<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
    which is available here: http://xml.resource.org. --> encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
    There has to be one entity for each item to be referenced.
    An alternate method (rfc include) is described in the references. -->

<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3986 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3986.xml">
<!ENTITY RFC4648 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4648.xml">
<!ENTITY RFC7049 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7049.xml">
<!ENTITY RFC7203 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7203.xml">
<!ENTITY RFC7970 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7970.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8259 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8259.xml">
<!ENTITY RFC8610 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.8610.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
    please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
    (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
    (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions --> "rfc2629-xhtml.ent">

<rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="std" consensus="true" docName="draft-ietf-mile-jsoniodef-14" ipr="trust200902">
 <!-- category values: std, bcp, info, exp, and historic
    ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902,
       or pre5378Trust200902
    you can add the attributes updates="NNNN" and obsoletes="NNNN"
    they will automatically be output with "(if approved)" -->

 <!-- ***** FRONT MATTER ***** --> number="8727" ipr="trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="4" symRefs="true" sortRefs="true" version="3">

 <front>
   <!-- The abbreviated title is used in the page header - it is only necessary if the
        full title is longer than 39 characters -->
   <title abbrev="JSON-IODEF">JSON binding Binding of IODEF</title>

   <!-- add 'role="editor"' below for the editors if appropriate -->

   <!-- Another author who claims to be an editor --> Incident Object Description Exchange Format</title>
   <seriesInfo name="RFC" value="8727"/>
   <author fullname="Takeshi Takahashi" initials="T.T." initials="T." surname="Takahashi">
      <organization abbrev="NICT"> National Institute of Information and Communications Technology</organization>
      <address>
        <postal>
	  <extaddr></extaddr>
          <street>4-2-1 Nukui-Kitamachi</street>
         <city>Koganei</city>
         <region>Tokyo</region>
          <region>Koganei, Tokyo</region>
          <code>184-8795</code>
          <country>Japan</country>
        </postal>
        <phone>+81 42 327 5862</phone>
        <email>takeshi_takahashi@nict.go.jp</email>

       <!-- uri and facsimile elements may also be added -->
     </address>
    </author>
    <author fullname="Roman Danyliw" initials="R.D." initials="R." surname="Danyliw">
      <organization abbrev="CERT">CERT, Software Engineering Institute, Carnegie Mellon University</organization>
      <address>
        <postal>
          <street>4500 Fifth Avenue</street>
          <city>Pittsburgh</city>
          <region>PA</region>
         <country>USA</country>
          <country>United States of America</country>
        </postal>
        <email>rdd@cert.org</email>

       <!-- uri and facsimile elements may also be added -->
     </address>
    </author>
    <author fullname="Mio Suzuki" initials="M.S." initials="M." surname="Suzuki">
      <organization abbrev="NICT"> National Institute of Information and Communications Technology</organization>
      <address>
        <postal>
          <extaddr></extaddr>
          <street>4-2-1 Nukui-Kitamachi</street>
         <city>Koganei</city>
         <region>Tokyo</region>
          <region>Koganei, Tokyo</region>
          <code>184-8795</code>
          <country>Japan</country>
        </postal>
        <email>mio@nict.go.jp</email>

       <!-- uri and facsimile elements may also be added -->
     </address>
    </author>
   <date year="2020" month="August" />

   <!-- If the month and year are both specified and are the current ones, xml2rfc will fill
        in the current day for you. If only the current year is specified, xml2rfc will fill

   <area>Security</area>
    <workgroup>MILE</workgroup>

<keyword>CBOR</keyword>
<keyword>JSON</keyword>
<keyword>IODEF</keyword>

   <abstract>
      <t>The Incident Object Description Exchange Format (IODEF) defined in the current day RFC 7970 provides an information model and month for you. If the year is not the current one, it is
	 necessary to specify at least a month (xml2rfc assumes day="1" if not specified corresponding XML data model for the
	 purpose of calculating the expiry date).  With drafts it is normally sufficient exchanging incident and indicator information. This document gives implementers and operators an alternative format to
	 specify just the year. -->

   <!-- Meta-data Declarations -->

   <area>Security</area>

   <workgroup>MILE</workgroup>

   <!-- WG name at the upperleft corner of the doc,
        IETF is fine for individual submissions.
	 If this element is not present, the default is "Network Working Group",
        which is used by the RFC Editor as a nod to the history of the IETF. -->

   <keyword>CBOR, JSON, IODEF</keyword>

   <!-- Keywords will be incorporated into HTML output
        files in a meta tag but they have no effect on text or nroff
        output. If you submit your draft to the RFC Editor, the
        keywords will be used for the search engine. -->

   <abstract>
   <t>The Incident Object Description Exchange Format defined in RFC 7970 provides an information model and a corresponding XML data model for exchanging incident and indicator information. This draft gives implementers and operators an alternative format to exchange exchange the same information by defining an alternative data model implementation in JSON and its encoding in CBOR.</t> Concise Binary Object Representation (CBOR).</t>
    </abstract>
  </front>
  <middle>
    <section title="Introduction"> numbered="true" toc="default">
      <name>Introduction</name>
      <t><xref target="RFC7970">The target="RFC7970" format="default">The Incident Object Description Exchange Format (IODEF)</xref> defines a data representation for security incident reports and indicators commonly exchanged by operational security teams.  It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of <xref target="RFC7970" /> defined an  An information model using Unified Modeling Language (UML) is defined in <xref target="RFC7970" sectionFormat="of" section="3"/> and a corresponding Extensible Markup Language (XML) schema data model is defined in Section 8. <xref target="RFC7970" sectionFormat="of" section="8"/>.  This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively respectively, in this document.</t>

      <t>IODEF documents are structured and thus suitable for machine processing. They will streamline incident response operations.
Another well-used and structured format that is suitable for machine processing is <xref target="RFC8259">JavaScript target="RFC8259" format="default">JavaScript Object Notation (JSON)</xref>.
To facilitate the automation of incident response operations, IODEF documents and implementations should support JSON representation and it its encoding in <xref target="RFC7049">Concise target="RFC7049" format="default">Concise Binary Object Representation (CBOR)</xref>.</t>

      <t>This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) JSON data model using <xref target="RFC8610">Concise target="RFC8610" format="default">Concise Data Definition Language (CDDL)</xref> and a JSON Schema <xref target="I-D.handrews-json-schema-validation"/>. target="I-D.handrews-json-schema-validation" format="default"/>.  This JSON data model is referred to as IODEF JSON in this document. IODEF JSON provides all of the expressivity of IODEF XML.  It gives implementers and operators an alternative format to exchange the same information.</t>

      <t>The normative IODEF JSON data model is found in <xref target="cddlSection" />. format="default"/>.  Sections <xref target="dt" /> format="counter"/> and <xref target="dm" /> format="counter"/> describe the data types and elements of this data model.  <xref target="examples" /> format="default"/> provides examples. </t>
      <section title="Requirements Language">
       <t>The numbered="true" toc="default">
        <name>Requirements Language</name>
        <t>
    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
       "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
    NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and
       "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
    described in BCP
       14 BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC2119"/><xref target="RFC8174"/>
    when, and only when, they appear in all capitals, as shown here.</t> here.
        </t>
      </section>
    </section>
    <section title="IODEF anchor="dt" numbered="true" toc="default">
      <name>IODEF Data Types" anchor="dt"> Types</name>
      <t>IODEF JSON implements the abstract data types specified in Section 2 of <xref target="RFC7970" />.</t> sectionFormat="of" section="2"/>.</t>
      <section title="Abstract numbered="true" toc="default">
        <name>Abstract Data Type to JSON Data Type Mapping"> Mapping</name>
        <t>IODEF JSON uses native and derived JSON data types. <xref target="dtmap" /> format="default"/> describes the mapping between the abstract data types in Section 2 of <xref target="RFC7970" /> sectionFormat="of" section="2"/> and their corresponding implementations in IODEF JSON.</t>

<figure align="center"

<table anchor="dtmap" title="JSON align="left">
  <name>JSON Data Types"><artwork align="left"><![CDATA[
+-----------------+-------------------+-------------------------------+
| IODEF Types</name>
  <thead>
    <tr>
      <th>IODEF Data Type |      [RFC7970]    |       JSON Type</th>
      <th>Reference</th>
      <th>JSON Data Type          |
|                 |      Reference    |                               |
+-----------------+-------------------+-------------------------------+
| INTEGER         | Section 2.1       | integer, Type</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>INTEGER</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.1"/></td>
      <td>integer; see Section 2.2.1    |
| REAL            | Section 2.2       | "number" <xref target="integer"/></td>
    </tr>
 <tr>
      <td>REAL</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.2"/></td>
      <td>"number" per [RFC8259]        |
| CHARACTER       | Section 2.3       | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>CHARACTER</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
      <td>"string" per [RFC8259]        |
| STRING          | Section 2.3       | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>STRING</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
      <td>"string" per [RFC8259]        |
| ML_STRING       | Section 2.4       | see Section 2.2.2             |
| BYTE            | Section 2.5.1     | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>ML_STRING</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.4"/></td>
      <td>see <xref target="ml_string"/></td>
    </tr>
 <tr>
      <td>BYTE</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
      <td>"string" per [RFC8259]        |
| BYTE[]          | Section 2.5.1     | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>BYTE[]</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
      <td>"string" per [RFC8259]        |
| HEXBIN          | Section 2.5.2     | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>HEXBIN</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
      <td>"string" per [RFC8259]        |
| HEXBIN[]        | Section 2.5.2     | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>HEXBIN[]</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
      <td>"string" per [RFC8259]        |
| ENUM            | Section 2.6       | see Section 2.2.3             |
| DATETIME        | Section 2.7       | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>ENUM</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.6"/></td>
      <td>see <xref target="enum"/></td>
    </tr>
 <tr>
      <td>DATETIME</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.7"/></td>
      <td>"string" per [RFC8259]        |
| TIMEZONE        | Section 2.8       | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>TIMEZONE</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.8"/></td>
      <td>"string" per [RFC8259]        |
| PORTLIST        | Section 2.9       | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>PORTLIST</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.9"/></td>
      <td>"string" per [RFC8259]        |
| POSTAL          | Section 2.10      | ML_STRING, Section 2.2.2      |
| PHONE           | Section 2.11      | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>POSTAL</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.10"/></td>
      <td>ML_STRING; see <xref target="ml_string"/></td>
    </tr>
 <tr>
      <td>PHONE</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.11"/></td>
      <td>"string" per [RFC8259]        |
| EMAIL           | Section 2.12      | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>EMAIL</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.12"/></td>
      <td>"string" per [RFC8259]        |
| URL             | Section 2.13      | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>URL</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.13"/></td>
      <td>"string" per [RFC8259]        |
| ID              | Section 2.14      | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>ID</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
      <td>"string" per [RFC8259]        |
| IDREF           | Section 2.14      | "string" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>IDREF</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
      <td>"string" per [RFC8259]        |
| SOFTWARE        | Section 2.15      | see Section 2.2.4             |
| STRUCTUREDINFO  | [RFC 7203]        | see Section 2.2.5             |
| EXTENSION       | Section 2.16      | see Section 2.2.6             |
+-----------------+-------------------+-------------------------------+
]]></artwork></figure>

<figure align="center" <xref target="RFC8259"/></td>
    </tr>
 <tr>
      <td>SOFTWARE</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.15"/></td>
      <td>see <xref target="software"/></td>
    </tr>
 <tr>
      <td>STRUCTUREDINFO</td>
      <td><xref target="RFC7203" sectionFormat="of" section="4.4"/></td>
      <td>see <xref target="STRUCTUREDINFO"/></td>
    </tr>
 <tr>
      <td>EXTENSION</td>
      <td><xref target="RFC7970" sectionFormat="of" section="2.16"/></td>
      <td>see <xref target="extension"/></td>
    </tr>
</tbody>
</table>

<table anchor="dtmap_cbor" title="CBOR align="left">
  <name>CBOR Data Types"><artwork align="left"><![CDATA[
+-----------------+------------------+---------------------------------+
| IODEF Types</name>
  <thead>
    <tr>
      <th>IODEF Data Type |  CBOR Type</th>
      <th>CBOR Data Type  |          CDDL prelude           |
|                 |                  |            [RFC8610]            |
+-----------------+------------------+---------------------------------+
| INTEGER         | Type</th>
      <th>CDDL Prelude <xref target="RFC8610"/></th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>INTEGER</td>
      <td> 0, 1, 6 tag 2,   | integer                         |
|                 | 6 tag 3         |                                 |
| REAL            | 7 3</td>
      <td>integer</td>
    </tr>
  <tr>
      <td>REAL</td>
      <td>7 bits 26        | float32                         |
| CHARACTER       | 3                | text                            |
| STRING          | 3                | text                            |
| ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
| BYTE            | 6 26</td>
      <td>float32</td>
    </tr>
  <tr>
      <td>CHARACTER</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>STRING</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>ML_STRING</td>
      <td>5</td>
      <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
    </tr>
 <tr>
      <td>BYTE</td>
      <td>6 tag 22         | eb64legacy                      |
| BYTE[]          | 6 22</td>
      <td>eb64legacy</td>
    </tr>
 <tr>
      <td>BYTE[]</td>
      <td>6 tag 22         | eb64legacy                      |
| HEXBIN          | 6 22</td>
      <td>eb64legacy</td>
    </tr>
 <tr>
      <td>HEXBIN</td>
      <td>6 tag 23         | eb16                            |
| HEXBIN[]        | 6 23</td>
      <td>eb16</td>
    </tr>
 <tr>
      <td>HEXBIN[]</td>
      <td>6 tag 23         | eb16                            |
| ENUM            | -                | Choices (Section 2.2.2)         |
| DATETIME        | 6 23</td>
      <td>eb16</td>
    </tr>
 <tr>
      <td>ENUM</td>
      <td>-</td>
      <td>Choices (<xref target="RFC8610" section="2.2.2" sectionFormat="of"/>)</td>
    </tr>
 <tr>
      <td>DATETIME</td>
      <td>6 tag 0          | tdate                           |
| TIMEZONE        | 3                | text                            |
| PORTLIST        | 3                | text                            |
| POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
| PHONE           | 3                | text                            |
| EMAIL           | 3                | text                            |
| URL             | 6 0</td>
      <td>tdate</td>
    </tr>
 <tr>
      <td>TIMEZONE</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>PORTLIST</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>POSTAL</td>
      <td>3</td>
      <td>ML_STRING (<xref target="ml_string"/>)</td>
    </tr>
 <tr>
      <td>PHONE</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>EMAIL</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>URL</td>
      <td>6 tag 32         | uri                             |
| ID              | 3                | text                            |
| IDREF           | 3                | text                            |
| SOFTWARE        | 5                | Maps/Structs (Section 3.5.1)    |
| STRUCTUREDINFO  | 5                | Maps/Structs (Section 3.5.1)    |
| EXTENSION       | 5                | Maps/Structs (Section 3.5.1)    |
+-----------------+------------------+---------------------------------+
]]></artwork></figure> 32</td>
      <td>uri</td>
    </tr>
 <tr>
      <td>ID</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>IDREF</td>
      <td>3</td>
      <td>text</td>
    </tr>
 <tr>
      <td>SOFTWARE</td>
      <td>5</td>
      <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
    </tr>
 <tr>
      <td>STRUCTUREDINFO</td>
      <td>5</td>
      <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
    </tr>
 <tr>
      <td>EXTENSION</td>
      <td>5</td>
      <td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of"/>)</td>
    </tr>
</tbody>
</table>

      </section>
      <section title="Complex numbered="true" toc="default">
        <name>Complex JSON Types"> Types</name>
        <section title="Integer"> numbered="true" toc="default" anchor="integer">
          <name>Integer</name>
          <t>An integer is a subset of the "number" type of JSON, which represents signed digits encoded in Base 10. The definition of this integer is "[ minus ] int" in per <xref target="RFC8259"/> Section 6 manner.</t> target="RFC8259" sectionFormat="comma" section="6"/>.</t>
        </section>
        <section title="Multilingual Strings"> numbered="true" toc="default" anchor="ml_string">
          <name>Multilingual Strings</name>
          <t>A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as either an object with "value", "lang", and "translation-id" elements or a text string as defined in <xref target="cddlSection"/>. target="cddlSection" format="default"/>. An example is shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
        <sourcecode type=""><![CDATA[
"MLStringType": {
  "value": "free-form text",                              # STRING
  "lang": "en",                                             # ENUM
  "translation-id": "jp2en0023"                           # STRING
}
]]></artwork></figure>
]]></sourcecode>
          <t>Note that in figures throughout this document, some supplementary information follows "#", but these are not valid syntax in JSON, but JSON; instead, they are intended to facilitate reader understanding.</t>
        </section>
        <section title="Enum"> numbered="true" toc="default" anchor="enum">
          <name>Enum</name>
          <t>Enum is an ordered list of acceptable string values. Each value has a representative keyword.  Within the data model, the enumerated type keywords are used as attribute values.</t>
        </section>
        <section title="Software numbered="true" toc="default" anchor="software">
          <name>Software and Software Reference"> Reference</name>
          <t>A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, <xref target="RFC3986">a target="RFC3986" format="default">a Uniform Resource Locator (URL)</xref>, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in <xref target="cddlSection"/>. target="cddlSection" format="default"/>. Examples are shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
         <sourcecode type=""><![CDATA[
"SoftwareType": {
  "SoftwareReference": {...},                  # SoftwareReference
  "Description": ["MS Windows"]                           # STRING
}
]]></artwork></figure>
]]></sourcecode>
          <t>SoftwareReference class is a reference to a particular version of software. Examples are shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
       <sourcecode type=""><![CDATA[
"SoftwareReference": {
  "value": "cpe:/a:google:chrome:59.0.3071.115",          # STRING
  "spec-name": "cpe",                                       # ENUM
  "dtype": "string"                                         # ENUM
}
]]></artwork></figure>
]]></sourcecode>
        </section>
        <section title="Structured Information" anchor="StructuredInfo"> anchor="STRUCTUREDINFO" numbered="true" toc="default">
          <name>Structured Information</name>
          <t>Information provided in a the form of a structured string, such as an ID, or structured information, such as XML documents, is represented in the information model by the STRUCTUREDINFO data type. Note that this type was originally specified in Section 4.4 of <xref target="RFC7203" /> sectionFormat="of" section="4.4"/> as a basic structure of its extension classes. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", and "Reference" elements. An example for embedding a structured ID is shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
"StructuredInfo":
         <sourcecode type=""><![CDATA[
"STRUCTUREDINFO": {
  "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",          # ENUM
  "ContentID": "CWE-89"                                   # STRING
}
]]></artwork></figure>
]]></sourcecode>
          <t>When embedding the raw data, it should be encoded as a BYTE type object, as shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
"StructuredInfo":
        <sourcecode type=""><![CDATA[
"STRUCTUREDINFO": {
  "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",        # ENUM
  "RawData": "<<< encoded structured data >>>"              # BYTE
}
]]></artwork></figure>
]]></sourcecode>
          <t>When embedding the raw data, base64 encoding defined in Section 4 of <xref target="RFC4648"/> MUST target="RFC4648" sectionFormat="of" section="4"/> <bcp14>MUST</bcp14> be used for JSON IODEF while binary representation MUST <bcp14>MUST</bcp14> be used for CBOR IODEF.</t>
        </section>
        <section title="EXTENSION"> numbered="true" toc="default" anchor="extension">
          <name>EXTENSION</name>
          <t>Information not otherwise represented in the IODEF can be added using the EXTENSION data type.  This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below.</t>

