rfc8727xml2.original.xml   rfc8727.xml 
<?xml version="1.0" encoding="US-ASCII"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- This template is for creating an Internet Draft using xml2rfc, <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.2119.xml">
<!ENTITY RFC3986 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.3986.xml">
<!ENTITY RFC4648 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.4648.xml">
<!ENTITY RFC7049 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7049.xml">
<!ENTITY RFC7203 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7203.xml">
<!ENTITY RFC7970 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.7970.xml">
<!ENTITY RFC8174 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8174.xml">
<!ENTITY RFC8259 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8259.xml">
<!ENTITY RFC8610 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC
.8610.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds
might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="std" docName="draft-ietf-mile-jsoniodef-14" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic
ipr values: trust200902, noModificationTrust200902, noDerivativesTrust200902
,
or pre5378Trust200902
you can add the attributes updates="NNNN" and obsoletes="NNNN"
they will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** --> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category=" std" consensus="true" docName="draft-ietf-mile-jsoniodef-14" number="8727" ipr=" trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="4 " symRefs="true" sortRefs="true" version="3">
<front> <front>
<!-- The abbreviated title is used in the page header - it is only necessary <title abbrev="JSON-IODEF">JSON Binding of the Incident Object Description Ex
if the change Format</title>
full title is longer than 39 characters --> <seriesInfo name="RFC" value="8727"/>
<author fullname="Takeshi Takahashi" initials="T." surname="Takahashi">
<organization abbrev="NICT"> National Institute of Information and Communi
cations Technology</organization>
<address>
<postal>
<extaddr></extaddr>
<street>4-2-1 Nukui-Kitamachi</street>
<region>Koganei, Tokyo</region>
<code>184-8795</code>
<country>Japan</country>
</postal>
<phone>+81 42 327 5862</phone>
<email>takeshi_takahashi@nict.go.jp</email>
</address>
</author>
<author fullname="Roman Danyliw" initials="R." surname="Danyliw">
<organization abbrev="CERT">CERT, Software Engineering Institute, Carnegie
Mellon University</organization>
<address>
<postal>
<street>4500 Fifth Avenue</street>
<city>Pittsburgh</city>
<region>PA</region>
<country>United States of America</country>
</postal>
<email>rdd@cert.org</email>
</address>
</author>
<author fullname="Mio Suzuki" initials="M." surname="Suzuki">
<organization abbrev="NICT"> National Institute of Information and Communi
cations Technology</organization>
<address>
<postal>
<extaddr></extaddr>
<street>4-2-1 Nukui-Kitamachi</street>
<region>Koganei, Tokyo</region>
<code>184-8795</code>
<country>Japan</country>
</postal>
<email>mio@nict.go.jp</email>
</address>
</author>
<date year="2020" month="August" />
<title abbrev="JSON-IODEF">JSON binding of IODEF</title> <area>Security</area>
<workgroup>MILE</workgroup>
<!-- add 'role="editor"' below for the editors if appropriate --> <keyword>CBOR</keyword>
<keyword>JSON</keyword>
<keyword>IODEF</keyword>
<!-- Another author who claims to be an editor --> <abstract>
<t>The Incident Object Description Exchange Format (IODEF) defined in RFC
7970 provides an information model and a corresponding XML data model for exchan
ging incident and indicator information. This document gives implementers and op
erators an alternative format to exchange the same information by defining an al
ternative data model implementation in JSON and its encoding in Concise Binary O
bject Representation (CBOR).</t>
</abstract>
</front>
<middle>
<section numbered="true" toc="default">
<name>Introduction</name>
<t><xref target="RFC7970" format="default">The Incident Object Description
Exchange Format (IODEF)</xref> defines a data representation for security incid
ent reports and indicators commonly exchanged by operational security teams. It
facilitates the automated exchange of this information to enable mitigation and
watch-and-warning. An information model using Unified Modeling Language (UML)
is defined in <xref target="RFC7970" sectionFormat="of" section="3"/> and a corr
esponding Extensible Markup Language (XML) schema data model is defined in <xref
target="RFC7970" sectionFormat="of" section="8"/>. This UML-based information
model and XML-based data model are referred to as IODEF UML and IODEF XML, respe
ctively, in this document.</t>
<author fullname="Takeshi Takahashi" initials="T.T." surname="Takahashi"> <t>IODEF documents are structured and thus suitable for machine processing
<organization abbrev="NICT"> National Institute of Information and Communic . They will streamline incident response operations.
ations Technology</organization> Another well-used and structured format that is suitable for machine processing
<address> is <xref target="RFC8259" format="default">JavaScript Object Notation (JSON)</xr
<postal> ef>.
