STRING
}
When embedding the raw data, base64 conversion should be used for encoding the data, as shown below.
"StructuredInformation": {
"SpecID": "oval", //ENUM
"RawData": "<<<strings encoded with base64>>>" //BYTE
}
Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below.
"ExtensionType": {
"value": "xxxxxxx", //String
"name": "Syslog", //String
"dtype": "string", //String
"meaning": "Syslog from the security appliance X", //String
}
The following table shows the list of IODEF Classes, their elements, and the corresponding section in [RFC7970]. Note that the complete JSON schema is defined in Section 5 usind CDDL.
+-----------------------------+--------------------+---------------+ | IODEF Class | Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenerationTime | | | | Description* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*, | | | | ContactTitle* | | | | Description* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle | | | | registry | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type? | | | | ext-type? | | | | PAddress | | | | Description* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? | | | | ext-type? | | | | TelephoneNumber | | | | Description* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | | | | AdditionalData* | 3.11 | +-----------------------------+--------------------+---------------+ | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigatingFactor* | | | | Cause* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | 3.12.2 | +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? | | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | System* | | | | Expectation* | | | | RecordData* | | | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? | | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | AdditionalData* | 3.16 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Counter* | 3.17 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.17.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | | | Description* | 3.17.2 | +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | duration? | | | | ext-duration? | 3.17.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate? | | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.18 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.18.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.18.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField*| | | | EmailData? | | | | Application? | 3.19 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | | | | URL* | | | | Description* | 3.19.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | | | EmailFrom? | | | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.19.2 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Application? | | | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.19.3 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.19.4 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.20 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.20.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.21 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | | | Description* | 3.21.1 | +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.22 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? | | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.22.1 | +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.23 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.23.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData* | 3.23.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.24 | +-----------------------------+--------------------+---------------+ | IndicatorID | id | | | | name | | | | version | 3.24.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorReference+| 3.24.2 | +-----------------------------+--------------------+---------------+ | Observable | restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData* | 3.24.3 | +-----------------------------+--------------------+---------------+ | BulkObservable | type? | | | | ext-type? | | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData* | 3.24.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? | | | | AdditionalData* | 3.24.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData* | 3.24.6 | +-----------------------------+--------------------+---------------+ | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.24.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.24.8 | +-----------------------------+--------------------+---------------+
This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information.
A document containing only the mandatory elements and attributes.
{
"version": "2.0",
"lang": "en",
"Incident": [{
"purpose": "reporting",
"restriction": "private",
"IncidentID": {
"id": "492382",
"name": "csirt.example.com"
},
"GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [{
"type": "organization",
"role": "creator",
"Email": [{
"EmailTo": "contact@csirt.example.com"
}]
}]
}]
}
An example of C2 domains from a given campaign.
{
"version": "2.0",
"lang": "en",
"Incidents": [
{
"purpose": "watch",
"restriction": "green",
"IncidentID": {
"id": "897923",
"name": "csirt.example.com"
},
"RelatedActivity": [
{
"ThreatActor": [
{
"ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
"Description": "Aggressive Butterfly"
}
],
"Campaign": [
{
"CampaignID": "C-2015-59405",
"Description": "Orange Giraffe"
}
]
}
],
"GenerationTime": "2015-10-02T11:18:00-05:00",
"Description": [
"Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
],