<figure align="center"><artwork align="left"><![CDATA[
         <sourcecode type=""><![CDATA[
"ExtensionType": {
  "value": "xxxxxxx",                                     # STRING
  "name": "Syslog",                                       # STRING
  "dtype": "string",                                        # ENUM
  "meaning": "Syslog from the security appliance X"       # STRING
}
]]></artwork></figure>
]]></sourcecode>
          <t>Note that this data type is specified in <xref target="RFC7970" /> format="default"/> as its generic extension mechanism. If a data item has internal structure that is intended to be processed outside of the IODEF framework, one may consider using StructuredInfo the STRUCTUREDINFO data type mentioned in <xref target="StructuredInfo"/>.</t> target="STRUCTUREDINFO" format="default"/>.</t>
        </section>
      </section>
    </section>
    <section title="IODEF anchor="dm" numbered="true" toc="default">
      <name>IODEF JSON Data Model" anchor="dm"> Model</name>
      <section title="Classes numbered="true" toc="default">
        <name>Classes and Elements"> Elements</name>
        <t> The following table shows the list of IODEF Classes, classes and their elements, elements and the corresponding section sections in <xref target="RFC7970" />. format="default"/>. Note that the complete JSON schema is defined in <xref target="cddlSection"/> target="cddlSection" format="default"/> using CDDL.</t>

<figure align="center"

<table anchor="iodef_classes" title="IODEF Classes"><artwork align="left"><![CDATA[
+-----------------------------+--------------------+---------------+
| IODEF Class                 | Class              | Corresponding |
|                             | Elements and       | Section       |
|                             | Attribute          | in [RFC7970]  |
+-----------------------------+--------------------+---------------+
| IODEF-Document              | version            | 3.1           |
|                             | lang?              |               |
|                             | format-id?         |               |
|                             | private-enum-name? |               |
|                             | private-enum-id?   |               |
|                             | Incident+          |               |
|                             | AdditionalData*    |               |
+-----------------------------+--------------------+---------------+
| Incident                    | purpose            | 3.2           |
|                             | ext-purpose?       |               |
|                             | status?            |               |
|                             | ext-status?        |               |
|                             | lang?              |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | IncidentID         |               |
|                             | AlternativeID?     |               |
|                             | RelatedActivity*   |               |
|                             | DetectTime?        |               |
|                             | StartTime?         |               |
|                             | EndTime?           |               |
|                             | RecoveryTime?      |               |
|                             | ReportTime?        |               |
|                             | GenerationTime     |               |
|                             | Description*       |               |
|                             | Discovery*         |               |
|                             | Assessment*        |               |
|                             | Method*            |               |
|                             | Contact+           |               |
|                             | EventData*         |               |
|                             | Indicator*         |               |
|                             | History?           |               |
|                             | AdditionalData*    |               |
+-----------------------------+--------------------+---------------+
| IncidentID                  | id                 | 3.4           |
|                             | name               |               |
|                             | instance?          |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
+-----------------------------+--------------------+---------------+
| AlternativeID               | restriction?       | 3.5           |
|                             | ext-restriction?   |               |
|                             | IncidentID+        |               |
+-----------------------------+--------------------+---------------+
| RelatedActivity             | restriction?       | 3.6           |
|                             | ext-restriction?   |               |
|                             | IncidentID*        |               |
|                             | URL*               |               |
|                             | ThreatActor*       |               |
|                             | Campaign*          |               |
|                             | IndicatorID*       |               |
|                             | Confidence?        |               |
|                             | Description*       |               |
|                             | AdditionalData*    |               |
+-----------------------------+--------------------+---------------+
| ThreatActor                 | restriction?       | 3.7           |
|                             | ext-restriction?   |               |
|                             | ThreatActorID*     |               |
|                             | URL*               |               |
|                             | Description*       |               |
|                             | AdditionalData*    |               |
+-----------------------------+--------------------+---------------+
| Campaign                    | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | CampaignID*        |               |
|                             | URL*               |               |
|                             | Description*       |               |
|                             | AdditionalData*    | 3.8           |
+-----------------------------+--------------------+---------------+
| Contact                     | role               |               |
|                             | ext-role?          |               |
|                             | type               |               |
|                             | ext-type?          |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | ContactName*,      |               |
|                             | ContactTitle*      |               |
|                             | Description*       |               |
|                             | RegistryHandle*    |               |
|                             | PostalAddress*     |               |
|                             | Email*             |               |
|                             | Telephone*         |               |
|                             | Timezone?          |               |
|                             | Contact*           |               |
|                             | AdditionalData*    | 3.9           |
+-----------------------------+--------------------+---------------+
| RegistryHandle              | handle             |               |
|                             | registry           |               |
|                             | ext-registry?      | 3.9.1         |
+-----------------------------+--------------------+---------------+
| PostalAddress               | type?              |               |
|                             | ext-type?          |               |
|                             | PAddress           |               |
|                             | Description*       | 3.9.2         |
+-----------------------------+--------------------+---------------+
| Email                       | type?              |               |
|                             | ext-type?          |               |
|                             | EmailTo            |               |
|                             | Description*       | 3.9.3         |
+-----------------------------+--------------------+---------------+
| Telephone                   | type?              |               |
|                             | ext-type?          |               |
|                             | TelephoneNumber    |               |
|                             | Description*       | 3.9.4         |
+-----------------------------+--------------------+---------------+
| Discovery                   | source?            |               |
|                             | ext-source?        |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | Description*       |               |
|                             | Contact*           |               |
|                             | DetectionPattern*  | 3.10          |
+-----------------------------+--------------------+---------------+
| DetectionPattern            | restriction?       | 3.10.1        |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | Application        |               |
|                             | Description*       |               |
|                             | DetectionConfiguration*  |         |
+-----------------------------+--------------------+---------------+
| Method                      | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | Reference*         |               |
|                             | Description*       |               |
|                             | AttackPattern*     |               |
|                             | Vulnerability*     |               |
|                             | Weakness*          |               |
|                             | AdditionalData*    | 3.11          |
+-----------------------------+--------------------+---------------+
| Weakness (TBD)              | restriction?       |               |
|                             | ext-restriction?   |               |
+-----------------------------+--------------------+---------------+
| Reference                   | observable-id?     |               |
|                             | ReferenceName?     |               |
|                             | URL*               |               |
|                             | Description*       | 3.11.1        |
+-----------------------------+--------------------+---------------+
| Assessment                  | occurence?         |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | IncidentCategory*  |               |
|                             | SystemImpact*      |               |
|                             | BusinessImpact*    |               |
|                             | TimeImpact*        |               |
|                             | MonetaryImpact*    |               |
|                             | IntendedImpact*    |               |
|                             | Counter*           |               |
|                             | MitigatingFactor*  |               |
|                             | Cause*             |               |
|                             | Confidence?        |               |
|                             | AdditionalData*    | 3.12          |
+-----------------------------+--------------------+---------------+
| SystemImpact                | severity?          |               |
|                             | completion?        |               |
|                             | type               |               |
|                             | ext-type?          |               |
|                             | Description*       | 3.12.1        |
+-----------------------------+--------------------+---------------+
| BusinessImpact              | severity?          |               |
|                             | ext-severity?      |               |
|                             | type               |               |
|                             | ext-type?          |               |
|                             | Description*       | 3.12.2        |
+-----------------------------+--------------------+---------------+
| TimeImpact                  | value              |               |
|                             | severity?          |               |
|                             | metric             |               |
|                             | ext-metric?        |               |
|                             | duration?          |               |
|                             | ext-duration?      | 3.12.3        |
+-----------------------------+--------------------+---------------+
| MonetaryImpact              | value              |               |
|                             | severity?          |               |
|                             | currency?          | 3.12.4        |
+-----------------------------+--------------------+---------------+
| Confidence                  | value              |               |
|                             | rating             |               |
|                             | ext-rating?        | 3.12.5        |
+-----------------------------+--------------------+---------------+
| History                     | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | HistoryItem+       | 3.13          |
+-----------------------------+--------------------+---------------+
| HistoryItem                 | action             |               |
|                             | ext-action?        |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | DateTime           |               |
|                             | IncidentID?        |               |
|                             | Contact?           |               |
|                             | Description*       |               |
|                             | DefinedCOA*        |               |
|                             | AdditionalData*    | 3.13.1        |
+-----------------------------+--------------------+---------------+
| EventData                   | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | Description*       |               |
|                             | DetectTime?        |               |
|                             | StartTime?         |               |
|                             | EndTime?           |               |
|                             | RecoveryTime?      |               |
|                             | ReportTime?        |               |
|                             | Contact*           |               |
|                             | Discovery*         |               |
|                             | Assessment?        |               |
|                             | Method*            |               |
|                             | System*            |               |
|                             | Expectation*       |               |
|                             | RecordData*        |               |
|                             | EventData*         |               |
|                             | AdditionalData*    | 3.14          |
+-----------------------------+--------------------+---------------+
| Expectation                 | action?            |               |
|                             | ext-action?        |               |
|                             | severity?          |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | Description*       |               |
|                             | DefinedCOA*        |               |
|                             | StartTime?         |               |
|                             | EndTime?           |               |
|                             | Contact?           | 3.15          |
+-----------------------------+--------------------+---------------+
| System                      | category?          |               |
|                             | ext-category?      |               |
|                             | interface?         |               |
|                             | spoofed?           |               |
|                             | virtual?           |               |
|                             | ownership?         |               |
|                             | ext-ownership?     |               |
|                             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | Node               |               |
|                             | NodeRole*          |               |
|                             | Service*           |               |
|                             | OperatingSystem*   |               |
|                             | Counter*           |               |
|                             | AssetID*           |               |
|                             | Description*       |               |
|                             | AdditionalData*    | 3.17          |
+-----------------------------+--------------------+---------------+
| Node                        | DomainData*        |               |
|                             | Address*           |               |
|                             | PostalAddress?     |               |
|                             | Location*          |               |
|                             | Counter*           | 3.18          |
+-----------------------------+--------------------+---------------+
| Address                     | value              |               |
|                             | category           |               |
|                             | ext-category?      |               |
|                             | vlan-name?         |               |
|                             | vlan-num?          |               |
|                             | observable-id?     | 3.18.1        |
+-----------------------------+--------------------+---------------+
| NodeRole                    | category           |               |
|                             | ext-category?      |               |
|                             | Description*       | 3.18.2        |
+-----------------------------+--------------------+---------------+
| Counter                     | value              |               |
|                             | type               |               |
|                             | ext-type?          |               |
|                             | unit               |               |
|                             | ext-unit?          |               |
|                             | meaning?           |               |
|                             | duration?          |               |
|                             | ext-duration?      | 3.18.3        |
+-----------------------------+--------------------+---------------+
| DomainData                  | system-status      |               |
|                             | ext-system-status? |               |
|                             | domain-status      |               |
|                             | ext-domain-status? |               |
|                             | observable-id?     |               |
|                             | Name               |               |
|                             | DateDomainWasChecked?|             |
|                             | RegistrationDate?  |               |
|                             | ExpirationDate?    |               |
|                             | RelatedDNS*        |               |
|                             | Nameservers*       |               |
|                             | DomainContacts?    | 3.19          |
+-----------------------------+--------------------+---------------+
| Nameserver                  | Server             |               |
|                             | Address*           | 3.19.1        |
+-----------------------------+--------------------+---------------+
| DomainContacts              | SameDomainContact? |               |
|                             | Contact+           | 3.19.2        |
+-----------------------------+--------------------+---------------+
| Service                     | ip-protocol?       |               |
|                             | observable-id?     |               |
|                             | ServiceName?       |               |
|                             | Port?              |               |
|                             | Portlist?          |               |
|                             | ProtoCode?         |               |
|                             | ProtoType?         |               |
|                             | ProtoField?        |               |
|                             | ApplicationHeaderField*|           |
|                             | EmailData?         |               |
|                             | Application?       | 3.20          |
+-----------------------------+--------------------+---------------+
| ServiceName                 | IANAService?       |               |
|                             | URL*               |               |
|                             | Description*       | 3.20.1        |
+-----------------------------+--------------------+---------------+
| EmailData                   | observable-id?     |               |
|                             | EmailTo*           |               |
|                             | EmailFrom?         |               |
|                             | EmailSubject?      |               |
|                             | EmailX-Mailer?     |               |
|                             | EmailHeaderField*  |               |
|                             | EmailHeaders?      |               |
|                             | EmailBody?         |               |
|                             | EmailMessage?      |               |
|                             | HashData*          |               |
|                             | Signature*         | 3.21          |
+-----------------------------+--------------------+---------------+
| RecordData                  | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | DateTime?          |               |
|                             | Description*       |               |
|                             | Application?       |               |
|                             | RecordPattern*     |               |
|                             | RecordItem*        |               |
|                             | URL*               |               |
|                             | FileData*          |               |
|                             | WindowsRegistryKeysModified*|      |
|                             | CertificateData*   |               |
|                             | AdditionalData*    | 3.22.1        |
+-----------------------------+--------------------+---------------+
| RecordPattern               | type               |               |
|                             | ext-type?          |               |
|                             | offset?            |               |
|                             | offsetunit?        |               |
|                             | ext-offsetunit?    |               |
|                             | instance?          |               |
|                             | value              | 3.22.2        |
+-----------------------------+--------------------+---------------+
| WindowsRegistryKeysModified | observable-id?     | 3.23          |
|                             | Key+               |               |
+-----------------------------+--------------------+---------------+
| Key                         | registryaction?    |               |
|                             | ext-registryaction?|               |
|                             | observable-id?     |               |
|                             | KeyName            |               |
|                             | KeyValue?          | 3.23.1        |
+-----------------------------+--------------------+---------------+
| CertificateData             | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | Certificate+       | 3.24          |
+-----------------------------+--------------------+---------------+
| Certificate                 | observable-id?     |               |
|                             | X509Data           |               |
|                             | Description*       | 3.24.1        |
+-----------------------------+--------------------+---------------+
| FileData                    | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | observable-id?     |               |
|                             | File+              | 3.25          |
+-----------------------------+--------------------+---------------+
| File                        | observable-id?     |               |
|                             | FileName?          |               |
|                             | FileSize?          |               |
|                             | FileType?          |               |
|                             | URL*               |               |
|                             | HashData?          |               |
|                             | Signature*         |               |
|                             | AssociatedSoftware?|               |
|                             | FileProperties*    | 3.25.1        |
+-----------------------------+--------------------+---------------+
| HashData                    | scope              |               |
|                             | HashTargetID?      |               |
|                             | Hash*              |               |
|                             | FuzzyHash*         | 3.26          |
+-----------------------------+--------------------+---------------+
| Hash                        | DigestMethod       |               |
|                             | DigestValue        |               |
|                             | CanonicalizationMethod?|           |
|                             | Application?       | 3.26.1        |
+-----------------------------+--------------------+---------------+
| FuzzyHash                   | FuzzyHashValue+    |               |
|                             | Application?       |               |
|                             | AdditionalData*    | 3.26.2        |
+-----------------------------+--------------------+---------------+
| Indicator                   | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | IndicatorID        |               |
|                             | AlternativeIndicatorID*|           |
|                             | Description*       |               |
|                             | StartTime?         |               |
|                             | EndTime?           |               |
|                             | Confidence?        |               |
|                             | Contact*           |               |
|                             | Observable?        |               |
|                             | uid-ref?           |               |
|                             | IndicatorExpression?|              |
|                             | IndicatorReference?|               |
|                             | NodeRole*          |               |
|                             | AttackPhase*       |               |
|                             | Reference*         |               |
|                             | AdditionalData*    | 3.29          |
+-----------------------------+--------------------+---------------+
| IndicatorID                 | id                 |               |
|                             | name               |               |
|                             | version            | 3.29.1        |
+-----------------------------+--------------------+---------------+
| AlternativeIndicatorID      | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | IndicatorID+       | 3.29.2        |
+-----------------------------+--------------------+---------------+
| Observable                  | restriction?       |               |
|                             | ext-restriction?   |               |
|                             | System?            |               |
|                             | Address?           |               |
|                             | DomainData?        |               |
|                             | Service?           |               |
|                             | EmailData?         |               |
|                             | WindowsRegistryKeysModified?|      |
|                             | FileData?          |               |
|                             | CertificateData?   |               |
|                             | RegistryHandle?    |               |
|                             | RecordData?        |               |
|                             | EventData?         |               |
|                             | Incident?          |               |
|                             | Expectation?       |               |
|                             | Reference?         |               |
|                             | Assessment?        |               |
|                             | DetectionPattern?  |               |
|                             | HistoryItem?       |               |
|                             | BulkObservable?    |               |
|                             | AdditionalData*    | 3.29.3        |
+-----------------------------+--------------------+---------------+
| BulkObservable              | type?              |               |
|                             | ext-type?          |               |
|                             | BulkObservableFormat?|             |
|                             | BulkObservableList |               |
|                             | AdditionalData*    | 3.29.4        |
+-----------------------------+--------------------+---------------+
| BulkObservableFormat        | Hash?              |               |
|                             | AdditionalData*    | 3.29.5        |
+-----------------------------+--------------------+---------------+
| IndicatorExpression         | operator?          |               |
|                             | ext-operator?      |               |
|                             | IndicatorExpression*|              |
|                             | Observable*        |               |
|                             | uid-ref*           |               |
|                             | IndicatorReference*|               |
|                             | Confidence?        |               |
|                             | AdditionalData*    | 3.29.6        |
+-----------------------------+--------------------+---------------+
| IndicatorReference          | uid-ref?           |               |
|                             | euid-ref?          |               |
|                             | version?           | 3.29.7        |
+-----------------------------+--------------------+---------------+
| AttackPhase                 | AttackPhaseID*     |               |
|                             | URL*               |               |
|                             | Description*       |               |
|                             | AdditionalData*    | 3.29.8        |
+-----------------------------+--------------------+---------------+
]]></artwork></figure> align="left">
  <name>IODEF Classes</name>
  <thead>
    <tr>
      <th>IODEF Class</th>
      <th>Class, Element, and Attribute</th>
      <th>Section in <xref target="RFC7970"/></th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>IODEF-Document</td>
      <td><ul bare="true" empty="true" spacing="compact">
<li>version</li>
<li>lang?</li>
<li>format-id?</li>
<li>private-enum-name?</li>
<li>private-enum-id?</li>
<li>Incident+</li>
<li>AdditionalData*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.1"/></td>
    </tr>

  <tr>
      <td>Incident</td>
      <td><ul bare="true" empty="true" spacing="compact">
<li>purpose</li>
<li>ext-purpose?</li>
<li>status?</li>
<li>ext-status?</li>
<li>lang?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>IncidentID</li>
<li>AlternativeID?</li>
<li>RelatedActivity*</li>
<li>DetectTime?</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>RecoveryTime?</li>
<li>ReportTime?</li>
<li>GenerationTime</li>
<li>Description*</li>
<li>Discovery*</li>
<li>Assessment*</li>
<li>Method*</li>
<li>Contact+</li>
<li>EventData*</li>
<li>Indicator*</li>
<li>History?</li>
<li>AdditionalData*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.2"/></td>
    </tr>

   <tr>
      <td>IncidentID</td>
      <td><ul bare="true" empty="true" spacing="compact">
<li>id</li>
<li>name</li>
<li>instance?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.4"/></td>
    </tr>
 <tr>
      <td>AlternativeID</td>
      <td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IncidentID+</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.5"/></td>
    </tr>
 <tr>
      <td>RelatedActivity</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IncidentID*</li>
<li>URL*</li>
<li>ThreatActor*</li>
<li>Campaign*</li>
<li>IndicatorID*</li>
<li>Confidence?</li>
<li>Description*</li>
<li>AdditionalData*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.6"/></td>
    </tr>
<tr>
      <td>ThreatActor</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>ThreatActorID*</li>
<li>URL*</li>
<li>Description*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.7"/></td>
    </tr>
<tr>
      <td>Campaign</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>CampaignID*</li>
<li>URL*</li>
<li>Description*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.8"/></td>
     </tr>
<tr>
      <td>Contact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>role</li>
<li>ext-role?</li>
<li>type</li>
<li>ext-type?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>ContactName*</li>
<li>ContactTitle*</li>
<li>Description*</li>
<li>RegistryHandle*</li>
<li>PostalAddress*</li>
<li>Email*</li>
<li>Telephone*</li>
<li>Timezone?</li>
<li>Contact*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.9"/></td>
     </tr>
 <tr>
      <td>RegistryHandle</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>handle</li>
<li>registry</li>
<li>ext-registry?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.9.1"/></td>
     </tr>
<tr>
      <td>PostalAddress</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>PAddress</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.9.2"/></td>
     </tr>