<street>4-2-1 Nukui-Kitamachi</street> To facilitate the automation of incident response operations, IODEF documents an
<city>Koganei</city> d implementations should support JSON representation and its encoding in <xref t
<region>Tokyo</region> arget="RFC7049" format="default">Concise Binary Object Representation (CBOR)</xr
<code>184-8795</code> ef>.</t>
<country>Japan</country>
</postal>
<phone>+81 42 327 5862</phone> <t>This document defines an alternate implementation of the IODEF UML info rmation model by specifying a JSON data model using <xref target="RFC8610" forma t="default">Concise Data Definition Language (CDDL)</xref> and a JSON Schema <xr ef target="I-D.handrews-json-schema-validation" format="default"/>. This JSON d ata model is referred to as IODEF JSON in this document. IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alter native format to exchange the same information.</t>
<email>takeshi_takahashi@nict.go.jp</email> <t>The normative IODEF JSON data model is found in <xref target="cddlSecti
on" format="default"/>. Sections <xref target="dt" format="counter"/> and <xref
target="dm" format="counter"/> describe the data types and elements of this dat
a model. <xref target="examples" format="default"/> provides examples. </t>
<section numbered="true" toc="default">
<name>Requirements Language</name>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section>
</section>
<section anchor="dt" numbered="true" toc="default">
<name>IODEF Data Types</name>
<t>IODEF JSON implements the abstract data types specified in <xref target
="RFC7970" sectionFormat="of" section="2"/>.</t>
<section numbered="true" toc="default">
<name>Abstract Data Type to JSON Data Type Mapping</name>
<t>IODEF JSON uses native and derived JSON data types. <xref target="dtm
ap" format="default"/> describes the mapping between the abstract data types in
<xref target="RFC7970" sectionFormat="of" section="2"/> and their corresponding
implementations in IODEF JSON.</t>
<!-- uri and facsimile elements may also be added --> <table anchor="dtmap" align="left">
</address> <name>JSON Data Types</name>
</author> <thead>
<author fullname="Roman Danyliw" initials="R.D." surname="Danyliw"> <tr>
<organization abbrev="CERT">CERT, Software Engineering Institute, Carnegie <th>IODEF Data Type</th>
Mellon University</organization> <th>Reference</th>
<address> <th>JSON Data Type</th>
<postal> </tr>
<street>4500 Fifth Avenue</street> </thead>
<city>Pittsburgh</city> <tbody>
<region>PA</region> <tr>
<country>USA</country> <td>INTEGER</td>
</postal> <td><xref target="RFC7970" sectionFormat="of" section="2.1"/></td>
<td>integer; see <xref target="integer"/></td>
</tr>
<tr>
<td>REAL</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.2"/></td>
<td>"number" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>CHARACTER</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>STRING</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.3"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>ML_STRING</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.4"/></td>
<td>see <xref target="ml_string"/></td>
</tr>
<tr>
<td>BYTE</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>BYTE[]</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.5.1"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>HEXBIN</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>HEXBIN[]</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.5.2"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>ENUM</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.6"/></td>
<td>see <xref target="enum"/></td>
</tr>
<tr>
<td>DATETIME</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.7"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>TIMEZONE</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.8"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>PORTLIST</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.9"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>POSTAL</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.10"/></td>
<td>ML_STRING; see <xref target="ml_string"/></td>
</tr>
<tr>