"Assessment": [
{
"BusinessImpact": {
"type": "breach-proprietary"
}
}
],
"Contacts": [
{
"type": "organization",
"role": "creator",
"ContactName": "CSIRT for example.com",
"Email": {
"emailTo": "contact@csirt.example.com"
}
}
],
"IndicatorList": [
{
"IndicatorID": {
"id": "G90823490",
"name": "csirt.example.com",
"version": "1"
},
"Description": "C2 domains",
"StartTime": "2014-12-02T11:18:00-05:00",
"Observable": {
"BulkObservable": {
"type": "fqdn"
},
"BulkObservableList": [
"kj290023j09r34.example.com",
"09ijk23jfj0k8.example.net",
"klknjwfjiowjefr923.example.org",
"oimireik79msd.example.org"
]
}
}
]
}
]
}
start = iodef
;;; iodef.json: IODEF-Document
iodef = {
version: text
? lang: lang
? format-id: text
? private-enum-name: text
? private-enum-id: text
Incident: [+ Incident]
? AdditionalData: [+ ExtensionType]
}
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" /
"ext-value"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "\d+(\-\d+)?(,\d+(\-\d+)?)*"
action = "nothing" / "contact-source-site" / "cotact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"
MLStringType = {
value: text
?lang: lang
?translation-id: text
}
PositiveFloatType = {
value: float32 .gt 0
}
PAddressType = MLStringType
ExtensionType = {
value: text
? Name: text
dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string"
? ext-dtype: text
? meaning: text
? formatid: text
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
}
SoftwareType = {
? SoftwareReference: SoftwareReference
? URL: [+ uri]
? Description: [+ text / MLStringType]
}
SoftwareReference = {
? value: text
spec-name: "custom" / "cpe" / "swid" / "ext-value"
? ext-spec-name: text
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string"
? ext-dtype: text
}
Incident = {
purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
"ext-value"
? ext-purpose: text
? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
"ext-value"
? ext-status: text
? lang: lang
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
IncidentID: IncidentID
? AlternativeID: AlternativeID
? RelatedActivity: [+ RelatedActivity]
? DetectTime: tdate
? StartTime: tdate
? EndTime: tdate
? RecoveryTime: tdate
? ReportTime: tdate
GenerationTime: tdate
? Description: [+ text / MLStringType]
? Discovery: [+ Discovery]
? Assessment: [+ Assessment]
? Method: [+ Method]
Contact: [+ Contact]
? EventData: [+ EventData]
? Indicator: [+ Indicator]
? History: History
? AdditionalData: [+ ExtensionType]
}
IncidentID = {
id: text
name: text
? instance: text
? restriction: restriction .default "private"
? ext-restriction: text
}
AlternativeID = {
? restriction: restriction .default "private"
? ext-restriction: text
IncidentID: [+ IncidentID]
}
RelatedActivity = {
? restriction: restriction .default "private"
? ext-restriction: text
? IncidentID: [+ IncidentID]
? URL: [+ uri]
? ThreatActor: [+ ThreatActor]
? Campaign: [+ Campaign]
? IndicatorID: [+ IndicatorID]
? Confidence: Confidence
? Description: [+ text]
? AdditionalData: [+ ExtensionType]
}
ThreatActor = {
? restriction: restriction .default "private"
? ext-restriction: text
? ThreatActorID: [+ text]
? URL: [+ uri]
? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType]
}
Campaign = {
? restriction: restriction .default "private"
? ext-restriction: text
? CampaignID: [+ text]
? URL: [+ uri]
? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType]
}
Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value"
? ext-role: text
type: "person" / "organization" / "ext-value"
? ext-type: text
? restriction: restriction .default "private"
? ext-restriction: text
? ContactName: [+ text / MLStringType]
? ContactTitle: [+ text / MLStringType]
? Description: [+ text / MLStringType]
? RegistryHandle: [+ RegistryHandle]
? PostalAddress: [+ PostalAddress]
? Email: [+ Email]
? Telephone: [+ Telephone]
? Timezone: TimeZonetype
? Contact: [+ Contact]
? AdditionalData: [+ ExtensionType]
}
RegistryHandle = {
handle: text
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" /
"local" / "ext-value"
? ext-registry: text
}
PostalAddress = {
? type: text
? ext-type: text
PAddress: PAddressType
? Description: [+ text / MLStringTYpe]
}
Email = {
? type: "direct" / "hotline" / "ext-value"
? ext-type: text
EmailTo: text
? Description: [+ text / MLStringType]
}
Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
? ext-type: text
TelephoneNumber: text
? Description: [+ text / MLStringType]
}
Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investiation" / "audit" /
"international-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value"
? ext-source: text
? restriction: restriction .default "private"
? ext-restriction: text
? Description: [+ text / MLStringType]
? Contact: [+ Contact]
? DetectionPattern: [+ DetectionPattern]
}
DetectionPattern = {
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
Application: SoftwareType
? Description: [+ text / MLStringType]
? DetectionConfiguration: [+ text]
}
Method = {
? restriction: restriction .default "private"
? ext-restriction: text
? Reference: [+ Reference]
? Description: [+ text / MLStringType]
? AttackPattern: [+ StructuredInformation]
? Vulnerability: [+ StructuredInformation]
? Weakness: [+ StructuredInformation]
? AdditionalData: [+ ExtensionType]
}
StructuredInformation = {
specID: text
? ext-specID: text
? contentID: text
? RawData: any
? URL: uri
}
Reference = {
? observable-id: IDtype
? ReferenceName: ReferenceName
? URL: [+ uri]
? Description: [+ text / MLStringType]
}
ReferenceName = {
specIndex: integer