<tr>
      <td>Email</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>EmailTo</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.9.3"/></td>
     </tr>
<tr>
      <td>Telephone</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>TelephoneNumber</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.9.4"/></td>
     </tr>
<tr>
      <td>Discovery</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>source?</li>
<li>ext-source?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>Description*</li>
<li>Contact*</li>
<li>DetectionPattern*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.10"/></td>
     </tr>

<tr>
      <td>DetectionPattern</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Application</li>
<li>Description*</li>
<li>DetectionConfiguration*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.10.1"/></td>
    </tr>
<tr>
      <td>Method</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>Reference*</li>
<li>Description*</li>
<li>AttackPattern*</li>
<li>Vulnerability*</li>
<li>Weakness*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.11"/></td>
     </tr>

<tr>
      <td>Weakness</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
      </ul></td>
      <td><xref target="RFC7203" sectionFormat="bare" section="4.5.5"/> in <xref target="RFC7203"/></td>

    </tr>
<tr>
      <td>Reference</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>ReferenceName?</li>
<li>URL*</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.11.1"/></td>
     </tr>
<tr>
      <td>Assessment</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>occurrence?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>IncidentCategory*</li>
<li>SystemImpact*</li>
<li>BusinessImpact*</li>
<li>TimeImpact*</li>
<li>MonetaryImpact*</li>
<li>IntendedImpact*</li>
<li>Counter*</li>
<li>MitigatingFactor*</li>
<li>Cause*</li>
<li>Confidence?</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12"/></td>
     </tr>
<tr>
      <td>SystemImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>severity?</li>
<li>completion?</li>
<li>type</li>
<li>ext-type?</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12.1"/></td>
     </tr>
<tr>
      <td>BusinessImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>severity?</li>
<li>ext-severity?</li>
<li>type</li>
<li>ext-type?</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12.2"/></td>
     </tr>
<tr>
      <td>TimeImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>severity?</li>
<li>metric</li>
<li>ext-metric?</li>
<li>duration?</li>
<li>ext-duration?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12.3"/></td>
     </tr>
<tr>
      <td>MonetaryImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>severity?</li>
<li>currency?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12.4"/></td>
     </tr>
<tr>
      <td>Confidence</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>rating</li>
<li>ext-rating?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.12.5"/></td>
     </tr>
<tr>
      <td>History</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>HistoryItem+</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.13"/></td>
     </tr>
<tr>
      <td>HistoryItem</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>action</li>
<li>ext-action?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>DateTime</li>
<li>IncidentID?</li>
<li>Contact?</li>
<li>Description*</li>
<li>DefinedCOA*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.13.1"/></td>
     </tr>
<tr>
      <td>EventData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Description*</li>
<li>DetectTime?</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>RecoveryTime?</li>
<li>ReportTime?</li>
<li>Contact*</li>
<li>Discovery*</li>
<li>Assessment?</li>
<li>Method*</li>
<li>System*</li>
<li>Expectation*</li>
<li>RecordData*</li>
<li>EventData*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.14"/></td>
     </tr>
 <tr>
      <td>Expectation</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>action?</li>
<li>ext-action?</li>
<li>severity?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Description*</li>
<li>DefinedCOA*</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>Contact?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.15"/></td>
     </tr>
<tr>
      <td>System</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>category?</li>
<li>ext-category?</li>
<li>interface?</li>
<li>spoofed?</li>
<li>virtual?</li>
<li>ownership?</li>
<li>ext-ownership?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>Node</li>
<li>NodeRole*</li>
<li>Service*</li>
<li>OperatingSystem*</li>
<li>Counter*</li>
<li>AssetID*</li>
<li>Description*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.17"/></td>
     </tr>
<tr>
      <td>Node</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>DomainData*</li>
<li>Address*</li>
<li>PostalAddress?</li>
<li>Location*</li>
<li>Counter*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.18"/></td>
     </tr>
<tr>
      <td>Address</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>category</li>
<li>ext-category?</li>
<li>vlan-name?</li>
<li>vlan-num?</li>
<li>observable-id?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.18.1"/></td>
     </tr>
<tr>
      <td>NodeRole</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>category</li>
<li>ext-category?</li>
<li>Description*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.18.2"/></td>
     </tr>
<tr>
      <td>Counter</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>type</li>
<li>ext-type?</li>
<li>unit</li>
<li>ext-unit?</li>
<li>meaning?</li>
<li>duration?</li>
<li>ext-duration?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.18.3"/></td>
     </tr>
 <tr>
      <td>DomainData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>system-status</li>
<li>ext-system-status?</li>
<li>domain-status</li>
<li>ext-domain-status?</li>
<li>observable-id?</li>
<li>Name</li>
<li>DateDomainWasChecked?</li>
<li>RegistrationDate?</li>
<li>ExpirationDate?</li>
<li>RelatedDNS*</li>
<li>Nameservers*</li>
<li>DomainContacts?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.19"/></td>
     </tr>
 <tr>
      <td>Nameservers</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>Server</li>
<li>Address*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.19.1"/></td>
    </tr>
<tr>
      <td>DomainContacts</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>SameDomainContact?</li>
<li>Contact+</li>

      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.19.2"/></td>
    </tr>

 <tr>
      <td>Service</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>ip-protocol?</li>
<li>observable-id?</li>
<li>ServiceName?</li>
<li>Port?</li>
<li>Portlist?</li>
<li>ProtoCode?</li>
<li>ProtoType?</li>
<li>ProtoField?</li>
<li>ApplicationHeaderField*</li>
<li>EmailData?</li>
<li>Application?</li>

      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.20"/></td>
     </tr>
<tr>
      <td>ServiceName</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>IANAService?</li>
<li>URL*</li>
<li>Description*</li>

      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.20.1"/></td>
    </tr>
<tr>
      <td>EmailData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>EmailTo*</li>
<li>EmailFrom?</li>
<li>EmailSubject?</li>
<li>EmailX-Mailer?</li>
<li>EmailHeaderField*</li>
<li>EmailHeaders?</li>
<li>EmailBody?</li>
<li>EmailMessage?</li>
<li>HashData*</li>
<li>Signature*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.21"/></td>
     </tr>

<tr>
      <td>RecordData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>DateTime?</li>
<li>Description*</li>
<li>Application?</li>
<li>RecordPattern*</li>
<li>RecordItem*</li>
<li>URL*</li>
<li>FileData*</li>
<li>WindowsRegistryKeysModified*</li>
<li>CertificateData*</li>
<li>AdditionalData*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.22.1"/></td>
     </tr>

<tr>
      <td>RecordPattern</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type</li>
<li>ext-type?</li>
<li>offset?</li>
<li>offsetunit?</li>
<li>ext-offsetunit?</li>
<li>instance?</li>
<li>value</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.22.2"/></td>
     </tr>
<tr>
      <td>WindowsRegistryKeysModified</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>Key+</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.23"/></td>
    </tr>
<tr>
      <td>Key</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>registryaction?</li>
<li>ext-registryaction?</li>
<li>observable-id?</li>
<li>KeyName</li>
<li>KeyValue?</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.23.1"/></td>
     </tr>

<tr>
      <td>CertificateData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Certificate+</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.24"/></td>
     </tr>

<tr>
      <td>Certificate</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>X509Data</li>
<li>Description*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.24.1"/></td>
     </tr>
<tr>
      <td>FileData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>File+</li>

      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.25"/></td>
     </tr>
<tr>
      <td>File</td>

<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>FileName?</li>
<li>FileSize?</li>
<li>FileType?</li>
<li>URL*</li>
<li>HashData?</li>
<li>Signature*</li>
<li>AssociatedSoftware?</li>
<li>FileProperties*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.25.1"/></td>
     </tr>
<tr>
      <td>HashData</td>

<td><ul bare="true" empty="true" spacing="compact">
<li>scope</li>
<li>HashTargetID?</li>
<li>Hash*</li>
<li>FuzzyHash*</li>
      </ul></td>

      <td><xref target="RFC7970" sectionFormat="bare" section="3.26"/></td>
     </tr>

<tr>
      <td>Hash</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>DigestMethod</li>
<li>DigestValue</li>
<li>CanonicalizationMethod?</li>
<li>Application?</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.26.1"/></td>
     </tr>

<tr>
      <td>FuzzyHash</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>FuzzyHashValue+</li>
<li>Application?</li>
<li>AdditionalData*</li>
      </ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.26.2"/></td>
    </tr>

<tr>
      <td>Indicator</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IndicatorID</li>
<li>AlternativeIndicatorID*</li>
<li>Description*</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>Confidence?</li>
<li>Contact*</li>
<li>Observable?</li>
<li>uid-ref?</li>
<li>IndicatorExpression?</li>
<li>IndicatorReference?</li>
<li>NodeRole*</li>
<li>AttackPhase*</li>
<li>Reference*</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29"/></td>
     </tr>

<tr>
      <td>IndicatorID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>id</li>
<li>name</li>
<li>version</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.1"/></td>
     </tr>
<tr>
      <td>AlternativeIndicatorID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IndicatorID+</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.2"/></td>
     </tr>
<tr>
      <td>Observable</td>
<td><ul bare="true" empty="true" spacing="compact">

<li>restriction?</li>
<li>ext-restriction?</li>
<li>System?</li>
<li>Address?</li>
<li>DomainData?</li>
<li>Service?</li>
<li>EmailData?</li>
<li>WindowsRegistryKeysModified?</li>
<li>FileData?</li>
<li>CertificateData?</li>
<li>RegistryHandle?</li>
<li>RecordData?</li>
<li>EventData?</li>
<li>Incident?</li>
<li>Expectation?</li>
<li>Reference?</li>
<li>Assessment?</li>
<li>DetectionPattern?</li>
<li>HistoryItem?</li>
<li>BulkObservable?</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.3"/></td>
     </tr>

<tr>
      <td>BulkObservable</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>BulkObservableFormat?</li>
<li>BulkObservableList</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1"/></td>
     </tr>
<tr>
      <td>BulkObservableFormat</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>Hash?</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1.1"/></td>
     </tr>
<tr>
      <td>IndicatorExpression</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>operator?</li>
<li>ext-operator?</li>
<li>IndicatorExpression*</li>
<li>Observable*</li>
<li>uid-ref*</li>
<li>IndicatorReference*</li>
<li>Confidence?</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.4"/></td>
     </tr>
<tr>
      <td>IndicatorReference</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>uid-ref?</li>
<li>euid-ref?</li>
<li>version?</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.7"/></td>
     </tr>
<tr>
      <td>AttackPhase</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>AttackPhaseID*</li>
<li>URL*</li>
<li>Description*</li>
<li>AdditionalData*</li>
</ul></td>
      <td><xref target="RFC7970" sectionFormat="bare" section="3.29.8"/></td>
     </tr>

  </tbody>
</table>

      </section>
      <section title="Mapping anchor="mapping" numbered="true" toc="default">
        <name>Mapping between JSON and XML IODEF" anchor="mapping">

<t>
<list style="symbols">
<t>Attributes IODEF</name>
        <ul spacing="normal">
          <li>Attributes and elements of each class in the XML IODEF document are both presented as JSON attributes in the JSON IODEF document, and the order of their appearances is ignored.</t>
<t>Flow ignored.</li>
          <li>Flow class is deleted, and classes with its instances now directly have instances of the EventData class that used to belong to the Flow class.</t>
<t>ApplicationHeader class.</li>

          <li>ApplicationHeader class is deleted, and classes with its instances now directly have instances of the ApplicationHeaderField class that used to belong to the ApplicationHeader class.</t>
<t>SignatureData class.</li>

          <li>SignatureData class is deleted, and classes with its instances now directly have instance instances of the Signature class that used to belong to the SignatureData class.</t>
<t>IndicatorData class.</li>

          <li>IndicatorData class is deleted, and classes with its instances now directly have the instances of the Indicator class that used to belong to the IndicatorData class.</t>
<t>ObservableReference class.</li>

          <li>ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element.</t>
<t>Record element.</li>
          <li>Record class is deleted, and classes with its instances now directly have the instances of the RecordData class that used to belong to the Record class.</t>
<t>The class.</li>

          <li>The MLStringType were was modified to support simple string by allowing the type to have not only a predefined object type but also a text type, in order to allow simple descriptions of elements of the type. Implementations need to be capable of parsing an MLStringType that could take the form of both text and object.</t>
<t>The an object.</li>

          <li>The elements of the ML_STRING type in the XML IODEF document are presented as either STRING type or ML_STRING type in the JSON IODEF document.
When converting from the XML IODEF document to the JSON one IODEF document, or vice versa, the information contained in the original data of the ML_STRING type must be preserved.
When STRING is used instead of ML_STRING, parsers can assume that its "xml:lang" is set to "en".</t>
<t>Data "en".</li>

          <li>Data models of the extension classes defined by <xref target="RFC7203" /> format="default"/> and referenced by <xref target="RFC7970" /> format="default"/> are represented by StructuredInfo the STRUCTUREDINFO class defined in this document.</t>
<t>Signature, document.</li>

          <li>Signature, X509Data, and RawData are encoded using base64 encoding for JSON IODEF and binary representation for CBOR IODEF to represent them as BYTE object.</t>
<t>EmailBody objects.</li>

          <li>EmailBody represents an a whole message body including MIME structure in the same manner defined in <xref target="RFC7970" />. format="default"/>. In case of an email composed of a MIME multipart, the EmailBody contains multiple body parts separated by boundary strings.</t>
<t>The strings.</li>

          <li>The "ipv6-net-mask" type attribute of the BulkObservable class
	  remains available for the purpose of backward compatibility purpose, compatibility, but the use of this attribute is not recommended because IPV6 IPv6 does not use netmask any more.</t>
<t>ENUM more.</li>

          <li>ENUM values in this document is are extensible and is managed by IANA, as with which is also the case in <xref target="RFC7970" />. format="default"/>. The values in the table are used both by <xref target="RFC7970" /> format="default"/> implementations and by their JSON (and CBOR) bindings as specified by this document.</t>
<t>This document.</li>

          <li>This document uses JSON's "number" type to represent integers that only has have full precision for integer values between -2**53 -2<sup>53</sup> and 2**53. 2<sup>53</sup>. When dealing with integers outside the range, this issue needs to be considered.</t>
<t>Binaries considered.</li>

          <li>Binaries are encoded in bytes. Note that XML IODEF in <xref target="RFC7970" /> format="default"/> uses HEXBIN due to the incapability of XML for embedding binaries as they are.</t>
</list>
</t> are.</li>
        </ul>
      </section>
    </section>
    <section title="Examples" anchor="examples"> anchor="examples" numbered="true" toc="default">
      <name>Examples</name>
      <t>
   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only
   way to encode particular information.
</t>
      <section title="Minimal Example"> numbered="true" toc="default">
        <name>Minimal Example</name>
        <t>A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively.</t>
        <figure align="center" anchor="minimal_example_json" title="A anchor="minimal_example_json">
          <name>A Minimal Example in JSON">
<artwork align="left"><![CDATA[ JSON</name>