<td>PHONE</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.11"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>EMAIL</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.12"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>URL</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.13"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>ID</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>IDREF</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.14"/></td>
<td>"string" per <xref target="RFC8259"/></td>
</tr>
<tr>
<td>SOFTWARE</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.15"/></td>
<td>see <xref target="software"/></td>
</tr>
<tr>
<td>STRUCTUREDINFO</td>
<td><xref target="RFC7203" sectionFormat="of" section="4.4"/></td>
<td>see <xref target="STRUCTUREDINFO"/></td>
</tr>
<tr>
<td>EXTENSION</td>
<td><xref target="RFC7970" sectionFormat="of" section="2.16"/></td>
<td>see <xref target="extension"/></td>
</tr>
</tbody>
</table>
<email>rdd@cert.org</email> <table anchor="dtmap_cbor" align="left">
<name>CBOR Data Types</name>
<thead>
<tr>
<th>IODEF Data Type</th>
<th>CBOR Data Type</th>
<th>CDDL Prelude <xref target="RFC8610"/></th>
</tr>
</thead>
<tbody>
<tr>
<td>INTEGER</td>
<td> 0, 1, 6 tag 2, 6 tag 3</td>
<td>integer</td>
</tr>
<tr>
<td>REAL</td>
<td>7 bits 26</td>
<td>float32</td>
</tr>
<tr>
<td>CHARACTER</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>STRING</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>ML_STRING</td>
<td>5</td>
<td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of
"/>)</td>
</tr>
<tr>
<td>BYTE</td>
<td>6 tag 22</td>
<td>eb64legacy</td>
</tr>
<tr>
<td>BYTE[]</td>
<td>6 tag 22</td>
<td>eb64legacy</td>
</tr>
<tr>
<td>HEXBIN</td>
<td>6 tag 23</td>
<td>eb16</td>
</tr>
<tr>
<td>HEXBIN[]</td>
<td>6 tag 23</td>
<td>eb16</td>
</tr>
<tr>
<td>ENUM</td>
<td>-</td>
<td>Choices (<xref target="RFC8610" section="2.2.2" sectionFormat="of"/>)<
/td>
</tr>
<tr>
<td>DATETIME</td>
<td>6 tag 0</td>
<td>tdate</td>
</tr>
<tr>
<td>TIMEZONE</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>PORTLIST</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>POSTAL</td>
<td>3</td>
<td>ML_STRING (<xref target="ml_string"/>)</td>
</tr>
<tr>
<td>PHONE</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>EMAIL</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>URL</td>
<td>6 tag 32</td>
<td>uri</td>
</tr>
<tr>
<td>ID</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>IDREF</td>
<td>3</td>
<td>text</td>
</tr>
<tr>
<td>SOFTWARE</td>
<td>5</td>
<td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of
"/>)</td>
</tr>
<tr>
<td>STRUCTUREDINFO</td>
<td>5</td>
<td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of
"/>)</td>
</tr>
<tr>
<td>EXTENSION</td>
<td>5</td>
<td>Maps/Structs (<xref target="RFC8610" section="3.5.1" sectionFormat="of
"/>)</td>
</tr>
</tbody>
</table>
<!-- uri and facsimile elements may also be added --> </section>
</address> <section numbered="true" toc="default">
</author> <name>Complex JSON Types</name>
<author fullname="Mio Suzuki" initials="M.S." surname="Suzuki"> <section numbered="true" toc="default" anchor="integer">
<organization abbrev="NICT"> National Institute of Information and Communic <name>Integer</name>
ations Technology</organization> <t>An integer is a subset of the "number" type of JSON, which represen
<address> ts signed digits encoded in Base 10. The definition of this integer is "[ minus
<postal> ] int" per <xref target="RFC8259" sectionFormat="comma" section="6"/>.</t>
<street>4-2-1 Nukui-Kitamachi</street> </section>
<city>Koganei</city> <section numbered="true" toc="default" anchor="ml_string">
<region>Tokyo</region> <name>Multilingual Strings</name>
<code>184-8795</code> <t>A string that needs to be represented in a human-readable language
<country>Japan</country> different from the default encoding of the document is represented in the inform
</postal> ation model by the ML_STRING data type. This data type is implemented as either
an object with "value", "lang", and "translation-id" elements or a text string a
s defined in <xref target="cddlSection" format="default"/>. An example is shown
below.</t>
<sourcecode type=""><![CDATA[
"MLStringType": {
"value": "free-form text", # STRING
"lang": "en", # ENUM