ID: IDtype
}
Assessment = {
? occurrence: "actual" / "potential"
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
? IncidentCategory: [+ text / MLStringType]
Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} /
{TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} /
{MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}]
? Counter: [+ Counter]
? MitigatingFactor: [+ text / MLStringType]
? Cause: [+ text / MLStringType]
? Confidence: Confidence
? AdditionalData: [+ ExtensionType]
}
SystemImpact = {
? severity: "low" / "medium" / "high"
? completion: "failed" / "succeeded"
type: "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" /
"breack-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown"
? ext-type: text
? Description: [+ text / MLStringType]
}
BusinessImpact = {
? severity: "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown"
? ext-severity: text
type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
"loss-of-integrity" / "loss-of-service" / "theft-financial" /
"theft-service" / "degraded-reputation" / "asset-damage" /
"asset-manipulation" / "legal" / "extortion" / "unknown" /
"ext-value" .default "unknown"
? ext-type: text
? Description: [+ text / MLStringType]
}
TimeImpact = {
value: PositiveFloatType
? severity: "low" / "medium" / "high"
metric: "labor" / "elapsed" / "downtime" / "ext-value"
? ext-metric: text
? duration: duration .default "hour"
? ext-duration: text
}
MonetaryImpact = {
value: PositiveFloatType
? severity: "low" / "medium" / "high"
? currency: text
}
Confidence = {
value: float32
rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
? ext-rating: text
}
History = {
? restriction: restriction .default "private"
? ext-restriction: text
HistoryItem: [+ HistoryItem]
}
HistoryItem = {
action: action .default "other"
? ext-action: text
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
DateTime: tdate
? IncidentID: IncidentID
? Contact: Contact
? Description: [+ text / MLStringType]
? DefinedCOA: [+ text]
? AdditionalData: [+ ExtensionType]
}
EventData = {
? restriction: restriction .default "default"
? ext-restriction: text
? observable-id: IDtype
? Description: [+ text / MLStringType]
? DetectTime: tdate
? StartTime: tdate
? EndTime: tdate
? RecoveryTime: tdate
? ReportTime: tdate
? Contact: [+ Contact]
? Discovery: [+ Discovery]
? Assessment: Assessment
? Method: [+ Method]
? System: [+ System]
? Expectation: [+ Expectation]
? RecordData: [+ RecordData]
? EventData: [+ EventData]
? AdditionalData: [+ ExtensionType]
}
Expectation = {
? action: action .default "other"
? ext-action: text
? severity: "low" / "medium" / "high"
? restriction: restriction .default "default"
? ext-restriction: text
? observable-id: IDtype
? Description: [+ text / MLStringType]
? DefinedCOA: [+ text]
? StartTime: tdate
? EndTime: tdate
? Contact: Contact
}
System = {
? category: "source" / "target" / "intermediate" / "sensor" /
"infrastructure" / "ext-value"
? ext-category: text
? interface: text
? spoofed: "unknown" / "yes" / "no" .default "unknown"
? virtual: "yes" / "no" / "unknown" .default "unknown"
? ownership: "organization" / "personal" / "partner" / "customer" /
"no-relationship" / "unknown" / "ext-value"
? ext-ownership: text
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
Node: Node
? NodeRole: [+ NodeRole]
? Service: [+ Service]
? OperatingSystem: [+ SoftwareType]
? Counter: [+ Counter]
? AssetID: [+ text]
? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType]
}
Node = {
? DomainData: [+ DomainData]
? Address: [+ Address]
? PostalAddress: PAddressType
? Location: [+ text / MLSTringType]
? Counter: [+ Counter]
}
Address = {
value: text
category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" /
"ext-value" .default "ipv6-addr"
? ext-category: text
? vlan-name: text
? vlan-num: integer
? observable-id: IDtype
}
NodeRole = {
category: "client" / "client-enterprise" / "clent-partner" /
"client-remote" / "client-kiosk" / "client-mobile" /
"server-internal" / "server-public" / "www" / "mail" /
"webmail" / "messaging" / "streaming" / "voice" / "file" /
"ftp" / "p2p" / "name" / "directory" / "credential" /
"print" / "application" / "database" / "backup" / "dhcp" /
"assessment" / "source-control" / "config-management" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" /
"infra-switch" / "camera" / "proxy" / "remote-access" /
"log" / "virtualization" / "pos" / "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hot-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value"
? ext-category: text
? Description: [+ text / MLStringType]
}
Counter = {
value: float32
type: "count" / "peak" / "average" / "ext-value"
? ext-type: text
unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
"message" / "event" / "host" / "site" / "organization" /
"ext-value"
? ext-unit: text
? meaning: text / MLStringTYpe
? duration: duration .default "hour"
? ext-duration: text
}
DomainData = {
system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
"innocent-hijacked" / "unknown" / "ext-value"
? ext-system-status: text
domain-status: "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value"
? ext-domain-status: text
? observable-id: IDtype
Name: text
? DateDomainWasChecked: tdate
? RegistrationDate: tdate
? ExpirationDate: tdate
? RelatedDNS: [+ ExtensionType]
? NameServers: [+ NameServers]
? DomainContacts: DomainContacts
}
NameServers = {
Server: text
Address: [+ Address]
}
DomainContacts = {
? SameDomainContact: text
Contact: [+ Contact]
}
Service = {