<sourcecode type="json"><![CDATA[
{
  "version": "2.0",
  "lang": "en",
  "Incident": [{
      "purpose": "reporting",
      "restriction": "private",
      "IncidentID": {
        "id": "492382",
        "name": "csirt.example.com"
      },
      "GenerationTime": "2015-07-18T09:00:00-05:00",
      "Contact": [{
          "type": "organization",
          "role": "creator",
          "Email": [{"EmailTo": "contact@csirt.example.com"}]
      }]
  }]
}
]]></artwork>
]]></sourcecode>
        </figure>
        <figure align="center" anchor="minimal_example_cbor" title="A anchor="minimal_example_cbor">
          <name>A Minimal Example in CBOR">
<artwork align="left"><![CDATA[ CBOR</name>
         <sourcecode type="cbor"><![CDATA[
A3                                    # map(3)
   37                                 # negative(23)
   63                                 # text(3)
      322E30                          # "2.0"
   36                                 # negative(22)
   62                                 # text(2)
      656E                            # "en"
   32                                 # negative(18)
   81                                 # array(1)
      A5                              # map(5)
         21                           # negative(1)
         69                           # text(9)
            7265706F7274696E67        # "reporting"
         29                           # negative(9)
         67                           # text(7)
            70726976617465            # "private"
         02                           # unsigned(2)
         A2                           # map(2)
            12                        # unsigned(18)
            66                        # text(6)
               343932333832           # "492382"
            2E                        # negative(14)
            71                        # text(17)
               63736972742E6578616D706C652E636F6D
                                      # "csirt.example.com"
         0A                           # unsigned(10)
         78 19                        # text(25)
            323031352D30372D31385430393A30303A30302D30353A3030
                                      # "2015-07-18T09:00:00-05:00" "2015-07-18T09:00:00
                                      # -05:00"
         0E                           # unsigned(14)
         81                           # array(1)
            A3                        # map(3)
               18 1C                  # unsigned(28)
               6C                     # text(12)
                  6F7267616E697A6174696F6E # "organization"
               18 1A                  # unsigned(26)
               67                     # text(7)
                  63726561746F72      # "creator"
               18 22                  # unsigned(34)
               81                     # array(1)
                  A1                  # map(1)
                     18 29            # unsigned(41)
                     78 19            # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                        636F6E746163744063736972742E6578616D70
                        6C652E636F6D
                                      # "contact@csirt.example.com"
]]></artwork>
]]></sourcecode>
        </figure>
      </section>
      <section title="Indicators numbered="true" toc="default">
        <name>Indicators from a Campaign"> Campaign</name>
        <t>An example of C2 domains from a given campaign is shown below in JSON and CBOR, respectively.</t>
        <figure align="center" anchor="campaign_example_json" title="Indicators anchor="campaign_example_json">
          <name>Indicators from a Campaign in JSON">
<artwork align="left"><![CDATA[ JSON</name>
      <sourcecode type="json"><![CDATA[
{
  "version": "2.0",
  "lang": "en",
  "Incident": [{
    "purpose": "watch",
    "restriction": "green",
    "IncidentID": {
      "id": "897923",
      "name": "csirt.example.com"
    },
    "RelatedActivity": [{
      "ThreatActor": [{
        "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
        "Description": ["Aggressive Butterfly"]}],
      "Campaign": [{
        "CampaignID": ["C-2015-59405"],
        "Description": ["Orange Giraffe"]
      }]
    }],
    "GenerationTime": "2015-10-02T11:18:00-05:00",
    "Description": ["Summarizes the Indicators of Compromise for the
      Orange Giraffe campaign of the Aggressive Butterfly crime
      gang."],
    "Assessment": [{
      "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
    }],
    "Contact": [{
      "type": "organization",
      "role": "creator",
      "ContactName": ["CSIRT for example.com"],
      "Email": [{
        "EmailTo": "contact@csirt.example.com"
      }]
    }],
    "Indicator": [{
      "IndicatorID": {
        "id": "G90823490",
        "name": "csirt.example.com",
        "version": "1"
      },
      "Description": ["C2 domains"],
      "StartTime": "2014-12-02T11:18:00-05:00",
      "Observable": {
        "BulkObservable": {
          "type": "domain-name",
          "BulkObservableList": "kj290023j09r34.example.com"}
      }
    }]
  }]
}]]></artwork>
}]]></sourcecode>
        </figure>
        <figure align="center" anchor="campaign_example_cbor" title="Indicators anchor="campaign_example_cbor">
          <name>Indicators from a Campaign in CBOR">
<artwork align="left"><![CDATA[ CBOR</name>
       <sourcecode type="cbor"><![CDATA[
A3                                      # map(3)
   37                                   # negative(23)
   63                                   # text(3)
      322E30                            # "2.0"
   36                                   # negative(22)
   62                                   # text(2)
      656E                              # "en"
   32                                   # negative(18)
   81                                   # array(1)
      A9                                # map(9)
         21                             # negative(1)
         65                             # text(5)
            7761746368                  # "watch"
         29                             # negative(9)
         65                             # text(5)
            677265656E                  # "green"
         02                             # unsigned(2)
         A2                             # map(2)
            12                          # unsigned(18)
            66                          # text(6)
               383937393233             # "897923"
            2E                          # negative(14)
            71                          # text(17)
               63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
         04                             # unsigned(4)
         81                             # array(1)
            A2                          # map(2)
               14                       # unsigned(20)
               81                       # array(1)
                  A2                    # map(2)
                     18 18              # unsigned(24)
                     81                 # array(1)
                        78 1A           # text(26)
                           54412D31322D414747524553534956452D425554544552464C59
                           54412D31322D414747524553534956452D4
                           25554544552464C59
                                        # "TA-12-AGGRESSIVE-BUTTERFLY" "TA-12-AGGRESSIVE
                                        # -BUTTERFLY"
                     24                 # negative(4)
                     81                 # array(1)
                        74              # text(20)
                           4167677265737369766520427574746572666C79
                           41676772657373697665204275747465726
                           66C79
                                        # "Aggressive Butterfly"
               15                       # unsigned(21)
               81                       # array(1)
                  A2                    # map(2)
                     18 19              # unsigned(25)
                     81                 # array(1)
                        6C              # text(12)
                           432D323031352D3539343035
                                        # "C-2015-59405"
                     24                 # negative(4)
                     81                 # array(1)
                        6E              # text(14)
                           4F72616E67652047697261666665
 # "Orange Giraffe"
         0A                             # unsigned(10)
         78 19                          # text(25)
            323031352D31302D30325431313A31383A30302D30353A3030
                                       # "2015-10-02T11:18:00-05:00"
         24                             # negative(4)
         81                             # array(1)
            78 6F                       # text(111)
               53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
               53756D6D6172697A65732074686520496E64696361746F7
               273206F6620436F6D70726F6D69736520666F7220746865
               204F72616E676520476972616666652063616D706169676
               E206F662074686520416767726573736976652042757474
               6572666C79206372696D652067616E672E
                                        # "Summarizes the Indicators of
                                        # of Compromise for the
                                        # Orange Giraffe
                                        # campaign
                                        # of the Aggressive
                                        # Butterfly crime gang."
         0C                             # unsigned(12)
         81                             # array(1)
            A1                          # map(1)
               18 3F                    # unsigned(63)
               81                       # array(1)
                  A1                    # map(1)
                     18 41              # unsigned(65)
                     A1                 # map(1)
                        18 1C           # unsigned(28)
                        72              # text(18)
                           6272656163682D70726F7072696574617279
                                        # "breach-proprietary"
         0E                             # unsigned(14)
         81                             # array(1)
            A4                          # map(4)
               18 1C                    # unsigned(28)
               6C                       # text(12)
                  6F7267616E697A6174696F6E
                                        # "organization"
               18 1A                    # unsigned(26)
               67                       # text(7)
                  63726561746F72        # "creator"
               18 1E                    # unsigned(30)
               81                       # array(1)
                  75                    # text(21)
                     435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
               18 22                    # unsigned(34)
               81                       # array(1)
                  A1                    # map(1)
                     18 29              # unsigned(41)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"
         10                             # unsigned(16)
         81                             # array(1)
            A4                          # map(4)
               16                       # unsigned(22)
               A3                       # map(3)
                  12                    # unsigned(18)
                  69                    # text(9)
                     473930383233343930 # "G90823490"
                  2E                    # negative(14)
                  71                    # text(17)
                     63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
                  37                    # negative(23)
                  61                    # text(1)
                     31                 # "1"
               24                       # negative(4)
               81                       # array(1)
                  6A                    # text(10)
                     433220646F6D61696E73 # "C2 domains"
               06                       # unsigned(6)
               78 19                    # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030
                                        # "2014-12-02T11:18:00-05:00"
               18 AB                    # unsigned(171)
               A1                       # map(1)
                  18 B0                 # unsigned(176)
                  A2                    # map(2)
                     18 1C              # unsigned(28)
                     6B                 # text(11)
                        646F6D61696E2D6E616D65
                                        # "domain-name"
                     18 B2              # unsigned(178)
                     78 1A              # text(26)
                        6B6A3239303032336A30397233342E6578616D706C652E636F6D
                                        # "kj290023j09r34.example.com"
]]></artwork>
</figure>

</section>

</section>

<section title="Mapkeys" anchor="mapkeys">

<t>The mapkeys are provided in Table <xref target="fig_mapkeys"/> for minimizing the CBOR size.</t>

<figure align="center" anchor="fig_mapkeys" title="Mapkeys">
<artwork align="left"><![CDATA[
+-----------------------------------+-------+
|mapkey                             |cborkey|
+-----------------------------------+-------+
| iodef-version                     | -24   |
| iodef-lang                        | -23   |
| iodef-format-id                   | -22   |
| iodef-private-enum-name           | -21   |
| iodef-private-enum-id             | -20   |
| iodef-Incident                    | -19   |
| iodef-AdditionalData              | -18   |
| iodef-value                       | -17   |
| iodef-translation-id              | -16   |
| iodef-name                        | -15   |
| iodef-dtype                       | -14   |
| iodef-ext-dtype                   | -13   |
| iodef-meaning                     | -12   |
| iodef-formatid                    | -11   |
| iodef-restriction                 | -10   |
| iodef-ext-restriction             | -9    |
| iodef-observable-id               | -8    |
| iodef-SoftwareReference           | -7    |
| iodef-URL                         | -6    |
| iodef-Description                 | -5    |
| iodef-spec-name                   | -4    |
| iodef-ext-spec-name               | -3    |
| iodef-purpose                     | -2    |
| iodef-ext-purpose                 | -1    |
| iodef-status                      | 0     |
| iodef-ext-status                  | 1     |
| iodef-IncidentID                  | 2     |
| iodef-AlternativeID               | 3     |
| iodef-RelatedActivity             | 4     |
| iodef-DetectTime                  | 5     |
| iodef-StartTime                   | 6     |
| iodef-EndTime                     | 7     |
| iodef-RecoveryTime                | 8     |
| iodef-ReportTime                  | 9     |
| iodef-GenerationTime              | 10    |
| iodef-Discovery                   | 11    |
| iodef-Assessment                  | 12    |
| iodef-Method                      | 13    |
| iodef-Contact                     | 14    |
| iodef-EventData                   | 15    |
| iodef-Indicator                   | 16    |
| iodef-History                     | 17    |
| iodef-id                          | 18    |
| iodef-instance                    | 19    |
| iodef-ThreatActor                 | 20    |
| iodef-Campaign                    | 21    |
| iodef-IndicatorID                 | 22    |
| iodef-Confidence                  | 23    |
| iodef-ThreatActorID               | 24    |
| iodef-CampaignID                  | 25    |
| iodef-role                        | 26    |
| iodef-ext-role                    | 27    |
| iodef-type                        | 28    |
| iodef-ext-type                    | 29    |
| iodef-ContactName                 | 30    |
| iodef-ContactTitle                | 31    |
| iodef-RegistryHandle              | 32    |
| iodef-PostalAddress               | 33    |
| iodef-Email                       | 34    |
| iodef-Telephone                   | 35    |
| iodef-Timezone                    | 36    |
| iodef-handle                      | 37    |
| iodef-registry                    | 38    |
| iodef-ext-registry                | 39    |
| iodef-PAddress                    | 40    |
| iodef-EmailTo                     | 41    |
| iodef-TelephoneNumber             | 42    |
| iodef-source                      | 43    |
| iodef-ext-source                  | 44    |
| iodef-DetectionPattern            | 45    |
| iodef-DetectionConfiguration      | 46    |
| iodef-Application                 | 47    |
| iodef-Reference                   | 48    |
| iodef-AttackPattern               | 49    |
| iodef-Vulnerability               | 50    |
| iodef-Weakness                    | 51    |
| iodef-SpecID                      | 52    |
| iodef-ext-SpecID                  | 53    |
| iodef-ContentID                   | 54    |
| iodef-RawData                     | 55    |
| iodef-Platform                    | 56    |
| iodef-Scoring                     | 57    |
| iodef-ReferenceName               | 58    |
| iodef-specIndex                   | 59    |
| iodef-ID                          | 60    |
| iodef-occurrence                  | 61    |
| iodef-IncidentCategory            | 62    |
| iodef-Impact                      | 63    |
| iodef-SystemImpact                | 64    |
| iodef-BusinessImpact              | 65    |
| iodef-TimeImpact                  | 66    |
| iodef-MonetaryImpact              | 67    |
| iodef-IntendedImpact              | 68    |
| iodef-Counter                     | 69    |
| iodef-MitigatingFactor            | 70    |
| iodef-Cause                       | 71    |
| iodef-severity                    | 72    |
| iodef-completion                  | 73    |
| iodef-ext-severity                | 74    |
| iodef-metric                      | 75    |
| iodef-ext-metric                  | 76    |
| iodef-duration                    | 77    |
| iodef-ext-duration                | 78    |
| iodef-currency                    | 79    |
| iodef-rating                      | 80    |
| iodef-ext-rating                  | 81    |
| iodef-HistoryItem                 | 82    |
| iodef-action                      | 83    |
| iodef-ext-action                  | 84    |
| iodef-DateTime                    | 85    |
| iodef-DefinedCOA                  | 86    |
| iodef-System                      | 87    |
| iodef-Expectation                 | 88    |
| iodef-RecordData                  | 89    |
| iodef-category                    | 90    |
| iodef-ext-category                | 91    |
| iodef-interface                   | 92    |
| iodef-spoofed                     | 93    |
| iodef-virtual                     | 94    |
| iodef-ownership                   | 95    |
| iodef-ext-ownership               | 96    |
| iodef-Node                        | 97    |
| iodef-NodeRole                    | 98    |
| iodef-Service                     | 99    |
| iodef-OperatingSystem             | 100   |
| iodef-AssetID                     | 101   |
| iodef-DomainData                  | 102   |
| iodef-Address                     | 103   |
| iodef-Location                    | 104   |
| iodef-vlan-name                   | 105   |
| iodef-vlan-num                    | 106   |
| iodef-unit                        | 107   |
| iodef-ext-unit                    | 108   |
| iodef-system-status               | 109   |
| iodef-ext-system-status           | 110   |
| iodef-domain-status               | 111   |
| iodef-ext-domain-status           | 112   |
| iodef-Name                        | 113   |
| iodef-DateDomainWasChecked        | 114   |
| iodef-RegistrationDate            | 115   |
| iodef-ExpirationDate              | 116   |
| iodef-RelatedDNS                  | 117   |
| iodef-NameServers                 | 118   |
| iodef-DomainContacts              | 119   |
| iodef-Server                      | 120   |
| iodef-SameDomainContact           | 121   |
| iodef-ip-protocol                 | 122   |
| iodef-ServiceName                 | 123   |
| iodef-Port                        | 124   |
| iodef-Portlist                    | 125   |
| iodef-ProtoCode                   | 126   |
| iodef-ProtoType                   | 127   |
| iodef-ProtoField                  | 128   |
| iodef-ApplicationHeaderField      | 129   |
| iodef-EmailData                   | 130   |
| iodef-IANAService                 | 131   |
| iodef-EmailFrom                   | 132   |
| iodef-EmailSubject                | 133   |
| iodef-EmailX-Mailer               | 134   |
| iodef-EmailHeaderField            | 135   |
| iodef-EmailHeaders                | 136   |
| iodef-EmailBody                   | 137   |
| iodef-EmailMessage                | 138   |
| iodef-HashData                    | 139   |
| iodef-Signature                   | 140   |
| iodef-RecordPattern               | 141   |
| iodef-RecordItem                  | 142   |
| iodef-FileData                    | 143   |
| iodef-WindowsRegistryKeysModified | 169   |
| iodef-CertificateData             | 145   |
| iodef-offset                      | 146   |
| iodef-offsetunit                  | 147   |
| iodef-ext-offsetunit              | 148   |
| iodef-Key                         | 149   |
| iodef-registryaction              | 150   |
| iodef-ext-registryaction          | 151   |
| iodef-KeyName                     | 152   |
| iodef-KeyValue                    | 153   |
| iodef-Certificate                 | 154   |
| iodef-X509Data                    | 155   |
| iodef-File                        | 156   |
| iodef-FileName                    | 157   |
| iodef-FileSize                    | 158   |
| iodef-FileType                    | 159   |
| iodef-AssociatedSoftware          | 160   |
| iodef-FileProperties              | 161   |
| iodef-scope                       | 162   |
| iodef-HashTargetID                | 163   |
| iodef-Hash                        | 164   |
| iodef-FuzzyHash                   | 165   |
| iodef-DigestMethod                | 166   |
| iodef-DigestValue                 | 167   |
| iodef-CanonicalizationMethod      | 168   |
| iodef-FuzzyHashValue              | 169   |
| iodef-AlternativeIndicatorID      | 170   |
| iodef-Observable                  | 171   |
| iodef-uid-ref                     | 172   |
| iodef-IndicatorExpression         | 173   |
| iodef-IndicatorReference          | 174   |
| iodef-AttackPhase                 | 175   |
| iodef-BulkObservable              | 176   |
| iodef-BulkObservableFormat        | 177   |
| iodef-BulkObservableList          | 178   |
| iodef-operator                    | 179   |
| iodef-ext-operator                | 180   |
| iodef-euid-ref                    | 181   |
| iodef-AttackPhaseID               | 182   |
+-----------------------------------+-------+
]]></artwork>
               18 1E                    # unsigned(30)
               81                       # array(1)
                  75                    # text(21)
                     435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
               18 22                    # unsigned(34)
               81                       # array(1)
                  A1                    # map(1)
                     18 29              # unsigned(41)
                     78 19              # text(25)
                        636F6E746163744063736972742E6578616D70
                        6C652E636F6D
                                       # "contact@csirt.example.com"
         10                             # unsigned(16)
         81                             # array(1)
            A4                          # map(4)
               16                       # unsigned(22)
               A3                       # map(3)
                  12                    # unsigned(18)
                  69                    # text(9)
                     473930383233343930 # "G90823490"
                  2E                    # negative(14)
                  71                    # text(17)
                     63736972742E6578616D706C652E636F6D
                                        # "csirt.example.com"
                  37                    # negative(23)
                  61                    # text(1)
                     31                 # "1"
               24                       # negative(4)
               81                       # array(1)
                  6A                    # text(10)
                     433220646F6D61696E73 # "C2 domains"
               06                       # unsigned(6)
               78 19                    # text(25)
                  323031342D31322D30325431313A31383A30302D30353A3030
                                       # "2014-12-02T11:18:00-05:00"
               18 AB                    # unsigned(171)
               A1                       # map(1)
                  18 B0                 # unsigned(176)
                  A2                    # map(2)
                     18 1C              # unsigned(28)
                     6B                 # text(11)
                        646F6D61696E2D6E616D65
                                        # "domain-name"
                     18 B2              # unsigned(178)
                     78 1A              # text(26)
                        6B6A3239303032336A30397233342E6578616D
                        706C652E636F6D
                                      # "kj290023j09r34.example.com"
]]></sourcecode>
        </figure>
      </section>
    </section>
    <section anchor="mapkeys" numbered="true" toc="default">
      <name>Mapkeys</name>
      <t>The mapkeys are provided in <xref target="fig_mapkeys" format="default"/> for minimizing the CBOR size.</t>