"translation-id": "jp2en0023" # STRING
}
]]></sourcecode>
<t>Note that in figures throughout this document, some supplementary i
nformation follows "#", but these are not valid syntax in JSON; instead, they ar
e intended to facilitate reader understanding.</t>
</section>
<section numbered="true" toc="default" anchor="enum">
<name>Enum</name>
<t>Enum is an ordered list of acceptable string values. Each value has
a representative keyword. Within the data model, the enumerated type keywords
are used as attribute values.</t>
</section>
<section numbered="true" toc="default" anchor="software">
<name>Software and Software Reference</name>
<t>A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by using a refer
ence, <xref target="RFC3986" format="default">a Uniform Resource Locator (URL)</
xref>, or free-form text. The SOFTWARE data type is implemented as an object wit
h "SoftwareReference", "URL", and "Description" elements as defined in <xref tar
get="cddlSection" format="default"/>. Examples are shown below.</t>
<sourcecode type=""><![CDATA[
"SoftwareType": {
"SoftwareReference": {...}, # SoftwareReference
"Description": ["MS Windows"] # STRING
}
]]></sourcecode>
<t>SoftwareReference class is a reference to a particular version of s
oftware. Examples are shown below.</t>
<sourcecode type=""><![CDATA[
"SoftwareReference": {
"value": "cpe:/a:google:chrome:59.0.3071.115", # STRING
"spec-name": "cpe", # ENUM
"dtype": "string" # ENUM
}
]]></sourcecode>
</section>
<section anchor="STRUCTUREDINFO" numbered="true" toc="default">
<name>Structured Information</name>
<t>Information provided in the form of a structured string, such as an
ID, or structured information, such as XML documents, is represented in the inf
ormation model by the STRUCTUREDINFO data type. Note that this type was original
ly specified in <xref target="RFC7203" sectionFormat="of" section="4.4"/> as a b
asic structure of its extension classes. The STRUCTUREDINFO data type is impleme
nted as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", and "Refe
rence" elements. An example for embedding a structured ID is shown below.</t>
<sourcecode type=""><![CDATA[
"STRUCTUREDINFO": {
"SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM
"ContentID": "CWE-89" # STRING
}
]]></sourcecode>
<t>When embedding the raw data, it should be encoded as a BYTE type ob
ject, as shown below.</t>
<sourcecode type=""><![CDATA[
"STRUCTUREDINFO": {
"SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM
"RawData": "<<< encoded structured data >>>" # BYTE
}
]]></sourcecode>
<t>When embedding the raw data, base64 encoding defined in <xref targe
t="RFC4648" sectionFormat="of" section="4"/> <bcp14>MUST</bcp14> be used for JSO
N IODEF while binary representation <bcp14>MUST</bcp14> be used for CBOR IODEF.<
/t>
</section>
<section numbered="true" toc="default" anchor="extension">
<name>EXTENSION</name>
<t>Information not otherwise represented in the IODEF can be added usi
ng the EXTENSION data type. This data type is a generic extension mechanism. Th
e EXTENSION data type is implemented as an ExtensionType object with "value", "n
ame", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restricti
on", and "observable-id" elements. An example for embedding a structured ID is s
hown below.</t>
<sourcecode type=""><![CDATA[
"ExtensionType": {
"value": "xxxxxxx", # STRING
"name": "Syslog", # STRING
"dtype": "string", # ENUM
"meaning": "Syslog from the security appliance X" # STRING
}
]]></sourcecode>
<t>Note that this data type is specified in <xref target="RFC7970" for
mat="default"/> as its generic extension mechanism. If a data item has internal
structure that is intended to be processed outside of the IODEF framework, one m
ay consider using the STRUCTUREDINFO data type mentioned in <xref target="STRUCT
UREDINFO" format="default"/>.</t>
</section>
</section>
</section>
<section anchor="dm" numbered="true" toc="default">
<name>IODEF JSON Data Model</name>
<section numbered="true" toc="default">
<name>Classes and Elements</name>
<t> The following table shows the list of IODEF classes and their elemen
ts and the corresponding sections in <xref target="RFC7970" format="default"/>.