? ip-protocol: integer
? observable-id: IDtype
? ServiceName: ServiceName
? Port: integer
? Portlist: PortlistType
? ProtoCode: integer
? ProtoType: integer
? ProtoField: integer
? ApplicationHeaderField: [+ ExtensionType]
? EmailData: EmailData
? Application: SoftwareType
}
ServiceName = {
? IANAService: text
? URL: [+ uri]
? Description: [+ text / MLStringType]
}
EmailData = {
? observable-id: IDtype
? EmailTo: [+ text]
? EmailFrom: text
? EmailSubject: text
? EmailX-Mailer: text
? EmailHeaderField: [+ ExtensionType]
? EmailHeaders: text
? EmailBody: text
? EmailMessage: text
? HashData: [+ HashData]
? Signature: [+ text]
}
RecordData = {
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
? DateTime: tdate
? Description: [+ text / MLStringType]
? Applicadtion: SoftwareType
? RecordPattern: [+ RecordPattern]
? RecordItem: [+ ExtensionType]
? URL: [+ uri]
? FileData: [+ FileData]
? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
? CertificateData: [+ CertificateData]
? AdditionalData: [+ ExtensionType]
}
RecordPattern = {
value: text
type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
? ext-type: text
? offset: integer
? offsetunit: "line" / "byte" / "ext-value" .default "line"
? ext-offsetunit: text
? instance: integer
}
WindowsRegistryKeysModified = {
? observable-id: IDtype
Key: [+ Key]
}
Key = {
? registryaction: "add-key" / "add-value" / "delete-key" /
"delete-value" / "modify-key" / "modify-value" /
"ext-value"
? ext-registryaction: text
? observable-id: IDtype
KeyName: text
? KeyValue: text
}
CertificateData = {
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
Certificate: [+ Certificate]
}
Certificate = {
? observable-id: IDtype
X509Data: text
? Description: [+ text / MLStringType]
}
FileData = {
? restriction: restriction .default "private"
? ext-restriction: text
? observable-id: IDtype
File: [+ File]
}
File = {
? observable-id: IDtype
? FileName: text
? FileSize: integer
? FileType: text
? URL: [+ uri]
? HashData: HashData
? Signature: [+ text]
? AssociatedSoftware: SoftwareType
? FileProperties: [+ ExtensionType]
}
HashData = {
scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
"file-pe-resource" / "file-pdf-object" / "email-hash" /
"email-hash-header" / "email-hash-body"
? HashTargetID: text
? Hash: [+ Hash]
? FuzzyHash: [+ FuzzyHash]
}
Hash = {
DigestMethod: text
DigestValue: text
? CanonicalizationMethod: any
? Application: SoftwareType
}
FuzzyHash = {
FuzzyHashValue: [+ ExtensionType]
? Application: SoftwareType
? AdditionalData: [+ ExtensionType]
}
Indicator = {
? restriction: restriction .default "private"
? ext-restriction: text
IndicatorID: IndicatorID
? AlternativeIndicatorID: [+ AlternativeIndicatorID]
? Description: [+ text / MLStringType]
? StartTime: tdate
? EndTime: tdate
? Confidence: Confidence
? Contact: [+ Contact]
? Observable: Observable
? uid-ref: IDREFType
? IndicatorExpression: IndicatorExpression
? IndicatorReference: IndicatorReference
? NodeRole: [+ NodeRole]
? AttackPhase: [+ AttackPhase]
? Reference: [+ Reference]
? AdditionalData: [+ ExtensionType]
}
IndicatorID = {
id: IDtype
name: text
version: text
}
AlternativeIndicatorID = {
? restriction: restriction .default "private"
? ext-restriction: text
IndicatorReference: [+ IndicatorReference]
}
Observable = {
? restriction: restriction .default "private"
? ext-restriction: text
? System: System
? Address: Address
? DomainData: DomainData
? EmailData: EmailData
? Service: Service
? WindowsRegistryKeysModified: WindowsRegistryKeysModified
? FileData: FileData
? CertificateData: CertificateData
? RegistryHandle: RegistryHandle
? RecordData: RecordData
? EventData: EventData
? Incident: Incident
? Expectation: Expectation
? Reference: Reference
? Assessment: Assessment
? DetectionPattern: DetectionPattern
? HistoryItem: HistoryItem
? BulkObservable: BulkObservable
? AdditionalData: [+ ExtensionType]
}
BulkObservable = {
? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
"mac" / "site-url" / "domain-name" / "domain-to-ipv4" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
"windows-reg-key" / "file-hash" / "email-x-mailer" /
"email-subject" / "http-user-agent" / "http-request-uri" /
"mutex" / "file-path" / "user-name" / "ext-value"
? ext-type: text
? BulkObservableFormat: BulkObservableFormat
BulkObservableList: text
? AdditionalData: [+ ExtensionType]
}
BulkObservableFormat = {
? Hash: Hash
? AdditionalData: [+ ExtensionType]
}
IndicatorExpression = {
? operator: "not" / "and" / "or" / "xor" .default "and"
? ext-operator: text
? IndicatorExpression: [+ IndicatorExpression]
? Observable: [+ Observable]
? uid-ref: [+ IDREFType]
? IndicatorReference: [+ IndicatorReference]
? Confidence: Confidence
? AdditionalData: [+ ExtensionType]
}
IndicatorReference = {
? uid-ref: IDREFType
? euid-ref: text
? version: text
}
AttackPhase = {
? AttackPhaseID: [+ text]
? URL: [+ uri]
? Description: [+ text / MLStringType]
? AdditionalData: [+ ExtensionType]
}
Figure 3: Data Model in CDDL
We would like to thank Yasuaki Morita, Henk Birkholz and Carsten Bormann for their insightful comments on CDDL.
This document registers a JSON schema.
This memo does not provide any further security considerations than the one described in [RFC7970].
| [jsonschema] | "JSON Schema", 2006. http://json-schema.org/ |
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC7970] | Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016. |
This section provides a JSON schema that defines the IODEF Data Model defined in this draft.