<table align="left" anchor="fig_mapkeys">
  <name>Mapkeys</name>
  <thead>
    <tr>
      <th>mapkey</th>
      <th>cborkey</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>iodef-version</td>
      <td>-24</td>
    </tr>
   <tr>
      <td>iodef-lang</td>
      <td>-23</td>
    </tr>
<tr>
      <td>iodef-format-id</td>
      <td>-22</td>
    </tr>
<tr>
      <td>iodef-private-enum-name</td>
      <td>-21</td>
    </tr>
<tr>
      <td>iodef-private-enum-id</td>
      <td>-20</td>
    </tr>
<tr>
      <td>iodef-Incident</td>
      <td>-19</td>
    </tr>
<tr>
      <td>iodef-AdditionalData</td>
      <td>-18</td>
    </tr>
<tr>
      <td>iodef-value</td>
      <td>-17</td>
    </tr>
<tr>
      <td>iodef-translation-id</td>
      <td>-16</td>
    </tr>
<tr>
      <td>iodef-name</td>
      <td>-15</td>
    </tr>
<tr>
      <td>iodef-dtype</td>
      <td>-14</td>
    </tr>
<tr>
      <td>iodef-ext-dtype</td>
      <td>-13</td>
    </tr>
<tr>
      <td>iodef-meaning</td>
      <td>-12</td>
    </tr>
<tr>
      <td>iodef-formatid</td>
      <td>-11</td>
    </tr>
<tr>
      <td>iodef-restriction</td>
      <td>-10</td>
    </tr>
<tr>
      <td>iodef-ext-restriction</td>
      <td>-9</td>
    </tr>
<tr>
      <td>iodef-observable-id</td>
      <td>-8</td>
    </tr>
<tr>
      <td>iodef-SoftwareReference</td>
      <td>-7</td>
    </tr>
<tr>
      <td>iodef-URL</td>
      <td>-6</td>
    </tr>
<tr>
      <td>iodef-Description</td>
      <td>-5</td>
    </tr>
<tr>
      <td>iodef-spec-name</td>
      <td>-4</td>
    </tr>
<tr>
      <td>iodef-ext-spec-name</td>
      <td>-3</td>
    </tr>
<tr>
      <td>iodef-purpose</td>
      <td>-2</td>
    </tr>
<tr>
      <td>iodef-ext-purpose</td>
      <td>-1</td>
    </tr>
<tr>
      <td>iodef-status</td>
      <td>0</td>
    </tr>
<tr>
      <td>iodef-ext-status</td>
      <td>1</td>
    </tr>
<tr>
      <td>iodef-IncidentID</td>
      <td>2</td>
    </tr>
<tr>
      <td>iodef-AlternativeID</td>
      <td>3</td>
    </tr>
<tr>
      <td>iodef-RelatedActivity</td>
      <td>4</td>
    </tr>
<tr>
      <td>iodef-DetectTime</td>
      <td>5</td>
    </tr>
<tr>
      <td>iodef-StartTime</td>
      <td>6</td>
    </tr>
<tr>
      <td>iodef-EndTime</td>
      <td>7</td>
    </tr>
<tr>
      <td>iodef-RecoveryTime</td>
      <td>8</td>
    </tr>
<tr>
      <td>iodef-ReportTime</td>
      <td>9</td>
    </tr>
<tr>
      <td>iodef-GenerationTime</td>
      <td>10</td>
    </tr>
<tr>
      <td>iodef-Discovery</td>
      <td>11</td>
    </tr>
<tr>
      <td>iodef-Assessment</td>
      <td>12</td>
    </tr>
<tr>
      <td>iodef-Method</td>
      <td>13</td>
    </tr>
<tr>
      <td>iodef-Contact</td>
      <td>14</td>
    </tr>
<tr>
      <td>iodef-EventData</td>
      <td>15</td>
    </tr>
<tr>
      <td>iodef-Indicator</td>
      <td>16</td>
    </tr>
<tr>
      <td>iodef-History</td>
      <td>17</td>
    </tr>
<tr>
      <td>iodef-id</td>
      <td>18</td>
    </tr>
<tr>
      <td>iodef-instance</td>
      <td>19</td>
    </tr>
<tr>
      <td>iodef-ThreatActor</td>
      <td>20</td>
    </tr>
<tr>
      <td>iodef-Campaign</td>
      <td>21</td>
    </tr>
<tr>
      <td>iodef-IndicatorID</td>
      <td>22</td>
    </tr>
<tr>
      <td>iodef-Confidence</td>
      <td>23</td>
    </tr>
<tr>
      <td>iodef-ThreatActorID</td>
      <td>24</td>
    </tr>
<tr>
      <td>iodef-CampaignID</td>
      <td>25</td>
    </tr>
<tr>
      <td>iodef-role</td>
      <td>26</td>
    </tr>
<tr>
      <td>iodef-ext-role</td>
      <td>27</td>
    </tr>
<tr>
      <td>iodef-type</td>
      <td>28</td>
    </tr>
<tr>
      <td>iodef-ext-type</td>
      <td>29</td>
    </tr>
<tr>
      <td>iodef-ContactName</td>
      <td>30</td>
    </tr>
<tr>
      <td>iodef-ContactTitle</td>
      <td>31</td>
    </tr>
<tr>
      <td>iodef-RegistryHandle</td>
      <td>32</td>
    </tr>
<tr>
      <td>iodef-PostalAddress</td>
      <td>33</td>
    </tr>
<tr>
      <td>iodef-Email</td>
      <td>34</td>
    </tr>
<tr>
      <td>iodef-Telephone</td>
      <td>35</td>
    </tr>
<tr>
      <td>iodef-Timezone</td>
      <td>36</td>
    </tr>
<tr>
      <td>iodef-handle</td>
      <td>37</td>
    </tr>
<tr>
      <td>iodef-registry</td>
      <td>38</td>
    </tr>
<tr>
      <td>iodef-ext-registry</td>
      <td>39</td>
    </tr>
<tr>
      <td>iodef-PAddress</td>
      <td>40</td>
    </tr>
<tr>
      <td>iodef-EmailTo</td>
      <td>41</td>
    </tr>
<tr>
      <td>iodef-TelephoneNumber</td>
      <td>42</td>
    </tr>
<tr>
      <td>iodef-source</td>
      <td>43</td>
    </tr>
<tr>
      <td>iodef-ext-source</td>
      <td>44</td>
    </tr>
<tr>
      <td>iodef-DetectionPattern</td>
      <td>45</td>
    </tr>
<tr>
      <td>iodef-DetectionConfiguration</td>
      <td>46</td>
    </tr>
<tr>
      <td>iodef-Application</td>
      <td>47</td>
    </tr>
<tr>
      <td>iodef-Reference</td>
      <td>48</td>
    </tr>
<tr>
      <td>iodef-AttackPattern</td>
      <td>49</td>
    </tr>
<tr>
      <td>iodef-Vulnerability</td>
      <td>50</td>
    </tr>
<tr>
      <td>iodef-Weakness</td>
      <td>51</td>
    </tr>
<tr>
      <td>iodef-SpecID</td>
      <td>52</td>
    </tr>
<tr>
      <td>iodef-ext-SpecID</td>
      <td>53</td>
    </tr>
<tr>
      <td>iodef-ContentID</td>
      <td>54</td>
    </tr>
<tr>
      <td>iodef-RawData</td>
      <td>55</td>
    </tr>
<tr>
      <td>iodef-Platform</td>
      <td>56</td>
    </tr>
<tr>
      <td>iodef-Scoring</td>
      <td>57</td>
    </tr>
<tr>
      <td>iodef-ReferenceName</td>
      <td>58</td>
    </tr>
<tr>
      <td>iodef-specIndex</td>
      <td>59</td>
    </tr>
<tr>
      <td>iodef-ID</td>
      <td>60</td>
    </tr>
<tr>
      <td>iodef-occurrence</td>
      <td>61</td>
    </tr>
<tr>
      <td>iodef-IncidentCategory</td>
      <td>62</td>
    </tr>
<tr>
      <td>iodef-Impact</td>
      <td>63</td>
    </tr>
<tr>
      <td>iodef-SystemImpact</td>
      <td>64</td>
    </tr>
<tr>
      <td>iodef-BusinessImpact</td>
      <td>65</td>
    </tr>
<tr>
      <td>iodef-TimeImpact</td>
      <td>66</td>
    </tr>
<tr>
      <td>iodef-MonetaryImpact</td>
      <td>67</td>
    </tr>
<tr>
      <td>iodef-IntendedImpact</td>
      <td>68</td>
    </tr>
<tr>
      <td>iodef-Counter</td>
      <td>69</td>
    </tr>
<tr>
      <td>iodef-MitigatingFactor</td>
      <td>70</td>
    </tr>
<tr>
      <td>iodef-Cause</td>
      <td>71</td>
    </tr>
<tr>
      <td>iodef-severity</td>
      <td>72</td>
    </tr>
<tr>
      <td>iodef-completion</td>
      <td>73</td>
    </tr>
<tr>
      <td>iodef-ext-severity</td>
      <td>74</td>
    </tr>
<tr>
      <td>iodef-metric</td>
      <td>75</td>
    </tr>
<tr>
      <td>iodef-ext-metric</td>
      <td>76</td>
    </tr>
<tr>
      <td>iodef-duration</td>
      <td>77</td>
    </tr>

<tr>
      <td>iodef-ext-duration</td>
      <td>78</td>
    </tr>

<tr>
      <td>iodef-currency</td>
      <td>79</td>
    </tr>

<tr>
      <td>iodef-rating</td>
      <td>80</td>
    </tr>

<tr>
      <td>iodef-ext-rating</td>
      <td>81</td>
    </tr>

<tr>
      <td>iodef-HistoryItem</td>
      <td>82</td>
    </tr>

<tr>
      <td>iodef-action</td>
      <td>83</td>
    </tr>

<tr>
      <td>iodef-ext-action</td>
      <td>84</td>
    </tr>

<tr>
      <td>iodef-DateTime</td>
      <td>85</td>
    </tr>

<tr>
      <td>iodef-DefinedCOA</td>
      <td>86</td>
    </tr>

<tr>
      <td>iodef-System</td>
      <td>87</td>
    </tr>

<tr>
      <td>iodef-Expectation</td>
      <td>88</td>
    </tr>

<tr>
      <td>iodef-RecordData</td>
      <td>89</td>
    </tr>

<tr>
      <td>iodef-category</td>
      <td>90</td>
    </tr>

<tr>
      <td>iodef-ext-category</td>
      <td>91</td>
    </tr>

<tr>
      <td>iodef-interface</td>
      <td>92</td>
    </tr>

<tr>
      <td>iodef-spoofed</td>
      <td>93</td>
    </tr>

<tr>
      <td>iodef-virtual</td>
      <td>94</td>
    </tr>
<tr>
      <td>iodef-ownership</td>
      <td>95</td>
    </tr>
<tr>
      <td>iodef-ext-ownership</td>
      <td>96</td>
    </tr>
<tr>
      <td>iodef-Node</td>
      <td>97</td>
    </tr>
<tr>
      <td>iodef-NodeRole</td>
      <td>98</td>
    </tr>
<tr>
      <td>iodef-Service</td>
      <td>99</td>
    </tr>
<tr>
      <td>iodef-OperatingSystem</td>
      <td>100</td>
    </tr>
<tr>
      <td>iodef-AssetID</td>
      <td>101</td>
    </tr>
<tr>
      <td>iodef-DomainData</td>
      <td>102</td>
    </tr>
<tr>
      <td>iodef-Address</td>
      <td>103</td>
    </tr>
<tr>
      <td>iodef-Location</td>
      <td>104</td>
    </tr>
<tr>
      <td>iodef-vlan-name</td>
      <td>105</td>
    </tr>
<tr>
      <td>iodef-vlan-num</td>
      <td>106</td>
    </tr>
<tr>
      <td>iodef-unit</td>
      <td>107</td>
    </tr>
<tr>
      <td>iodef-ext-unit</td>
      <td>108</td>
    </tr>
<tr>
      <td>iodef-system-status</td>
      <td>109</td>
    </tr>
<tr>
      <td>iodef-ext-system-status</td>
      <td>110</td>
    </tr>
<tr>
      <td>iodef-domain-status</td>
      <td>111</td>
    </tr>
<tr>
      <td>iodef-ext-domain-status</td>
      <td>112</td>
    </tr>
<tr>
      <td>iodef-Name</td>
      <td>113</td>
    </tr>
<tr>
      <td>iodef-DateDomainWasChecked</td>
      <td>114</td>
    </tr>
<tr>
      <td>iodef-RegistrationDate</td>
      <td>115</td>
    </tr>
<tr>
      <td>iodef-ExpirationDate</td>
      <td>116</td>
    </tr>
<tr>
      <td>iodef-RelatedDNS</td>
      <td>117</td>
    </tr>
<tr>
      <td>iodef-NameServers</td>
      <td>118</td>
    </tr>
<tr>
      <td>iodef-DomainContacts</td>
      <td>119</td>
    </tr>
<tr>
      <td>iodef-Server</td>
      <td>120</td>
    </tr>
<tr>
      <td>iodef-SameDomainContact</td>
      <td>121</td>
    </tr>
<tr>
      <td>iodef-ip-protocol</td>
      <td>122</td>
    </tr>
<tr>
      <td>iodef-ServiceName</td>
      <td>123</td>
    </tr>
<tr>
      <td>iodef-Port</td>
      <td>124</td>
    </tr>
<tr>
      <td>iodef-Portlist</td>
      <td>125</td>
    </tr>
<tr>
      <td>iodef-ProtoCode</td>
      <td>126</td>
    </tr>
<tr>
      <td>iodef-ProtoType</td>
      <td>127</td>
    </tr>
<tr>
      <td>iodef-ProtoField</td>
      <td>128</td>
    </tr>
<tr>
      <td>iodef-ApplicationHeaderField</td>
      <td>129</td>
    </tr>

<tr>
      <td>iodef-EmailData</td>
      <td>130</td>
    </tr>

<tr>
      <td>iodef-IANAService</td>
      <td>131</td>
    </tr>

<tr>
      <td>iodef-EmailFrom</td>
      <td>132</td>
    </tr>

<tr>
      <td>iodef-EmailSubject</td>
      <td>133</td>
    </tr>

<tr>
      <td>iodef-EmailX-Mailer</td>
      <td>134</td>
    </tr>

<tr>
      <td>iodef-EmailHeaderField</td>
      <td>135</td>
    </tr>

<tr>
      <td>iodef-EmailHeaders</td>
      <td>136</td>
    </tr>

<tr>
      <td>iodef-EmailBody</td>
      <td>137</td>
    </tr>

<tr>
      <td>iodef-EmailMessage</td>
      <td>138</td>
    </tr>

<tr>
      <td>iodef-HashData</td>
      <td>139</td>
    </tr>

<tr>
      <td>iodef-Signature</td>
      <td>140</td>
    </tr>

<tr>
      <td>iodef-RecordPattern</td>
      <td>141</td>
    </tr>

<tr>
      <td>iodef-RecordItem</td>
      <td>142</td>
    </tr>

<tr>
      <td>iodef-FileData</td>
      <td>143</td>
    </tr>

<tr>
      <td>iodef-WindowsRegistryKeysModified</td>
      <td>144</td>
    </tr>

<tr>
      <td>iodef-CertificateData</td>
      <td>145</td>
    </tr>

<tr>
      <td>iodef-offset</td>
      <td>146</td>
    </tr>

<tr>
      <td>iodef-offsetunit</td>
      <td>147</td>
    </tr>

<tr>
      <td>iodef-ext-offsetunit</td>
      <td>148</td>
    </tr>

<tr>
      <td>iodef-Key</td>
      <td>149</td>
    </tr>

<tr>
      <td>iodef-registryaction</td>
      <td>150</td>
    </tr>

<tr>
      <td>iodef-ext-registryaction</td>
      <td>151</td>
    </tr>

<tr>
      <td>iodef-KeyName</td>
      <td>152</td>
    </tr>

<tr>
      <td>iodef-KeyValue</td>
      <td>153</td>
    </tr>

<tr>
      <td>iodef-Certificate</td>
      <td>154</td>
    </tr>

<tr>
      <td>iodef-X509Data</td>
      <td>155</td>
    </tr>
<tr>
      <td>iodef-File</td>
      <td>156</td>
    </tr>
<tr>
      <td>iodef-FileName</td>
      <td>157</td>
    </tr>
<tr>
      <td>iodef-FileSize</td>
      <td>158</td>
    </tr>
<tr>
      <td>iodef-FileType</td>
      <td>159</td>
    </tr>
<tr>
      <td>iodef-AssociatedSoftware</td>
      <td>160</td>
    </tr>
<tr>
      <td>iodef-FileProperties</td>
      <td>161</td>
    </tr>
<tr>
      <td>iodef-scope</td>
      <td>162</td>
    </tr>
<tr>
      <td>iodef-HashTargetID</td>
      <td>163</td>
    </tr>
<tr>
      <td>iodef-Hash</td>
      <td>164</td>
    </tr>
<tr>
      <td>iodef-FuzzyHash</td>
      <td>165</td>
    </tr>
<tr>
      <td>iodef-DigestMethod</td>
      <td>166</td>
    </tr>
<tr>
      <td>iodef-DigestValue</td>
      <td>167</td>
    </tr>
<tr>
      <td>iodef-CanonicalizationMethod</td>
      <td>168</td>
    </tr>
<tr>
      <td>iodef-FuzzyHashValue</td>
      <td>169</td>
    </tr>
<tr>
      <td>iodef-AlternativeIndicatorID</td>
      <td>170</td>
    </tr>
<tr>
      <td>iodef-Observable</td>
      <td>171</td>
    </tr>
<tr>
      <td>iodef-uid-ref</td>
      <td>172</td>
    </tr>
<tr>
      <td>iodef-IndicatorExpression</td>
      <td>173</td>
    </tr>
<tr>
      <td>iodef-IndicatorReference</td>
      <td>174</td>
    </tr>
<tr>
      <td>iodef-AttackPhase</td>
      <td>175</td>
    </tr>
<tr>
      <td>iodef-BulkObservable</td>
      <td>176</td>
    </tr>
<tr>
      <td>iodef-BulkObservableFormat</td>
      <td>177</td>
    </tr>
<tr>
      <td>iodef-BulkObservableList</td>
      <td>178</td>
    </tr>
<tr>
      <td>iodef-operator</td>
      <td>179</td>
    </tr>
<tr>
      <td>iodef-ext-operator</td>
      <td>180</td>
    </tr>
<tr>
      <td>iodef-euid-ref</td>
      <td>181</td>
    </tr>
<tr>
      <td>iodef-AttackPhaseID</td>
      <td>182</td>
    </tr>
  </tbody>
</table>

    </section>
    <section title="The anchor="cddlSection" numbered="true" toc="default">
      <name>The IODEF Data Model (CDDL)" anchor="cddlSection">

<t>This (CDDL)</name>
      <t keepWithNext="true">This section provides the IODEF data model.
Note that mapkeys are described at the beginning of the CDDL data model for better readability.</t>

<!--Note: per the author's note in the datatracker, "? iodef-Indicator
f=> [+ Indicator]," was updated to be "? iodef-Indicator => [+
Indicator]," in the figure below.
-->

      <figure align="center" anchor="cddl" title="Data anchor="cddl">
        <name>Data Model in CDDL">
<artwork align="left"><![CDATA[ CDDL</name>
<sourcecode type="cddl"><![CDATA[
start = iodef

;;; iodef.json: IODEF-Document

iodef-version = -24
iodef-lang = -23
iodef-format-id = -22
iodef-private-enum-name = -21
iodef-private-enum-id = -20
iodef-Incident = -19
iodef-AdditionalData = -18
iodef-value = -17
iodef-translation-id = -16
iodef-name = -15
iodef-dtype = -14
iodef-ext-dtype = -13
iodef-meaning = -12
iodef-formatid = -11
iodef-restriction = -10
iodef-ext-restriction = -9
iodef-observable-id = -8
iodef-SoftwareReference = -7
iodef-URL = -6
iodef-Description = -5
iodef-spec-name = -4
iodef-ext-spec-name = -3
iodef-purpose = -2
iodef-ext-purpose = -1
iodef-status = 0
iodef-ext-status = 1
iodef-IncidentID = 2
iodef-AlternativeID = 3
iodef-RelatedActivity = 4
iodef-DetectTime = 5
iodef-StartTime = 6
iodef-EndTime = 7
iodef-RecoveryTime = 8
iodef-ReportTime = 9
iodef-GenerationTime = 10
iodef-Discovery = 11
iodef-Assessment = 12
iodef-Method = 13
iodef-Contact = 14
iodef-EventData = 15
iodef-Indicator = 16
iodef-History = 17
iodef-id = 18
iodef-instance = 19
iodef-ThreatActor = 20
iodef-Campaign = 21
iodef-IndicatorID = 22
iodef-Confidence = 23
iodef-ThreatActorID = 24
iodef-CampaignID = 25
iodef-role = 26
iodef-ext-role = 27
iodef-type = 28
iodef-ext-type = 29
iodef-ContactName = 30
iodef-ContactTitle = 31
iodef-RegistryHandle = 32
iodef-PostalAddress = 33
iodef-Email = 34
iodef-Telephone = 35
iodef-Timezone = 36
iodef-handle = 37
iodef-registry = 38
iodef-ext-registry = 39
iodef-PAddress = 40
iodef-EmailTo = 41
iodef-TelephoneNumber = 42
iodef-source = 43
iodef-ext-source = 44
iodef-DetectionPattern = 45
iodef-DetectionConfiguration = 46
iodef-Application = 47
iodef-Reference = 48
iodef-AttackPattern = 49
iodef-Vulnerability = 50
iodef-Weakness = 51
iodef-SpecID = 52
iodef-ext-SpecID = 53
iodef-ContentID = 54
iodef-RawData = 55
iodef-Platform = 56
iodef-Scoring = 57
iodef-ReferenceName = 58
iodef-specIndex = 59
iodef-ID = 60
iodef-occurrence = 61
iodef-IncidentCategory = 62
iodef-Impact = 63
iodef-SystemImpact = 64
iodef-BusinessImpact = 65
iodef-TimeImpact = 66
iodef-MonetaryImpact = 67
iodef-IntendedImpact = 68
iodef-Counter = 69
iodef-MitigatingFactor = 70
iodef-Cause = 71
iodef-severity = 72
iodef-completion = 73
iodef-ext-severity = 74
iodef-metric = 75
iodef-ext-metric = 76
iodef-duration = 77
iodef-ext-duration = 78
iodef-currency = 79
iodef-rating = 80
iodef-ext-rating = 81
iodef-HistoryItem = 82
iodef-action = 83
iodef-ext-action = 84
iodef-DateTime = 85
iodef-DefinedCOA = 86
iodef-System = 87
iodef-Expectation = 88
iodef-RecordData = 89
iodef-category = 90
iodef-ext-category = 91
iodef-interface = 92
iodef-spoofed = 93
iodef-virtual = 94
iodef-ownership = 95
iodef-ext-ownership = 96
iodef-Node = 97
iodef-NodeRole = 98
iodef-Service = 99
iodef-OperatingSystem = 100
iodef-AssetID = 101
iodef-DomainData = 102
iodef-Address = 103
iodef-Location = 104
iodef-vlan-name = 105
iodef-vlan-num = 106
iodef-unit = 107
iodef-ext-unit = 108
iodef-system-status = 109
iodef-ext-system-status = 110
iodef-domain-status = 111
iodef-ext-domain-status = 112
iodef-Name = 113
iodef-DateDomainWasChecked = 114
iodef-RegistrationDate = 115
iodef-ExpirationDate = 116
iodef-RelatedDNS = 117
iodef-NameServers = 118
iodef-DomainContacts = 119
iodef-Server = 120
iodef-SameDomainContact = 121
iodef-ip-protocol = 122
iodef-ServiceName = 123
iodef-Port = 124
iodef-Portlist = 125
iodef-ProtoCode = 126
iodef-ProtoType = 127
iodef-ProtoField = 128
iodef-ApplicationHeaderField = 129
iodef-EmailData = 130
iodef-IANAService = 131
iodef-EmailFrom = 132
iodef-EmailSubject = 133
iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 135
iodef-EmailHeaders = 136
iodef-EmailBody = 137
iodef-EmailMessage = 138
iodef-HashData = 139
iodef-Signature = 140
iodef-RecordPattern = 141
iodef-RecordItem = 142
iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 169 144
iodef-CertificateData = 145
iodef-offset = 146
iodef-offsetunit = 147
iodef-ext-offsetunit = 148
iodef-Key = 149
iodef-registryaction = 150
iodef-ext-registryaction = 151
iodef-KeyName = 152
iodef-KeyValue = 153
iodef-Certificate = 154
iodef-X509Data = 155
iodef-File = 156
iodef-FileName = 157
iodef-FileSize = 158
iodef-FileType = 159
iodef-AssociatedSoftware = 160
iodef-FileProperties = 161
iodef-scope = 162
iodef-HashTargetID = 163
iodef-Hash = 164
iodef-FuzzyHash = 165
iodef-DigestMethod = 166
iodef-DigestValue = 167
iodef-CanonicalizationMethod = 168
iodef-FuzzyHashValue = 169
iodef-AlternativeIndicatorID = 170
iodef-Observable = 171
iodef-uid-ref = 172
iodef-IndicatorExpression = 173
iodef-IndicatorReference = 174
iodef-AttackPhase = 175
iodef-BulkObservable = 176
iodef-BulkObservableFormat = 177
iodef-BulkObservableList = 178
iodef-operator = 179
iodef-ext-operator = 180
iodef-euid-ref = 181
iodef-AttackPhaseID = 182

iodef = {
 iodef-version => text,
 ? iodef-lang => lang,
 ? iodef-format-id => text
 ? iodef-private-enum-name => text,
 ? iodef-private-enum-id => text,
 iodef-Incident => [+ Incident],
 ? iodef-AdditionalData => [+ ExtensionType]
}

duration = "second" / "minute" / "hour" / "day" / "month" /
"quarter" / "year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"

restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" /
"ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" /  "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype
URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp
                        "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value"