Note that the complete JSON schema is defined in <xref target="cddlSection" form
at="default"/> using CDDL.</t>
<email>mio@nict.go.jp</email> <table anchor="iodef_classes" align="left">
<name>IODEF Classes</name>
<thead>
<tr>
<th>IODEF Class</th>
<th>Class, Element, and Attribute</th>
<th>Section in <xref target="RFC7970"/></th>
</tr>
</thead>
<tbody>
<tr>
<td>IODEF-Document</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>version</li>
<li>lang?</li>
<li>format-id?</li>
<li>private-enum-name?</li>
<li>private-enum-id?</li>
<li>Incident+</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.1"/></td>
</tr>
<!-- uri and facsimile elements may also be added --> <tr>
</address> <td>Incident</td>
</author> <td><ul bare="true" empty="true" spacing="compact">
<li>purpose</li>
<li>ext-purpose?</li>
<li>status?</li>
<li>ext-status?</li>
<li>lang?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>IncidentID</li>
<li>AlternativeID?</li>
<li>RelatedActivity*</li>
<li>DetectTime?</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>RecoveryTime?</li>
<li>ReportTime?</li>
<li>GenerationTime</li>
<li>Description*</li>
<li>Discovery*</li>
<li>Assessment*</li>
<li>Method*</li>
<li>Contact+</li>
<li>EventData*</li>
<li>Indicator*</li>
<li>History?</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.2"/></td>
</tr>
<date year="2020" /> <tr>
<td>IncidentID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>id</li>
<li>name</li>
<li>instance?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.4"/></td>
</tr>
<tr>
<td>AlternativeID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IncidentID+</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.5"/></td>
</tr>
<tr>
<td>RelatedActivity</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IncidentID*</li>
<li>URL*</li>
<li>ThreatActor*</li>
<li>Campaign*</li>
<li>IndicatorID*</li>
<li>Confidence?</li>
<li>Description*</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.6"/></td>
</tr>
<tr>
<td>ThreatActor</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>ThreatActorID*</li>
<li>URL*</li>
<li>Description*</li>
<li>AdditionalData*</li>
</ul></td>
<!-- If the month and year are both specified and are the current ones, xml2r <td><xref target="RFC7970" sectionFormat="bare" section="3.7"/></td>
fc will fill </tr>
in the current day for you. If only the current year is specified, xml2r <tr>
fc will fill <td>Campaign</td>
in the current day and month for you. If the year is not the current one <td><ul bare="true" empty="true" spacing="compact">
, it is <li>restriction?</li>
necessary to specify at least a month (xml2rfc assumes day="1" if not sp <li>ext-restriction?</li>
ecified for the <li>CampaignID*</li>
purpose of calculating the expiry date). With drafts it is normally suf <li>URL*</li>
ficient to <li>Description*</li>
specify just the year. --> <li>AdditionalData*</li>
</ul></td>
<!-- Meta-data Declarations --> <td><xref target="RFC7970" sectionFormat="bare" section="3.8"/></td>
</tr>
<tr>
<td>Contact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>role</li>
<li>ext-role?</li>
<li>type</li>
<li>ext-type?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>ContactName*</li>
<li>ContactTitle*</li>
<li>Description*</li>
<li>RegistryHandle*</li>
<li>PostalAddress*</li>
<li>Email*</li>
<li>Telephone*</li>
<li>Timezone?</li>
<li>Contact*</li>
<li>AdditionalData*</li>
</ul></td>
<area>Security</area> <td><xref target="RFC7970" sectionFormat="bare" section="3.9"/></td>
</tr>
<tr>
<td>RegistryHandle</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>handle</li>
<li>registry</li>
<li>ext-registry?</li>
</ul></td>
<workgroup>MILE</workgroup> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.1"/></td>
</tr>
<tr>
<td>PostalAddress</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>PAddress</li>
<li>Description*</li>
</ul></td>