{ "$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"action": {"enum": ["nothing","contact-source-site",
"contact-target-site","contact-sender","investigate",
"block-host","block-network","block-port","rate-limit-host",
"rate-limit-network","rate-limit-port","redirect-traffic",
"honeypot","upgrade-software","rebuild-asset","harden-asset",
"remediate-other","status-triage","status-new-info",
"watch-and-report","training","defined-coa","ext-value"]},
"duration": {"enum": ["second","minute","hour","day","month","quarter",
"year","ext-value"]},
"lang": {"enum": ["en","jp"]},
"purpose": {"enum": ["traceback","mitigation","reporting","watch",
"other","ext-value"]},
"restriction": {"enum": ["public","partner","need-to-know","private",
"default","white","green","amber","red","ext-value"]},
"status": {"enum": ["new","in-progress","forwarded","resolved",
"future","ext-value"]},
"DATETIME": {"type": "string"},
"PORTLIST": {"type": "string"},
"URLtype": {"type": "string"},
"IDtype": {"type": "string"},
"ExtensionType": {
"type": "object",
"properties": {
"name": {"type": "string"},
"dtype": {"enum": ["boolean","byte","bytes","character","date-time",
"ntpstamp","integer","portlist","real","string","file",
"path","frame","packet","ipv4-packet","ipv6-packet","url",
"csv","winreg","xml","ext-value"]},
"ext-dtype": {"type": "string"},
"meaning": {"type": "string"},
"formatid": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}},
"ExtensionTypeList": {
"type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}},
"SoftwareType": {
"type": "object",
"properties": {
"SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
"URL": {"$ref": "#/definitions/URLtype"},
"Description": {"type": "array", "items": {"type":"string"}}},
"required": [],
"additionalProperties": false},
"SoftwareReference": {
"type": "object",
"properties": {
"value": {"type": "string"},
"spec-name": {"type": "string"},
"ext-spec-name": {"type": "string"},
"dtype": {"type": "string"},
"ext-dtype": {"type": "string"}},
"required": ["spec-name"],
"additionalProperties": false},
"StructuredInfo": {
"type": "object",
"properties": {
"specID": {"type": "string"},
"ext-specID": {"type": "string"},
"contentID": {"type": "string"},
"RawData": {"type": "string"},
"URL": {"$ref": "#/definitions/URLtype"}},
"required": ["specID"],
"additionalProperties": false},
"Incident": {
"title": "Incident",
"description": "JSON schema for Incident class",
"type": "object",
"properties": {
"purpose": {"$ref": "#/definitions/purpose"},
"ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"},
"RelatedActivity": {
"type": "array",
"items": {"$ref": "#/definitions/RelatedActivity"}},
"DetectTime": {"type": "string"},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"RecoveryTime": {"type": "string"},
"ReportTime": {"type": "string"},
"GenerationTime": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}},
"Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {
"type": "array","items": {"$ref": "#/definitions/Assessment"}},
"Methods": {
"type": "array","items": {"$ref": "#/definitions/Method"}},
"Contacts": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}},
"IndicatorList": {
"type": "array","items": {"$ref": "#/definitions/Indicator"}},
"History": {"$ref": "#/definitions/History"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IncidentID","GenerationTime","Contacts","purpose"],
"additionalProperties": false},
"IncidentID": {
"title": "IncidentID",
"description": "JSON schema for IncidentID class",
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"instance": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}},
"required": ["name"],
"additionalProperties": false},
"AlternativeID": {
"title": "AlternativeID",
"description": "JSON schema for AlternativeID class",
"type": "object",
"properties": {
"IncidentID": {
"type": "array","items":{"$ref": "#/definitions/IncidentID"}},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"}},
"required": ["IncidentID"],
"additionalProperties": false},
"RelatedActivity": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IncidentID": {
"type": "array","items": {"$ref": "#/definitions/IncidentID"}},
"URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"ThreatActor": {
"type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
"Campaign": {
"type": "array","items": {"$ref": "#/definitions/Campaign"}},
"IndicatorID": {
"type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Description": { "type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"ThreatActor": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"ThreatActorID": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}},
"URL": {"type":"array","items":{"$ref":"#/definitions/URLtype"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false},
"Campaign": {
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"CampaignID": {"type": "array", "items": {"type": "string"}},
"URL": {"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
"Contact": {
"type": "object",
"properties": {
"role": {
"enum": ["creator","reporter","admin","tech","provider","user",
"billing","legal","irt","abuse","cc","cc-irt","leo",
"vendor","vendor-support","victim","victim-notified",
"ext-value"]},
"ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]},
"ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"ContactName": {"type": "array", "items": {"type": "string"}},
"ContactTitle": {"type": "array", "items": {"type": "string"}},
"Description": {"type": "array", "items": {"type": "string"}},
"RegistryHandle": {
"type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}},
"PostalAddress": {
"type":"array", "items":{"$ref":"#/definitions/PostalAddress"}},
"Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
"Telephone": {
"type": "array", "items": {"$ref": "#/definitions/Telephone"}},
"Timezone": {"type": "string"},
"Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role","type"],
"additionalProperties": false},
"RegistryHandle": {
"type": "object",
"properties": {
"handle": {"type": "string"},
"registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
"local","ext-value"]},
"ext-registry": {"type": "string"}},
"required": ["registry"],
"additionalProperties": false},
"PostalAddress": {
"type": "object",
"properties": {
"type": {"type": "string"},
"ext-type": {"type": "string"},
"PAddress": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["PAddress"],
"additionalProperties": false},
"Email": {
"type": "object",
"properties": {
"type": {
"enum":["direct","hotline","ext-value"]},
"ext-type": {"type": "string"},
"EmailTo": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["EmailTo"],