DATETIME = tdate

BYTE = eb64legacy

MLStringType = {
    iodef-value => text,
    ? iodef-lang => lang,
    ? iodef-translation-id => text
} / text

PositiveFloatType = float32 .gt 0

PAddressType = MLStringType

ExtensionType  = {
 iodef-value => text,
 ? iodef-name => text,
 iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
"date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
"string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
"json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
"ext-value"
.default "string"
 ? iodef-ext-dtype => text,
 ? iodef-meaning => text,
 ? iodef-formatid => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
}

SoftwareType = {
 ? iodef-SoftwareReference => SoftwareReference,
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType]
}

SoftwareReference = {
 ? iodef-value => text,
 iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
 ? iodef-ext-spec-name => text,
 ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
"ext-value" .default "string",
 ? iodef-ext-dtype => text
}

Incident = {
 iodef-purpose => "traceback" / "mitigation" / "reporting" /
"watch" / "other" / "ext-value",
 ? iodef-ext-purpose => text,
 ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
"future" / "ext-value",
 ? iodef-ext-status => text,
 ? iodef-lang => lang,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-IncidentID => IncidentID,
 ? iodef-AlternativeID => AlternativeID,
 ? iodef-RelatedActivity => [+ RelatedActivity],
 ? iodef-DetectTime => DATETIME,
 ? iodef-StartTime => DATETIME,
 ? iodef-EndTime => DATETIME,
 ? iodef-RecoveryTime => DATETIME,
 ? iodef-ReportTime => DATETIME,
 iodef-GenerationTime => DATETIME,
 ? iodef-Description => [+ MLStringType],
 ? iodef-Discovery => [+ Discovery],
 ? iodef-Assessment => [+ Assessment],
 ? iodef-Method => [+ Method],
 iodef-Contact => [+ Contact],
 ? iodef-EventData => [+ EventData],
 ? iodef-Indicator f=> => [+ Indicator],
 ? iodef-History => History,
 ? iodef-AdditionalData => [+ ExtensionType]
}

IncidentID = {
 iodef-id => text,
 iodef-name => text,
 ? iodef-instance => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text
}

AlternativeID = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 iodef-IncidentID => [+ IncidentID]
}

RelatedActivity = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-IncidentID => [+ IncidentID],
 ? iodef-URL => [+ URLtype],
 ? iodef-ThreatActor => [+ ThreatActor],
 ? iodef-Campaign => [+ Campaign],
 ? iodef-IndicatorID => [+ IndicatorID],
 ? iodef-Confidence => Confidence,
 ? iodef-Description => [+ text],
 ? iodef-AdditionalData => [+ ExtensionType]
}

ThreatActor = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-ThreatActorID => [+ text],
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType],
 ? iodef-AdditionalData => [+ ExtensionType]
}

Campaign  = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-CampaignID => [+ text],
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType],
 ? iodef-AdditionalData => [+ ExtensionType]
}

Contact = {
 iodef-role => "creator" / "reporter" / "admin" / "tech" /
"provider" / "user" /, / "billing" / "legal" / "irt" / "abuse" /
"cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
"victim" / "victim-notified" / "ext-value",
 ? iodef-ext-role => text,
 iodef-type => "person" / "organization" / "ext-value",
 ? iodef-ext-type => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-ContactName => [+ MLStringType],
 ? iodef-ContactTitle => [+ MLStringType],
 ? iodef-Description => [+ MLStringType],
 ? iodef-RegistryHandle => [+ RegistryHandle],
 ? iodef-PostalAddress => [+ PostalAddress],
 ? iodef-Email => [+ Email],
 ? iodef-Telephone => [+ Telephone],
 ? iodef-Timezone => TimeZonetype,
 ? iodef-Contact => [+ Contact],
 ? iodef-AdditionalData => [+ ExtensionType]
}

RegistryHandle = {
 iodef-handle => text,
 iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
"ripe" / "afrinic" / "local" / "ext-value",
 ? iodef-ext-registry => text
}

PostalAddress = {
 ? iodef-type => "street" / "mailing" / "ext-value",
 ? iodef-ext-type => text,
 iodef-PAddress => PAddressType,
 ? iodef-Description => [+ MLStringType]
}

Email = {
 ? iodef-type => "direct" / "hotline" / "ext-value",
 ? iodef-ext-type => text,
 iodef-EmailTo => text,
 ? iodef-Description => [+ MLStringType]
}

Telephone = {
 ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
 "ext-value",
 ? iodef-ext-type => text,
 iodef-TelephoneNumber => text,
 ? iodef-Description => [+ MLStringType]
}

Discovery = {
 ? iodef-source => "nidps" /"hips" /"siem" /"av" /"third-party-monitoring" / "hips" / "siem" / "av" /
"third-party-monitoring" / "incident" / "os-log" /
"application-log" / "device-log" / "network-flow" /
"passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value",
 ? iodef-ext-source => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-Description => [+ MLStringType],
 ? iodef-Contact => [+ Contact],
 ? iodef-DetectionPattern => [+ DetectionPattern]
}

DetectionPattern = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 (iodef-Description => [+ MLStringType] //
               iodef-DetectionConfiguration => [+ text]),
 iodef-Application => SoftwareType
}

Method = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-Reference => [+ Reference],
 ? iodef-Description => [+ MLStringType],
 ? iodef-AttackPattern => [+ StructuredInfo], STRUCTUREDINFO],
 ? iodef-Vulnerability => [+ StructuredInfo], STRUCTUREDINFO],
 ? iodef-Weakness => [+ StructuredInfo], STRUCTUREDINFO],
 ? iodef-AdditionalData => [+ ExtensionType]
}

StructuredInfo

STRUCTUREDINFO = {
 iodef-SpecID => SpecID,
 ? iodef-ext-SpecID => text,
 ? iodef-ContentID => text,
 ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
 ? iodef-Platform => [+ Platform],
 ? iodef-Scoring => [+ Scoring]
}

Platform = {
    iodef-SpecID => SpecID,
    ? iodef-ext-SpecID => text,
    ? iodef-ContentID => text,
    ? iodef-RawData => [+ BYTE],
    ? iodef-Reference => [+ Reference]
}
Scoring = {
    iodef-SpecID => SpecID,
    ? iodef-ext-SpecID => text,
    ? iodef-ContentID => text,
    ? iodef-RawData => [+ BYTE],
    ? iodef-Reference => [+ Reference]
}
Reference = {
 ? iodef-observable-id => IDtype,
 ? iodef-ReferenceName => ReferenceName,
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType]
}

ReferenceName = {
 iodef-specIndex => integer,
 iodef-ID => IDtype
}

Assessment = {
 ? iodef-occurrence => "actual" / "potential",
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 ? iodef-IncidentCategory => [+ MLStringType],
 iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
          {iodef-BusinessImpact => BusinessImpact /
          {iodef-TimeImpact => TimeImpact} /
          {iodef-MonetaryImpact => MonetaryImpact} /
          {iodef-IntendedImpact => BusinessImpact}],
 ? iodef-Counter => [+ Counter],
 ? iodef-MitigatingFactor => [+ MLStringType],
 ? iodef-Cause => [+ MLStringType],
 ? iodef-Confidence => Confidence,
 ? iodef-AdditionalData => [+ ExtensionType]
}

SystemImpact = {
 ? iodef-severity => "low" / "medium" / "high",
 ? iodef-completion => "failed" / "succeeded",
 iodef-type => "takeover-account" / "takeover-service" /
"takeover-system" / "cps-manipulation" / "cps-damage" /
"availability-data" / "availability-account" /
"availability-service" / "availability-system" / "damaged-system" /
"damaged-data" / "breach-proprietary" / "breach-privacy" /
"breach-credential" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown",
 ? iodef-ext-type => text,
 ? iodef-Description => [+ MLStringType]
}

BusinessImpact = {
? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
"ext-value" .default "unknown",
 ? iodef-ext-severity => text,
 iodef-type => "breach-proprietary" / "breach-privacy" /
"breach-credential" / "loss-of-integrity" / "loss-of-service" /
"theft-financial" / "theft-service" / "degraded-reputation" /
"asset-damage" / "asset-manipulation" / "legal" / "extortion" /
"unknown" / "ext-value" .default "unknown",
 ? iodef-ext-type => text,
 ? iodef-Description => [+ MLStringType]
}

TimeImpact = {
 iodef-value => PositiveFloatType,
 ? iodef-severity => "low" / "medium" / "high",
 iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
 ? iodef-ext-metric => text,
 ? iodef-duration => duration .default "hour",
 ? iodef-ext-duration => text
}

MonetaryImpact = {
 iodef-value => PositiveFloatType,
 ? iodef-severity => "low" / "medium" / "high",
 ? iodef-currency => text
}

Confidence = {
 iodef-value => float32,
 iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
"ext-value",
 ? iodef-ext-rating => text
}

History = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 iodef-HistoryItem => [+ HistoryItem]
}

HistoryItem = {
 iodef-action => action .default "other",
 ? iodef-ext-action => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-DateTime => DATETIME,
 ? iodef-IncidentID => IncidentID,
 ? iodef-Contact => Contact,
 ? iodef-Description => [+ MLStringType],
 ? iodef-DefinedCOA => [+ text],
 ? iodef-AdditionalData => [+ ExtensionType]
}

EventData = {
 ? iodef-restriction => restriction .default "default",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 ? iodef-Description => [+ MLStringType],
 ? iodef-DetectTime => DATETIME,
 ? iodef-StartTime => DATETIME,
 ? iodef-EndTime => DATETIME,
 ? iodef-RecoveryTime => DATETIME,
 ? iodef-ReportTime => DATETIME,
 ? iodef-Contact => [+ Contact],
 ? iodef-Discovery => [+ Discovery],
 ? iodef-Assessment => Assessment,
 ? iodef-Method => [+ Method],
 ? iodef-System => [+ System],
 ? iodef-Expectation => [+ Expectation],
 ? iodef-RecordData => [+ RecordData],
 ? iodef-EventData => [+ EventData],
 ? iodef-AdditionalData => [+ ExtensionType]
}

Expectation = {
 ? iodef-action => action .default "other",
 ? iodef-ext-action => text,
 ? iodef-severity => "low" / "medium" / "high",
 ? iodef-restriction => restriction .default "default",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 ? iodef-Description => [+ MLStringType],
 ? iodef-DefinedCOA => [+ text],
 ? iodef-StartTime => DATETIME,
 ? iodef-EndTime => DATETIME,
 ? iodef-Contact => Contact
}

System = {
 ? iodef-category => "source" / "target" / "intermediate" /
"sensor" / "infrastructure" / "ext-value",
 ? iodef-ext-category => text,
 ? iodef-interface => text,
 ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
 ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
 ? iodef-ownership => "organization" / "personal" / "partner" /
"customer" / "no-relationship" / "unknown" / "ext-value",
 ? iodef-ext-ownership => text,
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-Node => Node,
 ? iodef-NodeRole => [+ NodeRole],
 ? iodef-Service => [+ Service],
 ? iodef-OperatingSystem => [+ SoftwareType],
 ? iodef-Counter => [+ Counter],
 ? iodef-AssetID => [+ text],
 ? iodef-Description => [+ MLStringType],
 ? iodef-AdditionalData => [+ ExtensionType]
}

Node = {
 (iodef-DomainData => [+ DomainData] //
                               iodef-Address => [+ Address]),
 ? iodef-PostalAddress => PostalAddress,
 ? iodef-Location => [+ MLStringType],
 ? iodef-Counter => [+ Counter]
}

Address = {
 iodef-value => text,
 iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
"ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
"ext-value" .default "ipv6-addr",
 ? iodef-ext-category => text,
 ? iodef-vlan-name => text,
 ? iodef-vlan-num => integer,
 ? iodef-observable-id => IDtype
}

NodeRole = {
 iodef-category => "client" / "client-enterprise" /
"client-partner" / "client-remote" / "client-kiosk" /
"client-mobile" / "server-internal" / "server-public" /
"www" / "mail" / "webmail" / "messaging" / "streaming" /
"voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
"credential" / "print" / "application" / "database" /
"backup" / "dhcp" / "assessment" / "source-control" /
"config-management" / "monitoring" / "infra" / "infra-firewall" /
"infra-router" / "infra-switch" / "camera" / "proxy" /
"remote-access" / "log" / "virtualization" / "pos" /  "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hop-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value",
 ? iodef-ext-category => text,
 ? iodef-Description => [+ MLStringType]
}

Counter = {
 iodef-value => float32,
 iodef-type => "count" / "peak" / "average" / "ext-value",
 ? iodef-ext-type => text,
 iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
"alert" / "message" / "event" / "host" / "site" / "organization" /
"ext-value",
 ? iodef-ext-unit => text,
 ? iodef-meaning => text,
 ? iodef-duration => duration .default "hour",
 ? iodef-ext-duration => text
}

DomainData = {
 iodef-system-status => "spoofed" / "fraudulent" /
"innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
 ? iodef-ext-system-status => text,
 iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value",
 ? iodef-ext-domain-status => text,
 ? iodef-observable-id => IDtype,
 iodef-Name => text,
 ? iodef-DateDomainWasChecked => DATETIME,
 ? iodef-RegistrationDate => DATETIME,
 ? iodef-ExpirationDate => DATETIME,
 ? iodef-RelatedDNS => [+ ExtensionType],
 ? iodef-NameServers => [+ NameServers],
 ? iodef-DomainContacts => DomainContacts
}

NameServers = {
 iodef-Server => text,
 iodef-Address => [+ Address]
}

DomainContacts = {
 (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
}

Service = {
 ? iodef-ip-protocol => integer,
 ? iodef-observable-id => IDtype,
 ? iodef-ServiceName => ServiceName,
 ? iodef-Port => integer,
 ? iodef-Portlist => PortlistType,
 ? iodef-ProtoCode => integer,
 ? iodef-ProtoType => integer,
 ? iodef-ProtoField => integer,
 ? iodef-ApplicationHeaderField => [+ ExtensionType],
 ? iodef-EmailData => EmailData,
 ? iodef-Application => SoftwareType
}

ServiceName = {
 ? iodef-IANAService => text,
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType]
}

EmailData = {
 ? iodef-observable-id => IDtype,
 ? iodef-EmailTo => [+ text],
 ? iodef-EmailFrom => text,
 ? iodef-EmailSubject => text,
 ? iodef-EmailX-Mailer => text,
 ? iodef-EmailHeaderField => [+ ExtensionType],
 ? iodef-EmailHeaders => text,
 ? iodef-EmailBody => text,
 ? iodef-EmailMessage => text,
 ? iodef-HashData => [+ HashData],
 ? iodef-Signature => [+ BYTE]
}

RecordData = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 ? iodef-DateTime => DATETIME,
 ? iodef-Description => [+ MLStringType],
 ? iodef-Application => SoftwareType,
 ? iodef-RecordPattern => [+ RecordPattern],
 ? iodef-RecordItem => [+ ExtensionType],
 ? iodef-URL => [+ URLtype],
 ? iodef-FileData => [+ FileData],
 ? iodef-WindowsRegistryKeysModified =>
                                [+ WindowsRegistryKeysModified],
 ? iodef-CertificateData => [+ CertificateData],
 ? iodef-AdditionalData => [+ ExtensionType]
}

RecordPattern = {
 iodef-value => text,
 iodef-type => "regex" / "binary" / "xpath" /
"ext-value"  .default "regex",
 ? iodef-ext-type => text,
 ? iodef-offset => integer,
 ? iodef-offsetunit => "line" / "byte" /
"ext-value" .default "line",
 ? iodef-ext-offsetunit => text,
 ? iodef-instance => integer
}

WindowsRegistryKeysModified = {
 ? iodef-observable-id => IDtype,
 iodef-Key => [+ Key]
}

Key = {
 ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
"delete-value" / "modify-key" / "modify-value" /
"ext-value",
 ? iodef-ext-registryaction => text,
 ? iodef-observable-id => IDtype,
 iodef-KeyName => text,
 ? iodef-KeyValue => text
}

CertificateData = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-Certificate => [+ Certificate]
}

Certificate = {
 ? iodef-observable-id => IDtype,
 iodef-X509Data => BYTE,
 ? iodef-Description => [+ MLStringType]
}

FileData = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? iodef-observable-id => IDtype,
 iodef-File => [+ File]
}

File = {
 ? iodef-observable-id => IDtype,
 ? iodef-FileName => text,
 ? iodef-FileSize => integer,
 ? iodef-FileType => text,
 ? iodef-URL => [+ URLtype],
 ? iodef-HashData => HashData,
 ? iodef-Signature => [+ BYTE],
 ? iodef-AssociatedSoftware => SoftwareType,
 ? iodef-FileProperties => [+ ExtensionType]
}

HashData = {
 iodef-scope => "file-contents" / "file-pe-section" /
"file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
"email-hash" / "email-headers-hash" / "email-body-hash" /
"ext-value",
 ? iodef-HashTargetID => text,
 ? iodef-Hash => [+ Hash],
 ? iodef-FuzzyHash => [+ FuzzyHash]
}