<!-- WG name at the upperleft corner of the doc, <td><xref target="RFC7970" sectionFormat="bare" section="3.9.2"/></td>
IETF is fine for individual submissions. </tr>
If this element is not present, the default is "Network Working Group",
which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>CBOR, JSON, IODEF</keyword> <tr>
<td>Email</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>EmailTo</li>
<li>Description*</li>
</ul></td>
<!-- Keywords will be incorporated into HTML output <td><xref target="RFC7970" sectionFormat="bare" section="3.9.3"/></td>
files in a meta tag but they have no effect on text or nroff </tr>
output. If you submit your draft to the RFC Editor, the <tr>
keywords will be used for the search engine. --> <td>Telephone</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>TelephoneNumber</li>
<li>Description*</li>
</ul></td>
<abstract> <td><xref target="RFC7970" sectionFormat="bare" section="3.9.4"/></td>
<t>The Incident Object Description Exchange Format defined in RFC 7970 provid </tr>
es an information model and a corresponding XML data model for exchanging incide <tr>
nt and indicator information. This draft gives implementers and operators an alt <td>Discovery</td>
ernative format to exchange the same information by defining an alternative data <td><ul bare="true" empty="true" spacing="compact">
model implementation in JSON and its encoding in CBOR.</t> <li>source?</li>
</abstract> <li>ext-source?</li>
</front> <li>restriction?</li>
<li>ext-restriction?</li>
<li>Description*</li>
<li>Contact*</li>
<li>DetectionPattern*</li>
</ul></td>
<middle> <td><xref target="RFC7970" sectionFormat="bare" section="3.10"/></td>
<section title="Introduction"> </tr>
<t><xref target="RFC7970">The Incident Object Description Exchange Format (
IODEF)</xref> defines a data representation for security incident reports and in
dicators commonly exchanged by operational security teams. It facilitates the a
utomated exchange of this information to enable mitigation and watch-and-warning
. Section 3 of <xref target="RFC7970" /> defined an information model using Unif
ied Modeling Language (UML) and a corresponding Extensible Markup Language (XML)
schema data model in Section 8. This UML-based information model and XML-based
data model are referred to as IODEF UML and IODEF XML, respectively in this doc
ument.</t>
<t>IODEF documents are structured and thus suitable for machine processing. They <tr>
will streamline incident response operations. <td>DetectionPattern</td>
Another well-used and structured format that is suitable for machine processing <td><ul bare="true" empty="true" spacing="compact">
is <xref target="RFC8259">JavaScript Object Notation (JSON)</xref>. <li>restriction?</li>
To facilitate the automation of incident response operations, IODEF documents an <li>ext-restriction?</li>
d implementations should support JSON representation and it encoding in <xref ta <li>observable-id?</li>
rget="RFC7049">Concise Binary Object Representation (CBOR)</xref>.</t> <li>Application</li>
<li>Description*</li>
<li>DetectionConfiguration*</li>
</ul></td>
<t>This document defines an alternate implementation of the IODEF UML informatio <td><xref target="RFC7970" sectionFormat="bare" section="3.10.1"/></td>
n model by specifying a JavaScript Object Notation (JSON) data model using <xref </tr>
target="RFC8610">Concise Data Definition Language (CDDL)</xref> and JSON Schema <tr>
<xref target="I-D.handrews-json-schema-validation"/>. This JSON data model is <td>Method</td>
referred to as IODEF JSON in this document. IODEF JSON provides all of the expre <td><ul bare="true" empty="true" spacing="compact">
ssivity of IODEF XML. It gives implementers and operators an alternative format <li>restriction?</li>
to exchange the same information.</t> <li>ext-restriction?</li>
<li>Reference*</li>
<li>Description*</li>
<li>AttackPattern*</li>
<li>Vulnerability*</li>
<li>Weakness*</li>