"additionalProperties": false},
"Telephone": {
"type": "object",
"properties": {
"type": {
"enum":["wired","mobile","fax","hotline","ext-value"]},
"ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": ["TelephoneNumber"],
"additionalProperties": false},
"Discovery": {
"type": "object",
"properties": {
"source": {
"enum":["nidps","hips","siem","av","third-party-monitoring",
"incident","os-log","application-log","device-log",
"network-flow","passive-dns","investigation","audit",
"internal-notification","external-notification","leo",
"partner","actor","unknown","ext-value"]},
"ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"Description": {"type": "array", "items": {"type": "string"}},
"Contact": {
"type": "array", "items": {"$ref": "#/definitions/Contact"}},
"DetectionPattern": {
"type":"array",
"items":{"$ref":"#/definitions/DetectionPattern"}}},
"required": [],
"additionalProperties": false},
"DetectionPattern": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Application": {"$ref": "#/definitions/SoftwareType"},
"Description": {"type": "array", "items": {"type": "string"}},
"DetectionConfiguration": {
"type": "array", "items": {"type": "string"}}},
"required": ["Application"],
"additionalProperties": false},
"Method": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"References": {
"type": "array","items": {"$ref": "#/definitions/Reference"}},
"Description": {"type": "array", "items": {"type": "string"}},
"AttackPattern": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"Vulnerability": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"Weakness": {
"type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"Reference": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"type": "string"},
"URL":{"type":"array", "items":{"$ref":"#/definitions/URLtype"}},
"Description": {"type": "array", "items": {"type": "string"}}},
"required": [],
"additionalProperties": false},
"Assessment": {
"type": "object",
"properties": {
"occurrence": {"enum":["actual","potential"]},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": {"type": "array", "items": {"type": "string"}},
"SystemImpact": {
"type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
"BusinessImpact": {
"type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
"TimeImpact": {
"type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
"MonetaryImpact": {
"type":"array", "items":{"$ref":"#/definitions/MonetaryImpact"}},
"IntendedImpact": {
"type":"array", "items":{"$ref":"#/definitions/BusinessImpact"}},
"Counter": {
"type": "array", "items": {"$ref": "#/definitions/Counter"}},
"MitigatingFactor": {
"type": "array", "items": {"$type": "string"}},
"Cause": {"type": "array", "items": {"$type": "string"}},
"Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"SystemImpact": {
"type": "object",
"properties": {
"severity": {
"enum":["low","medium","high"]},
"completion": {"enum":["failed","succeeded"]},
"type": {
"enum":["takeover-account","takeover-service","takeover-system",
"cps-manipulation","cps-damage","availability-data",
"availability-account","availability-service",
"availability-system","damaged-system","damaged-data",
"breach-proprietary","breach-privacy","breach-credential",
"breach-configuration","integrity-data",
"integrity-configuration","integrity-hardware",
"traffic-redirection","monitoring-traffic",
"monitoring-host","policy","unknown","ext-value"]},
"ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["type"],
"additionalProperties": false},
"BusinessImpact": {
"type": "object",
"properties": {
"severity": {
"enum":["none","low","medium","high","unknown","ext-value"]},
"ext-severity": {"type":"string"},
"type": {
"enum":["breach-proprietary","breach-privacy","breach-credential",
"loss-of-integrity","loss-of-service","theft-financial",
"theft-service","degraded-reputation","asset-damage",
"asset-manipulation","legal","extortion","unknown",
"ext-value"]},
"ext-type": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["type"],
"additionalProperties": false},
"TimeImpact": {
"type": "object",
"properties": {
"value": {"type": "number"},
"severity": {"enum": ["low","medium","high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
"ext-metric": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"},
"ext-duration": {"type": "string"}},
"required": ["metric"],
"additionalProperties": false},
"MonetaryImpact": {
"type": "object",
"properties": {
"value": {"type": "number"},
"severity": {"enum":["low","medium","high"]},
"currency": {"type": "string"}},
"required": [],
"additionalProperties": false},
"Confidence": {
"type": "object",
"properties": {
"value": {"type": "number"},
"rating": {
"enum": ["low","medium","high","numeric","unknown","ext-value"]},
"ext-rating": {"type":"string"}},
"required": ["rating"],
"additionalProperties": false},
"History": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"HistoryItem": {
"type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
"required": ["HistoryItem"],
"additionalProperties": false},
"HistoryItem": {
"type": "object",
"properties": {
"action": {"$ref": "#/definitions/action"},
"ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"},
"Description": {"type": "array","items": {"type": "string"}},
"DefinedCOA": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime","action"],
"additionalProperties": false},
"EventData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}},
"DetectTime": {"type": "string"},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"RecoveryTime": {"type": "string"},
"ReportTime": {"type": "string"},
"Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"Discovery": {
"type": "array","items": {"$ref": "#/definitions/Discovery"}},
"Assessment": {"$ref": "#/definitions/Assessment"},
"Method": {
"type": "array","items": {"$ref": "#/definitions/Method"}},
"System": {
"type": "array","items": {"$ref": "#/definitions/System"}},
"Expectation": {
"type": "array","items": {"$ref": "#/definitions/Expectation"}},
"RecordData": {"type": "array",
"items": {"$ref": "#/definitions/RecordData"}},
"EventData": {
"type": "array","items": {"$ref": "#/definitions/EventData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["ReportTime"],
"additionalProperties": false},
"Expectation": {
"type": "object",
"properties": {
"action": {"$ref":"#/definitions/action"},
"ext-action": {"type": "string"},
"severity": {"enum": ["low","medium","high"]},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array","items": {"type": "string"}},
"DefinedCOA": {"type": "array","items": {"type": "string"}},