Hash = {
 iodef-DigestMethod => BYTE,
 iodef-DigestValue => BYTE,
 ? iodef-CanonicalizationMethod => BYTE,
 ? iodef-Application => SoftwareType
}

FuzzyHash = {
 iodef-FuzzyHashValue => [+ ExtensionType],
 ? iodef-Application => SoftwareType,
 ? iodef-AdditionalData => [+ ExtensionType]
}

Indicator = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 iodef-IndicatorID => IndicatorID,
 ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
 ? iodef-Description => [+ MLStringType],
 ? iodef-StartTime => DATETIME,
 ? iodef-EndTime => DATETIME,
 ? iodef-Confidence => Confidence,
 ? iodef-Contact => [+ Contact],
 (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
  iodef-IndicatorExpression => IndicatorExpression //
  iodef-IndicatorReference => IndicatorReference),
 ? iodef-NodeRole => [+ NodeRole],
 ? iodef-AttackPhase => [+ AttackPhase],
 ? iodef-Reference => [+ Reference],
 ? iodef-AdditionalData => [+ ExtensionType]
}

IndicatorID = {
 iodef-id => IDtype,
 iodef-name => text,
 iodef-version => text
}

AlternativeIndicatorID = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 iodef-IndicatorID => [+ IndicatorID]
}

Observable = {
 ? iodef-restriction => restriction .default "private",
 ? iodef-ext-restriction => text,
 ? (iodef-System => System // iodef-Address => Address //
    iodef-DomainData => DomainData //
    iodef-EmailData => EmailData //
    iodef-Service => Service //
    iodef-WindowsRegistryKeysModified =>
                                  WindowsRegistryKeysModified //
    iodef-FileData => FileData //iodef-CertificateData =>
                                              CertificateData //
    iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>RecordData =>
                                                  RecordData //
    iodef-EventData => EventData // iodef-Incident => Incident //
    iodef-Expectation => Expectation // iodef-Reference =>
                                                    Reference //
    iodef-Assessment => Assessment //
    iodef-DetectionPattern => DetectionPattern //
    iodef-HistoryItem => HistoryItem //
    iodef-BulkObservable => BulkObservable //
    iodef-AdditionalData => [+ ExtensionType])
}

BulkObservable = {
 ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
"ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
"ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
"domain-to-ipv4" / "domain-to-ipv6" /
"domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
"ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
"email-x-mailer" / "email-subject" / "http-user-agent" /
"http-request-uri" / "mutex" / "file-path" / "user-name" /
"ext-value",
 ? iodef-ext-type => text,
 ? iodef-BulkObservableFormat => BulkObservableFormat,
 iodef-BulkObservableList => text,
 ? iodef-AdditionalData => [+ ExtensionType]
}

BulkObservableFormat = {
 (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
}

IndicatorExpression = {
 ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
 ? iodef-ext-operator => text,
 ? iodef-IndicatorExpression => [+ IndicatorExpression],
 ? iodef-Observable => [+ Observable],
 ? iodef-uid-ref => [+ IDREFType],
 ? iodef-IndicatorReference => [+ IndicatorReference],
 ? iodef-Confidence => Confidence,
 ? iodef-AdditionalData => [+ ExtensionType]
}

IndicatorReference = {
 (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
 ? iodef-version => text
}

AttackPhase = {
 ? iodef-AttackPhaseID => [+ text],
 ? iodef-URL => [+ URLtype],
 ? iodef-Description => [+ MLStringType],
 ? iodef-AdditionalData => [+ ExtensionType]
}
]]></artwork>
]]></sourcecode>
      </figure>
    </section>
    <section anchor="IANA" title="IANA Considerations"> numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document does not require any has no IANA actions.</t>
    </section>
    <section anchor="Security" title="Security Considerations"> numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>This document provides a mapping from XML IODEF defined in <xref target="RFC7970" /> format="default"/> to JSON, and <xref target="mapping" /> format="default"/> describes several issues that arise when converting XML IODEF and JSON IODEF.
Though it does not provide any further security considerations other than the one described in <xref target="RFC7970" />, impelementers format="default"/>, implementers of this document should be aware of those issues to avoid any unintended outcome.</t>
   </section>

   <section anchor="Acknowledgments" title="Acknowledgments">
     <t>We would like to thank Henk Birkholz, Carsten Bormann, Benjamin Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their insightful comments on this document and CDDL.</t>
   </section>

 </middle>

 <!--  *****BACK MATTER ***** -->

 <back>
   <!-- References split into informative and normative -->

   <!-- There are 2 ways to insert reference entries from the citation libraries:
    1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
    2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
       (for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")

    Both are cited textually in the same manner: by using xref elements.
    If you use the PI option, xml2rfc will, by default, try to find included files in the same
    directory as the including file. You can also define the XML_LIBRARY environment variable
    with a value containing a set of directories to search.  These can be either in the local
    filing system or remote ones accessed by http (http://domain/dir/... ).-->

   <references title="Normative References">
     <!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
     &RFC2119;
     &RFC3986;
     &RFC4648;
     &RFC7049;
     &RFC7203;
     &RFC7970;
     &RFC8174;
     &RFC8259;
     &RFC8610;

<!--
     <reference anchor="jsonschema">

       <front>
         <title>JSON Schema</title>

         <author>
           <organization></organization>
         </author>

         <date year="2006" />
       </front>
       <annotation>http://json-schema.org/</annotation>
     </reference>
--> avoid any unintended outcome.</t>
    </section>

  </middle>
 <back>

<displayreference target="I-D.handrews-json-schema-validation" to="JSON-SCHEMA"/>

   <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7049.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7203.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7970.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml"/>
        <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8610.xml"/>

   </references>
      <references>
        <name>Informative References</name>

     <!--draft-handrews-json-schema-validation-02; expired-->
     <xi:include href="https://www.rfc-editor.org/refs/bibxml3/reference.I-D.handrews-json-schema-validation.xml"/>

   </references>

   <references title="Informative References">
     <!-- Here we use entities that we defined at the beginning. -->

     <?rfc include="reference.I-D.handrews-json-schema-validation.xml"?>

     <!-- A reference written by by an organization not a person. -->
    </references>
    <section title="Data anchor="supportedCborDataType" numbered="true" toc="default">
      <name>Data Types used Used in this document" anchor="supportedCborDataType"> This Document</name>
      <t>The CDDL prelude used in this document is mapped to JSON as shown in the table below.</t>

<figure align="center"

<table anchor="cborDataType" title="CDDL align="left">
  <name>CDDL Prelude mapping Mapping in JSON"><artwork align="left"><![CDATA[
+-----------------+-------------------+----------------------------+
| CDDL Prelude    | Use of JSON   |  Instance | Validation         |
+-----------------+-------------------+----------------------------+
| bytes           | n/a           | string    | tool available     |
| text            | string        | string    | unnecessary        |
| tdate           | n/a           | string    | 7.3.1 date-time    |
| integer         | n/a           | number    | integer            |
| eb64legacy      | n/a           | string    | tool available     |
| uri             | n/a           | string    | 7.3.6 uri          |
| float32         | float32       | number    | unnecessary        |
+-----------------+-------------------+----------------------------+
]]></artwork></figure> JSON</name>
  <thead>
    <tr>
      <th>CDDL Prelude</th>
      <th>Use of JSON</th>
      <th>Instance</th>
      <th>Validation</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>bytes</td>
      <td>n/a</td>
      <td>string</td>
      <td>tool available</td>
    </tr>
<tr>
      <td>text</td>
      <td>string</td>
      <td>string</td>
      <td>unnecessary</td>
    </tr>
<tr>
      <td>tdate</td>
      <td>n/a</td>
      <td>string</td>
      <td>date-time per <xref target="I-D.handrews-json-schema-validation" sectionFormat="of" section="7.3.1"/></td>
    </tr>
<tr>
      <td>integer</td>
      <td>n/a</td>
      <td>number</td>
      <td>integer</td>
    </tr>
<tr>
      <td>eb64legacy</td>
      <td>n/a</td>
      <td>string</td>
      <td>tool available</td>
    </tr>
<tr>
      <td>uri</td>
      <td>n/a</td>
      <td>string</td>
      <td>uri per <xref target="I-D.handrews-json-schema-validation" sectionFormat="of" section="7.3.6"/></td>
    </tr>
<tr>
      <td>float32</td>
      <td>float32</td>
      <td>number</td>
      <td>unnecessary</td>
    </tr>
      </tbody>
</table>

    </section>
    <section title="The anchor="jsonSchemaSection" numbered="true" toc="default">
      <name>The IODEF Data Model (JSON Schema)" anchor="jsonSchemaSection">

<t>This Schema)</name>
      <t keepWithNext="true">This section provides a <xref target="I-D.handrews-json-schema-validation">JSON target="I-D.handrews-json-schema-validation" format="default">JSON schema</xref> that defines the IODEF Data Model data model defined in this draft. document. Note that this section is Informative.</t> informative.</t>