"StartTime": {"type": "string"},
"EndTime": {"type": "string"},
"Contact": {"$ref": "#/definitions/Contact"}},
"required": [],
"additionalProperties": false},
"System": {
"type": "object",
"properties": {
"category": {
"enum": ["source","target","intermediate","sensor",
"infrastructure","ext-value"]},
"ext-category": {"type": "string"},
"interface": {"type": "string"},
"spoofed": {"enum": ["unknown","yes","no"]},
"virtual": {"enum": ["yes","no","unknown"]},
"ownership": {
"enum":["organization","personal","partner","customer",
"no-relationship","unknown","ext-value"]},
"ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Node": {"$ref": "#/definitions/Node"},
"NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"Service": {
"type": "array","items": {"$ref": "#/definitions/Service"}},
"OperatingSystem": {
"type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
"Counter": {
"type": "array","items": {"$ref": "#/definitions/Counter"}},
"AssetID": {"type": "array","items": {"type": "string"}},
"Description": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"],
"additionalProperties": false},
"Node": {
"type": "object",
"properties": {
"DomainData": {
"type": "array","items": {"$ref": "#/definitions/DomainData"}},
"Address": {
"type": "array","items": {"$ref": "#/definitions/Address"}},
"PostalAddress": {"type": "string"},
"Location": {"type": "array","items": {"type": "string"}},
"Counter": {"type":"array",
"items":{"$ref":"#/definitions/Counter"}}},
"required": [],
"additionalProperties": false},
"Address": {
"type": "object",
"properties": {
"value": {"type": "string"},
"category": {
"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
"ipv6-net-masked","mac","site-url","ext-value"]},
"ext-category": {"type": "string"},
"vlan-name": {"type": "string"},
"vlan-num": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["category"],
"additionalProperties": false},
"NodeRole": {
"type": "object",
"properties": {
"category": {
"enum":["client","client-enterprise","clent-partner",
"client-remote","client-kiosk","client-mobile",
"server-internal","server-public","www","mail","webmail",
"messaging","streaming","voice","file","ftp","p2p","name",
"directory","credential","print","application","database",
"backup","dhcp","assessment","source-control",
"config-management","monitoring","infra","infra-firewall",
"infra-router","infra-switch","camera","proxy",
"remote-access","log","virtualization","pos", "scada",
"scada-supervisory","sinkhole","honeypot","anomyzation",
"c2-server","malware-distribution","drop-server",
"hot-point","reflector","phishing-site",
"spear-phishing-site","recruiting-site",
"fraudulent-site","ext-value"]},
"ext-category": {"type": "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["category"],
"additionalProperties": false},
"Counter": {
"type": "object",
"properties": {
"value": {"type": "string"},
"type": {"enum": ["count","peak","average","ext-value"]},
"ext-type": {"type": "string"},
"unit": {"enum": ["byte","mbit","packet","flow","session","alert",
"message","event","host","site","organization",
"ext-value"]},
"ext-unit": {"type": "string"},
"meaning": {"type": "string"},
"duration": {"$ref":"#/definitions/duration"},
"ext-duration": {"type": "string"}},
"required": ["type","unit"],
"additionalProperties": false},
"DomainData": {
"type": "object",
"properties": {
"system-status": {
"enum": ["spoofed","fraudulent","innocent-hacked",
"innocent-hijacked","unknown","ext-value"]},
"ext-system-status": {"type": "string"},
"domain-status": {
"enum": [
"reservedDelegation","assignedAndActive","assignedAndInactive",
"assignedAndOnHold","revoked","transferPending","registryLock",
"registrarLock","other","unknown","ext-value"]},
"ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"},
"DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
"RegistrationDate": {"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"NameServers": {
"type": "array","items": {"$ref": "#/definitions/NameServers"}},
"DomainContacts": {
"$ref": "#/definitions/DomainContacts"}},
"required": ["Name","system-status","domain-status"],
"additionalProperties": false},
"NameServers": {
"type": "object",
"properties": {
"Server": {"type": "string"},
"Address": {"type":"array",
"items":{"$ref":"#/definitions/Address"}}},
"required": ["Server","Address"],
"additionalProperties": false},
"DomainContacts": {
"type": "object",
"properties": {
"SameDomainContact": {"type": "string"},
"Contact": {"type":"array",
"items":{"$ref":"#/definitions/Contact"}}},
"required": ["Contact"],
"additionalProperties": false},
"Service": {
"type": "object",
"properties": {
"ip-protocol": {"type": "integer"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "integer"},
"Portlist": {"$ref": "#/definitions/PORTLIST"},
"ProtoCode": {"type": "integer"},
"ProtoType": {"type": "integer"},
"ProtoField": {"type": "integer"},
"ApplicationHeaderField":{"$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}},
"required": [],
"additionalProperties": false},
"ServiceName": {
"type": "object",
"properties": {
"IANAService": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}}},
"required": [],
"additionalProperties": false},
"EmailData": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"EmailTo": {"type": "array","items": {"type": "string"}},
"EmailFrom": {"type": "string"},
"EmailSubject": {"type": "string"},
"EmailX-Mailer": {"type": "string"},
"EmailHeaderField": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"EmailHeaders": {"type": "string"},
"EmailBody": {"type": "string"},
"EmailMessage": {"type": "string"},
"HashData": {
"type": "array","items": {"$ref": "#/definitions/HashData"}},
"Signature": {"type": "array","items": {"type": "string"}}},
"required": [],
"additionalProperties": false},
"RecordData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"},
"Description": {"type": "array","items": {"type": "string"}},
"Applicadtion": {"$ref": "#/definitions/SoftwareType"},
"RecordPattern": {
"type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
"RecordItem": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"FileData": {
"type": "array","items": {"$ref": "#/definitions/FileData"}},
"WindowsRegistryKeysModified": {
"type": "array",
"items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
"CertificateData": {
"type":"array","items":{"$ref":"#/definitions/CertificateData"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false
},
"RecordPattern": {
"type": "object",
"properties": {
"value": {"type": "string"},
"type": {"enum": ["regex","binary","xpath","ext-value"]},
"ext-type": {"type": "string"},
"offset": {"type": "integer"},
"offsetunit": {"enum":["line","byte","ext-value"]},
"ext-offsetunit": {"type": "string"},
"instance": {"type": "integer"}},
"required": ["type"],
"additionalProperties": false},
"WindowsRegistryKeysModified": {
"type": "object",
"properties": {
"observabile-id": {"$ref": "#/definitions/IDtype"},
"Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
"required": ["Key"],
"additionalProperties": false},
"Key": {
"type": "object",
"properties": {
"registryaction": {"enum": ["add-key","add-value","delete-key",
"delete-value","modify-key","modify-value",
"ext-value"]},
"ext-registryaction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"KeyName": {"type":"string"},
"KeyValue": {"type": "string"}},
"required": ["KeyName"],
"additionalProperties": false},
"CertificateData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"Certificate": {
"type": "array","items": {"$ref": "#/definitions/Certificate"}}},
"required": ["Certificate"],
"additionalProperties": false},
"Certificate": {
"type": "object",
"properties": {
"observable-id": {"$ref": "#/definitions/IDtype"},
"X509Data": {type: "string"},
"Description": {"type": "array","items": {"type": "string"}}},
"required": ["X509Data"],
"additionalProperties": false},
"FileData": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"},
"File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
"required": ["File"],
"additionalProperties": false},
"File": {
"type": "object",
"properties": {
"FileName": {"type": "string"},
"FileSize": {"type": "integer"},
"FileType": {"type": "string"},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"HashData": {"$ref": "#/definitions/HashData"},
"Signature": {"type": "array","items": {"type": "string"}},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
"FileProperties": {
"type":"array","items":{"$ref":"#/definitions/ExtensionType"}}},
"required": [],
"additionalProperties": false},
"HashData": {
"type": "object",
"properties": {
"scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
"file-pe-resource","file-pdf-object","email-hash",
"email-hash-header","email-hash-body"]},
"HashTargetID": {"type": "string"},
"Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
"FuzzyHash": {
"type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
"required": ["scope"],
"additionalProperties": false},
"Hash": {
"type": "object",
"properties": {
"DigestMethod": {"type": "string"},
"DigestValue": {"type": "string"},
"CanonicalizationMethod": {},
"Application": {"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod","DigestValue"],
"additionalProperties": false},
"FuzzyHash": {
"type": "object",
"properties": {
"FuzzyHashValue": {
"type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
"Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"],
"additionalProperties": false},
"Indicator": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": {
"type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
"Description": {"type": "array","items": {"type": "string"}},
"StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": {
"type": "array","items": {"$ref": "#/definitions/Contact"}},
"Observable": {"$ref": "#/definitions/Observable"},
"uid-ref": {"type": "string"},
"IndicatorExpression":{"$ref":"#/definitions/IndicatorExpression"},
"IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
"NodeRole": {
"type": "array","items": {"$ref": "#/definitions/NodeRole"}},
"AttackPhase": {
"type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
"Reference": {
"type": "array","items": {"$ref": "#/definitions/Reference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IndicatorID"],
"additionalProperties": false},
"IndicatorID": {
"type": "object",
"properties": {
"id": {"type": "string"},
"name": {"type": "string"},
"version": {"type": "string"}},
"required": ["name","version"],
"additionalProperties": false},
"AlternativeIndicatorID": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"IndicatorReference": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}}},
"required": ["IndicatorReference"],
"additionalProperties": false},
"Observable": {
"type": "object",
"properties": {
"restriction": {"$ref": "#/definitions/restriction"},
"ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"},
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
"RecordData": {"type": "array",
"item": {"$ref": "#/definitions/Record"}},
"EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"$ref": "#/definitions/BulkObservable"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"BulkObservable": {
"type": "object",
"properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
"mac","site-url","domain-name","domain-to-ipv4",
"domain-to-ipv6","domain-to-ipv4-timestamp",
"domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
"windows-reg-key","file-hash","email-x-mailer",
"email-subject","http-user-agent","http-request-url",
"mutex","file-path","user-name","ext-value"]},
"ext-type": {"type": "string"},
"BulkObservableFormant":{
"$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "array", "item":{"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"BulkObservableFormat": {
"type": "object",
"properties": {
"Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"IndicatorExpression": {
"type": "object",
"properties": {
"operator": {"enum": ["not","and","or","xor"]},
"ext-operator": {"type": "string"},
"IndicatorExpression": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}},
"Observable": {
"type": "array","items": {"$ref": "#/definitions/Observable"}},
"uid-ref": {"type": "string"},
"IndicatorReference": {
"type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false},
"IndicatorReference": {
"type": "object",
"properties": {
"uid-ref": {"type": "string"},
"euid-ref": {"type": "string"},
"version": {"type": "string"}},
"required": [],
"additionalProperties": false},
"AttackPhase": {
"type": "object",
"properties": {
"AttackPhaseID": {"type": "array","items": {"type": "string"}},
"URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
"Description": {"type": "array","items": {"type": "string"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": [],
"additionalProperties": false}},
"title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class",
"type": "object",
"properties": {
"version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"},
"private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"},
"Incident": {
"type": "array","items": {"$ref": "#/definitions/Incident"}},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version","Incident"],
"additionalProperties": false}
Figure 4: JSON schema