      <figure align="center" anchor="jsonSchema" title="JSON schema">
<artwork align="left"><![CDATA[ anchor="jsonSchema">
        <name>JSON Schema</name>
<sourcecode type="json"><![CDATA[
{ "$schema": "http://json-schema.org/draft-04/schema#", "https://json-schema.org/draft-04/schema#",
  "definitions": {
    "action": {"enum": ["nothing","contact-source-site",
       "contact-target-site","contact-sender","investigate",
       "block-host","block-network","block-port","rate-limit-host",
       "rate-limit-network","rate-limit-port","redirect-traffic",
       "honeypot","upgrade-software","rebuild-asset","harden-asset",
       "remediate-other","status-triage","status-new-info",
       "watch-and-report","training","defined-coa","other", ["nothing", "contact-source-site",
       "contact-target-site", "contact-sender", "investigate",
       "block-host", "block-network", "block-port",
       "rate-limit-host", "rate-limit-network",
       "rate-limit-port", "redirect-traffic", "honeypot",
       "upgrade-software", "rebuild-asset", "harden-asset",
       "remediate-other", "status-triage", "status-new-info",
       "watch-and-report", "training", "defined-coa", "other",
       "ext-value"]},
    "duration":{"enum":["second", "minute", "hour", "day",
      "month", "quarter", "year", "ext-value"]},
    "duration":{"enum":["second","minute","hour","day","month",
       "quarter","year","ext-value"]},
    "SpecID":{
      "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]},
      "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2",
       "private"]},
    "lang": {
      "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
      "type":"string", "pattern":
        "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
    "purpose": {"enum": ["traceback","mitigation","reporting","watch",
      "other","ext-value"]},
    "restriction":{"enum":["public","partner","need-to-know","private",
      "default","white","green","amber","red","ext-value"]}, ["traceback", "mitigation",
      "reporting", "watch", "other", "ext-value"]},
    "restriction":{"enum": ["public", "partner",
      "need-to-know", "private", "default", "white", "green",
      "amber", "red", "ext-value"]},
    "status": {"enum": ["new","in-progress","forwarded","resolved",
      "future","ext-value"]}, ["new", "in-progress", "forwarded",
      "resolved", "future", "ext-value"]},
    "DATETIME": {"type": "string","format": "string", "format": "date-time"},
    "BYTE": {"type": "string"},
    "PortlistType": {
      "type": "string","pattern": "string", "pattern":
        "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
    "TimeZonetype": {
      "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
      "type":"string", "pattern":
        "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
    "URLtype": {
      "type": "string",
      "pattern":
        "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
        "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))
          ?(#(.*))?"},
    "IDtype": {"type": "string","pattern": "string", "pattern":
      "[a-zA-Z_][a-zA-Z0-9_.-]*"},
    "IDREFType": {"$ref": "#/definitions/IDtype"},
    "MLStringType": {
      "oneOf": [{"type": "string"},
                {"type": "object",
                  "properties": {
                    "value": {"type": "string"},
                    "lang": {"$ref": "#/definitions/lang"},
                    "translation-id": {"type": "string"}},
                   "required": ["value"],
                   "additionalProperties":false}]},
    "PositiveFloatType": {"type": "number","minimum": "number", "minimum": 0},
    "PAddressType": {"$ref": "#/definitions/MLStringType"},
    "ExtensionType": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "name": {"type": "string"},
        "dtype":{"enum":["boolean","byte","bytes","character",
        "dtype":{"enum":["boolean", "byte", "bytes",
          "character", "json",
          "date-time","ntpstamp","integer","portlist","real","string",
          "file","path","frame","packet","ipv4-packet","ipv6-packet", "date-time", "ntpstamp",
          "integer", "portlist", "real", "string", "file",
          "path", "frame", "packet", "ipv4-packet",
          "ipv6-packet", "url", "csv","winreg","xml","ext-value"],"default": "csv", "winreg",
          "xml", "ext-value"], "default": "string"},
        "ext-dtype": {"type": "string"},
        "meaning": {"type": "string"},
        "formatid": {"type": "string"},
        "restriction": {
          "$ref": "#/definitions/restriction","default": "#/definitions/restriction", "default":
            "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["value","dtype"], ["value", "dtype"],
      "additionalProperties":false},
    "ExtensionTypeList": {
      "type": "array",
      "items": {"$ref": "#/definitions/ExtensionType"},
      "minItems": 1},
    "SoftwareType": {
      "type": "object",
      "properties": {
        "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"},
        "SoftwareReference":{
          "$ref":"#/definitions/SoftwareReference"},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype",
          "minItems": 1}},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1 }},
      "required": [],
      "additionalProperties": false},
    "SoftwareReference": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, ["custom", "cpe", "swid",
          "ext-value"]},
        "ext-spec-name": {"type": "string"},
        "dtype": {"enum": ["bytes","integer","real","string","xml",
                           "ext-value"] , ["bytes", "integer", "real", "string",
          "xml", "ext-value"], "default": "string"},
        "ext-dtype": {"type": "string"}},
      "required": ["spec-name"],
      "additionalProperties": false},
    "StructuredInfo":
    "STRUCTUREDINFO": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1
        },
        "Platform": {
          "type": "array",
          "items": {"$ref": "#/definitions/Platform"},
          "minItems": 1
        },
        "Scoring": {
          "type": "array",
          "items": {"$ref": "#/definitions/Scoring"},
          "minItems": 1}},
      "allOf": [
         {"required": ["SpecID"]},
         {"anyOf": [
           {"oneOf": [
             {"required":["Reference"]},
             {"required":["RawData"]}]},
           { "not" : {"required":["Reference", "RawData"]}}]}],
      "additionalProperties": false},
    "Platform": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1}},
      "required": ["SpecID"],
      "additionalProperties": false},
    "Scoring": {
      "type": "object",
      "properties": {
        "SpecID": {"$ref":"#/definitions/SpecID"},
        "ext-SpecID": {"type": "string"},
        "ContentID": {"type": "string"},
        "RawData": {
           "type": "array",
           "items": {"$ref":"#/definitions/BYTE"},
           "minItems": 1
        },
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1}},
      "required": ["SpecID"],
      "additionalProperties": false},
    "Incident": {
      "title": "Incident",
      "description": "JSON schema for Incident class",
      "type": "object",
      "properties": {
        "purpose": {"$ref": "#/definitions/purpose"},
        "ext-purpose": {"type": "string"},
        "status": {"$ref": "#/definitions/status"},
        "ext-status": {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, {
          "$ref":"#/definitions/AlternativeID"},
        "RelatedActivity": {
          "type": "array",
          "items": {"$ref": "#/definitions/RelatedActivity"},
          "minItems": 1},
        "DetectTime": {"$ref": "#/definitions/DATETIME"},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
        "ReportTime": {"$ref": "#/definitions/DATETIME"},
        "GenerationTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Discovery": {
          "type": "array",
          "items": {"$ref": "#/definitions/Discovery"},
          "minItems": 1},
        "Assessment": {
          "type": "array",
          "items": {"$ref": "#/definitions/Assessment"},
          "minItems": 1},
        "Method": {
          "type": "array",
          "items": {"$ref": "#/definitions/Method"},
          "minItems": 1},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "EventData": {
          "type": "array",
          "items": {"$ref": "#/definitions/EventData"},
          "minItems": 1},
        "Indicator": {
          "type": "array",
          "items": {"$ref": "#/definitions/Indicator"},
          "minItems": 1},
        "History": {"$ref": "#/definitions/History"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IncidentID","GenerationTime","Contact","purpose"], ["IncidentID", "GenerationTime", "Contact",
        "purpose"],
      "additionalProperties": false},
    "IncidentID": {
      "title": "IncidentID",
      "description": "JSON schema for IncidentID class",
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "instance": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"}},
      "required": ["id","name"], ["id", "name"],
      "additionalProperties": false},
    "AlternativeID": {
      "title": "AlternativeID",
      "description": "JSON schema for AlternativeID class",
      "type": "object",
      "properties": {
        "IncidentID": {
          "type": "array",
          "items":{"$ref": "#/definitions/IncidentID"},
          "minItems": 1},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"}},
      "required": ["IncidentID"],
      "additionalProperties": false},
    "RelatedActivity": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IncidentID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IncidentID"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "ThreatActor": {
          "type": "array",
          "items": {"$ref": "#/definitions/ThreatActor"},
          "minItems": 1},
        "Campaign": {
          "type": "array",
          "items": {"$ref": "#/definitions/Campaign"},
          "minItems": 1},
        "IndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorID"},
          "minItems": 1},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Description": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref": "#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "ThreatActor": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "ThreatActorID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "URL": {
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "Campaign": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "CampaignID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "URL": {
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, {
          "$ref":"#/definitions/ExtensionTypeList"}}},
    "Contact": {
      "type": "object",
      "properties": {
        "role": {
          "enum":["creator","reporter","admin","tech","provider","user",
                  "billing","legal","irt","abuse","cc","cc-irt","leo",
                  "vendor","vendor-support","victim","victim-notified",
          "enum":["creator", "reporter", "admin", "tech",
                  "provider", "user", "billing", "legal",
                  "irt", "abuse", "cc", "cc-irt", "leo",
                  "vendor", "vendor-support", "victim",
                  "victim-notified", "ext-value"]},
        "ext-role": {"type": "string"},
        "type": {"enum": ["person","organization","ext-value"]}, {
          "enum": ["person", "organization", "ext-value"]},
        "ext-type": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "ContactName": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "ContactTitle": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "RegistryHandle": {
          "type":"array",
          "items":{"$ref":"#/definitions/RegistryHandle"},
          "minItems": 1},
        "PostalAddress": {
          "type":"array",
          "items":{"$ref":"#/definitions/PostalAddress"},
          "minItems": 1},
        "Email": {
          "type": "array",
          "items": {"$ref": "#/definitions/Email"},
          "minItems": 1},
        "Telephone": {
          "type": "array",
          "items": {"$ref": "#/definitions/Telephone"},
          "minItems": 1},
        "Timezone": {"$ref": "#/definitions/TimeZonetype"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["role","type"], ["role", "type"],
      "additionalProperties": false},
    "RegistryHandle": {
      "type": "object",
      "properties": {
        "handle": {"type": "string"},
        "registry": {
          "enum": ["internic","apnic","arin","lacnic","ripe","afrinic",
                   "local","ext-value"]}, ["internic", "apnic", "arin", "lacnic",
            "ripe", "afrinic", "local", "ext-value"]},
        "ext-registry": {"type": "string"}},
      "required": ["handle","registry"], ["handle", "registry"],
      "additionalProperties": false},
    "PostalAddress": {
      "type": "object",
      "properties": {
        "type": {
          "enum": ["street","mailing","ext-value"]}, ["street", "mailing", "ext-value"]},
        "ext-type": {"type": "string"},
        "PAddress": {"$ref": "#/definitions/PAddressType"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["PAddress"],
      "additionalProperties": false},
    "Email": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["direct","hotline","ext-value"]},
          "enum":["direct", "hotline", "ext-value"]},
        "ext-type": {"type": "string"},
        "EmailTo": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["EmailTo"],
      "additionalProperties": false},
    "Telephone": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["wired","mobile","fax","hotline","ext-value"]},
          "enum":["wired", "mobile", "fax", "hotline",
            "ext-value"]},
        "ext-type": {"type": "string"},
        "TelephoneNumber": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["TelephoneNumber"],
      "additionalProperties": false},
    "Discovery": {
      "type": "object",
      "properties": {
        "source": {
          "enum":["nidps","hips","siem","av","third-party-monitoring",
                  "incident","os-log","application-log","device-log",
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
          "enum":["nidps", "hips", "siem", "av",
            "third-party-monitoring", "incident", "os-log",
            "application-log", "device-log", "network-flow",
            "passive-dns", "investigation", "audit",
            "internal-notification", "external-notification",
            "leo", "partner", "actor", "unknown", "ext-value"]},
        "ext-source": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "DetectionPattern": {
          "type":"array",
          "items":{"$ref":"#/definitions/DetectionPattern"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DetectionConfiguration": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1}},
      "allOf": [
        {"required": ["Application"]},
        {"oneOf": [
          {"required":["Description"]},
          {"required":["DetectionConfiguration"]}]}],
      "additionalProperties": false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AttackPattern": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
          "minItems": 1},
        "Vulnerability": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
          "minItems": 1},
        "Weakness": {
          "type":"array",
          "items":{"$ref":"#/definitions/StructuredInfo"},
          "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, {
          "$ref":"#/definitions/ReferenceName"},
        "URL":{
          "type":"array",
          "items":{"$ref":"#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "ReferenceName" : {
      "type": "object",
      "properties": {
        "specIndex": {"type": "number"},
        "ID": {"$ref":"#/definitions/IDtype"}},
      "required": ["specIndex","ID"], ["specIndex", "ID"],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {"enum":["actual","potential"]}, {"enum":["actual", "potential"]},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Impact": {
         "type": "array",
         "items": {
           "properties": {
             "SystemImpact":{"$ref":"#/definitions/SystemImpact"},
             "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"},
             "SystemImpact":{
               "$ref":"#/definitions/SystemImpact"},
             "BusinessImpact":{
               "$ref":"#/definitions/BusinessImpact"},
             "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
             "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"},
             "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}},
             "MonetaryImpact":{
               "$ref":"#/definitions/MonetaryImpact"},
             "IntendedImpact":{
               "$ref":"#/definitions/BusinessImpact"}},
           "additionalProperties":false},
         "minItems" : 1
        },
        "Counter": {
          "type": "array",
          "items": {"$ref": "#/definitions/Counter"},
          "minItems": 1},
        "MitigatingFactor": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Cause": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Impact"],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {"enum":["low","medium","high"]}, {"enum":["low", "medium", "high"]},
        "completion": {"enum":["failed","succeeded"]}, {"enum":["failed", "succeeded"]},
        "type": {
          "enum":["takeover-account","takeover-service",
            "takeover-system","cps-manipulation","cps-damage",
            "availability-data","availability-account",
            "availability-service","availability-system",
            "damaged-system","damaged-data","breach-proprietary",
            "breach-privacy","breach-credential",
            "breach-configuration","integrity-data",
            "integrity-configuration","integrity-hardware",
            "traffic-redirection","monitoring-traffic",
            "monitoring-host","policy","unknown","ext-value"]},
          "enum":["takeover-account", "takeover-service",
            "takeover-system", "cps-manipulation", "cps-damage",
            "availability-data", "availability-account",
            "availability-service", "availability-system",
            "damaged-system", "damaged-data",
            "breach-proprietary", "breach-privacy",
            "breach-credential", "breach-configuration",
            "integrity-data", "integrity-configuration",
            "integrity-hardware", "traffic-redirection",
            "monitoring-traffic", "monitoring-host",
            "policy", "unknown", "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {"enum":["none","low","medium","high","unknown",
                     "ext-value"],"default": {"enum":["none", "low", "medium", "high",
          "unknown", "ext-value"], "default": "unknown"},
        "ext-severity": {"type":"string"},
        "type": {"enum":["breach-proprietary","breach-privacy",
          "breach-credential","loss-of-integrity","loss-of-service",
          "theft-financial","theft-service","degraded-reputation",
          "asset-damage","asset-manipulation","legal","extortion",
          "unknown","ext-value"]}, {"enum":["breach-proprietary",
          "breach-privacy", "breach-credential",
          "loss-of-integrity", "loss-of-service",
          "theft-financial", "theft-service",
          "degraded-reputation", "asset-damage",
          "asset-manipulation", "legal", "extortion",
          "unknown", "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"$ref": "#/definitions/PositiveFloatType"},
        "severity": {"enum": ["low","medium","high"]}, ["low", "medium", "high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, ["labor", "elapsed", "downtime",
          "ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration","default": {
          "$ref":"#/definitions/duration", "default": "hour"},
        "ext-duration": {"type": "string"}},
      "required": ["value","metric"], ["value", "metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"$ref": "#/definitions/PositiveFloatType"},
        "severity": {"enum":["low","medium","high"]}, {"enum":["low", "medium", "high"]},
        "currency": {"type": "string"}},
      "required": ["value"],
      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "rating": {"enum": ["low","medium","high","numeric","unknown", ["low", "medium", "high", "numeric",
                   "unknown", "ext-value"]},
        "ext-rating": {"type":"string"}},
      "required": ["value","rating"], ["value", "rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array",
          "items": {"$ref": "#/definitions/HistoryItem"},
          "minItems": 1}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action","default": {
          "$ref": "#/definitions/action", "default": "other"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DefinedCOA": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"], ["DateTime", "action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array",
          "items": { "$ref":"#/definitions/MLStringType"}},
        "DetectTime": {"$ref": "#/definitions/DATETIME"},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
        "ReportTime": {"$ref": "#/definitions/DATETIME"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "Discovery": {
          "type": "array",
          "items": {"$ref": "#/definitions/Discovery"},
          "minItems": 1},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array",
          "items": {"$ref": "#/definitions/Method"},
          "minItems": 1},
        "System": {
          "type": "array",
          "items": {"$ref": "#/definitions/System"},
          "minItems": 1},
        "Expectation": {
          "type": "array",
          "items": {"$ref": "#/definitions/Expectation"},
          "minItems": 1},
        "RecordData": {
          "type": "array",
          "items": {"$ref": "#/definitions/RecordData"},
          "minItems": 1},
        "EventData": {
          "type": "array",
          "items": {"$ref": "#/definitions/EventData"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action","default": {
          "$ref":"#/definitions/action", "default": "other"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]}, ["low", "medium", "high"]},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "default"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "DefinedCOA": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor",
                   "infrastructure","ext-value"]}, ["source", "target", "intermediate", "sensor",
                   "infrastructure", "ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, {
          "enum": ["unknown", "yes", "no"], "default":"unknown"},
        "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, {
          "enum": ["yes", "no", "unknown"], "default":"unknown"},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
          "enum":["organization", "personal", "partner",
                  "customer", "no-relationship", "unknown",
                  "ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array",
          "items": {"$ref": "#/definitions/NodeRole"},
          "minItems": 1},
        "Service": {
          "type": "array",
          "items": {"$ref": "#/definitions/Service"},
          "minItems": 1},
        "OperatingSystem": {
          "type": "array",
          "items": {"$ref": "#/definitions/SoftwareType"},
          "minItems": 1},
        "Counter": {
          "type": "array",
          "items": {"$ref": "#/definitions/Counter"},
          "minItems": 1},
        "AssetID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array",
          "items": {"$ref": "#/definitions/DomainData"},
          "minItems": 1},
        "Address": {
          "type": "array",
          "items": {"$ref": "#/definitions/Address"},
          "minItems": 1},
        "PostalAddress": {"$ref": {
          "$ref": "#/definitions/PostalAddress"},
        "Location": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Counter": {
          "type":"array",
          "items":{"$ref":"#/definitions/Counter"},
          "minItems": 1}},
      "anyOf": [
         {"required": ["DomainData"]},
         {"required": ["Address"]}
      ],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
          "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net",
            "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
            "ipv6-net-masked","mac","site-uri","ext-value"],
          "enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
            "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
            "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
            "ext-value"], "default": "ipv6-addr"},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "number"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["value","category"], ["value", "category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","client-partner",
            "client-remote","client-kiosk","client-mobile",
            "server-internal","server-public","www","mail","webmail",
            "messaging","streaming","voice","file","ftp","p2p","name",
            "directory","credential","print","application","database",
            "backup","dhcp","assessment","source-control",
            "config-management","monitoring","infra","infra-firewall",
            "infra-router","infra-switch","camera","proxy",
            "remote-access","log","virtualization","pos",
          "enum":["client", "client-enterprise",
            "client-partner", "client-remote", "client-kiosk",
            "client-mobile", "server-internal", "server-public",
            "www", "mail", "webmail", "messaging", "streaming",
            "voice", "file", "ftp", "p2p", "name", "directory",
            "credential", "print", "application", "database",
            "backup", "dhcp", "assessment", "source-control",
            "config-management", "monitoring", "infra",
            "infra-firewall", "infra-router", "infra-switch",
            "camera", "proxy", "remote-access", "log",
            "virtualization", "pos", "scada",
            "scada-supervisory","sinkhole","honeypot","anomyzation",
            "c2-server","malware-distribution","drop-server",
            "hop-point","reflector","phishing-site",
            "spear-phishing-site","recruiting-site","fraudulent-site",
            "scada-supervisory", "sinkhole", "honeypot",
            "anomyzation", "c2-server", "malware-distribution",
            "drop-server", "hop-point", "reflector",
            "phishing-site", "spear-phishing-site",
            "recruiting-site", "fraudulent-site",
            "ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "type": {"enum": ["count","peak","average","ext-value"]}, {
          "enum": ["count", "peak", "average", "ext-value"]},
        "ext-type": {"type": "string"},
        "unit":{"enum":["byte","mbit","packet","flow","session","alert",
          "message","event","host","site","organization","ext-value"]},
        "unit":{"enum":["byte", "mbit", "packet", "flow",
          "session", "alert", "message", "event", "host",
          "site", "organization", "ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration","default": {
          "$ref":"#/definitions/duration", "default": "hour"},
        "ext-duration": {"type": "string"}},
      "required": ["value","type","unit"], ["value", "type", "unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]}, ["spoofed", "fraudulent", "innocent-hacked",
            "innocent-hijacked", "unknown", "ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [ "reservedDelegation","assignedAndActive",
                    "assignedAndInactive","assignedAndOnHold","revoked",
                    "transferPending","registryLock","registrarLock",
                    "other","unknown","ext-value"]}, "reservedDelegation", "assignedAndActive",
                    "assignedAndInactive", "assignedAndOnHold",
                    "revoked", "transferPending",
                    "registryLock", "registrarLock",
                    "other", "unknown", "ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": {
          "$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": {
          "$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "NameServers": {
          "type": "array",
          "items": {"$ref": "#/definitions/NameServers"},
          "minItems": 1},
        "DomainContacts": {"$ref": {
          "$ref": "#/definitions/DomainContacts"}},
      "required": ["Name","system-status","domain-status"], ["Name", "system-status", "domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {
          "type":"array",
          "items":{"$ref":"#/definitions/Address"},
          "minItems": 1}},
      "required": ["Server","Address"], ["Server", "Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {
          "type":"array",
          "items":{"$ref":"#/definitions/Contact"},
          "minItems": 1}},
      "oneOf": [
         {"required": ["SameDomainContact"]},
         {"required": ["Contact"]}],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "number"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "number"},
        "Portlist": {"$ref": "#/definitions/PortlistType"},
        "ProtoCode": {"type": "number"},
        "ProtoType": {"type": "number"},
        "ProtoField": {"type": "number"},
        "ApplicationHeaderField":{
          "$ref":"#/definitions/ExtensionTypeList"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": {
          "$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {
          "type": "array","items": {"$ref": "array", "items": {
            "$ref": "#/definitions/URLtype"}},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array",
          "items": {"$ref": "#/definitions/HashData"},
          "minItems": 1},
        "Signature": {
          "type": "array",
          "items": {"$ref": "#/definitions/BYTE"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array",
          "items": {"$ref": "#/definitions/RecordPattern"},
          "minItems": 1},
        "RecordItem": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "FileData": {
          "type": "array",
          "items": {"$ref": "#/definitions/FileData"},
          "minItems": 1},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, {
            "$ref":"#/definitions/WindowsRegistryKeysModified"},
          "minItems": 1},
        "CertificateData": {
          "type":"array",
          "items":{"$ref":"#/definitions/CertificateData"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"], {
          "enum": ["regex", "binary", "xpath", "ext-value"],
          "default": "regex"},
        "ext-type": {"type": "string"},
        "offset": {"type": "number"},
        "offsetunit": {"enum":["line","byte","ext-value"] {"enum":["line", "byte", "ext-value"] ,
                       "default": "line"},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "number"}},
      "required": ["value","type"], ["value", "type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Key": {
          "type": "array",
          "items": {"$ref": "#/definitions/Key"},
          "minItems": 1}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
                          "delete-value","modify-key","modify-value", ["add-key", "add-value",
                          "delete-key", "delete-value",
                          "modify-key", "modify-value",
                          "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array",
          "items": {"$ref": "#/definitions/Certificate"},
          "minItems": 1}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {"$ref": "#/definitions/BYTE"},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {
          "type": "array",
          "items": {"$ref": "#/definitions/File"},
          "minItems": 1}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "FileName": {"type": "string"},
        "FileSize": {"type": "number"},
        "FileType": {"type": "string"},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {
          "type": "array",
          "items": {"$ref": "#/definitions/BYTE"},
          "minItems": 1},
        "AssociatedSoftware": {"$ref": {
          "$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type":"array",
          "items":{"$ref":"#/definitions/ExtensionType"},
          "minItems": 1}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section",
          "file-pe-iat","file-pe-resource","file-pdf-object",
          "email-hash","email-headers-hash","email-body-hash", ["file-contents", "file-pe-section",
          "file-pe-iat", "file-pe-resource", "file-pdf-object",
          "email-hash", "email-headers-hash", "email-body-hash",
          "ext-value"]},
        "HashTargetID": {"type": "string"},
        "Hash": {
          "type": "array",
          "items": {"$ref": "#/definitions/Hash"},
          "minItems": 1},
        "FuzzyHash": {
          "type": "array",
          "items": {"$ref": "#/definitions/FuzzyHash"},
          "minItems": 1}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"$ref": "#/definitions/BYTE"},
        "DigestValue": {"$ref": "#/definitions/BYTE"},
        "CanonicalizationMethod": {"$ref": {
          "$ref": "#/definitions/BYTE"},
        "Application": {"$ref": {
          "$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"], ["DigestMethod", "DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array",
          "items": {"$ref": "#/definitions/ExtensionType"},
          "minItems": 1},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": {
            "$ref": "#/definitions/AlternativeIndicatorID"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array",
          "items": {"$ref": "#/definitions/Contact"},
          "minItems": 1},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"$ref": "#/definitions/IDREFType"},
        "IndicatorExpression":{
         "$ref":"#/definitions/IndicatorExpression"},
        "IndicatorReference":{
         "$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array",
          "items": {"$ref": "#/definitions/NodeRole"},
          "minItems": 1},
        "AttackPhase": {
          "type": "array",
          "items": {"$ref": "#/definitions/AttackPhase"},
          "minItems": 1},
        "Reference": {
          "type": "array",
          "items": {"$ref": "#/definitions/Reference"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "allOf": [
        {"required": ["IndicatorID"]},
        {"oneOf": [
          {"required":["Observable"]},
          {"required":["uid-ref"]},
          {"required":["IndicatorExpression"]},
          {"required":["IndicatorReference"]}]}],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["id","name","version"], ["id", "name", "version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
          "default": "private"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorID"},
          "minItems": 1}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction",
                        "default": "private"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": {
          "$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": {
          "$ref": "#/definitions/RegistryHandle"},
        "RecordData":  {"$ref": "#/definitions/RecordData"},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": {
          "$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"$ref": {
          "$ref": "#/definitions/BulkObservable"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
        "oneOf": [
          {"required":["System"]},
          {"required":["Address"]},
          {"required":["DomainData"]},
          {"required":["EmailData"]},
          {"required":["Service"]},
          {"required":["WindowsRegistryKeysModified"]},
          {"required":["FileData"]},
          {"required":["CertificateData"]},
          {"required":["RegistryHandle"]},
          {"required":["RecordData"]},
          {"required":["EventData"]},
          {"required":["Incident"]},
          {"required":["Expectation"]},
          {"required":["Reference"]},
          {"required":["Assessment"]},
          {"required":["DetectionPattern"]},
          {"required":["HistoryItem"]},
          {"required":["BulkObservable"]},
          {"required":["AdditionalData"]}],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
          "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask",
          "mac","site-uri","domain-name","domain-to-ipv4",
          "domain-to-ipv6","domain-to-ipv4-timestamp",
          "domain-to-ipv6-timestamp","ipv4-port","ipv6-port",
          "windows-reg-key","file-hash","email-x-mailer",
          "email-subject","http-user-agent","http-request-url",
          "mutex","file-path","user-name","ext-value"]}, ["asn", "atm", "e-mail", "ipv4-addr",
          "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net",
          "ipv6-net-mask", "mac", "site-uri", "domain-name",
          "domain-to-ipv4", "domain-to-ipv6",
          "domain-to-ipv4-timestamp",
          "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port",
          "windows-reg-key", "file-hash", "email-x-mailer",
          "email-subject", "http-user-agent",
          "http-request-url", "mutex", "file-path", "user-name",
          "ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormat":{
          "$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["BulkObservableList"],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "oneOf": [
         {"required": ["Hash"]},
         {"required": ["AdditionalData"]}
      ],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"],"default": {
          "enum": ["not", "and", "or", "xor"], "default": "and"},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": {
            "$ref": "#/definitions/IndicatorExpression"},
          "minItems": 1},
        "Observable": {
          "type": "array",
          "items": {"$ref": "#/definitions/Observable"},
          "minItems": 1},
        "uid-ref": {
          "type": "array",
          "items": {"$ref": "#/definitions/IDREFType"},
          "minItems": 1},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": {
            "$ref": "#/definitions/IndicatorReference"},
          "minItems": 1},
        "Confidence": {"$ref":"#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"$ref":"#/definitions/IDREFType"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "oneOf": [
         {"required": ["uid-ref"]},
         {"required": ["euid-ref"]}
      ],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {
          "type": "array",
          "items": {"type": "string"},
          "minItems": 1},
        "URL": {
          "type": "array",
          "items": {"$ref": "#/definitions/URLtype"},
          "minItems": 1},
        "Description": {
          "type": "array",
          "items": {"$ref": "#/definitions/MLStringType"},
          "minItems": 1},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
          "$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array",
      "items": {"$ref": "#/definitions/Incident"},
      "minItems": 1},
    "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, {
      "$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"], ["version", "Incident"],
  "additionalProperties": false}
]]></artwork>
]]></sourcecode>
      </figure>
    </section>

<section anchor="Acknowledgments" numbered="false" toc="default">
      <name>Acknowledgments</name>

      <t>We would like to thank <contact fullname="Henk Birkholz"/>, <contact
      fullname="Carsten Bormann"/>, <contact fullname="Benjamin Kaduk"/>,
      <contact fullname="Alexey Melnikov"/>, <contact fullname="Yasuaki
      Morita"/>, and <contact fullname="Takahiko Nagata"/> for their
      insightful comments on this document and CDDL.</t>
    </section>

  </back>
</rfc>