<li>AdditionalData*</li>
</ul></td>
<t>The normative IODEF JSON data model is found in <xref target="cddlSection" /> <td><xref target="RFC7970" sectionFormat="bare" section="3.11"/></td>
. <xref target="dt" /> and <xref target="dm" /> describe the data types and ele </tr>
ments of this data model. <xref target="examples" /> provides examples. </t>
<section title="Requirements Language"> <tr>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", <td>Weakness</td>
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and <td><ul bare="true" empty="true" spacing="compact">
"OPTIONAL" in this document are to be interpreted as described in BCP <li>restriction?</li>
14 <xref target="RFC2119"/><xref target="RFC8174"/> when, and only <li>ext-restriction?</li>
when, they appear in all capitals, as shown here.</t> </ul></td>
</section> <td><xref target="RFC7203" sectionFormat="bare" section="4.5.5"/> in <xref
</section> target="RFC7203"/></td>
<section title="IODEF Data Types" anchor="dt"> </tr>
<tr>
<td>Reference</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>ReferenceName?</li>
<li>URL*</li>
<li>Description*</li>
</ul></td>
<t>IODEF JSON implements the abstract data types specified in Section 2 of <xref <td><xref target="RFC7970" sectionFormat="bare" section="3.11.1"/></td>
target="RFC7970" />.</t> </tr>
<tr>
<td>Assessment</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>occurrence?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>IncidentCategory*</li>
<li>SystemImpact*</li>
<li>BusinessImpact*</li>
<li>TimeImpact*</li>
<li>MonetaryImpact*</li>
<li>IntendedImpact*</li>
<li>Counter*</li>
<li>MitigatingFactor*</li>
<li>Cause*</li>
<li>Confidence?</li>
<li>AdditionalData*</li>
</ul></td>
<section title="Abstract Data Type to JSON Data Type Mapping"> <td><xref target="RFC7970" sectionFormat="bare" section="3.12"/></td>
</tr>
<tr>
<td>SystemImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>severity?</li>
<li>completion?</li>
<li>type</li>
<li>ext-type?</li>
<li>Description*</li>
</ul></td>
<t>IODEF JSON uses native and derived JSON data types. <xref target="dtmap" /> d <td><xref target="RFC7970" sectionFormat="bare" section="3.12.1"/></td>
escribes the mapping between the abstract data types in Section 2 of <xref targe </tr>
t="RFC7970" /> and their corresponding implementations in IODEF JSON.</t> <tr>
<td>BusinessImpact</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>severity?</li>
<li>ext-severity?</li>
<li>type</li>
<li>ext-type?</li>
<li>Description*</li>
</ul></td>
<figure align="center" anchor="dtmap" title="JSON Data Types"><artwork align="le <td><xref target="RFC7970" sectionFormat="bare" section="3.12.2"/></td>
ft"><![CDATA[ </tr>
+-----------------+-------------------+-------------------------------+ <tr>
| IODEF Data Type | [RFC7970] | JSON Data Type | <td>TimeImpact</td>
| | Reference | | <td><ul bare="true" empty="true" spacing="compact">
+-----------------+-------------------+-------------------------------+ <li>value</li>
| INTEGER | Section 2.1 | integer, see Section 2.2.1 | <li>severity?</li>
| REAL | Section 2.2 | "number" per [RFC8259] | <li>metric</li>
| CHARACTER | Section 2.3 | "string" per [RFC8259] | <li>ext-metric?</li>
| STRING | Section 2.3 | "string" per [RFC8259] | <li>duration?</li>
| ML_STRING | Section 2.4 | see Section 2.2.2 | <li>ext-duration?</li>
| BYTE | Section 2.5.1 | "string" per [RFC8259] | </ul></td>
| BYTE[] | Section 2.5.1 | "string" per [RFC8259] |
| HEXBIN | Section 2.5.2 | "string" per [RFC8259] |
| HEXBIN[] | Section 2.5.2 | "string" per [RFC8259] |
| ENUM | Section 2.6 | see Section 2.2.3 |
| DATETIME | Section 2.7 | "string" per [RFC8259] |
| TIMEZONE | Section 2.8 | "string" per [RFC8259] |
| PORTLIST | Section 2.9 | "string" per [RFC8259] |
| POSTAL | Section 2.10 | ML_STRING, Section 2.2.2 |
| PHONE | Section 2.11 | "string" per [RFC8259] |
| EMAIL | Section 2.12 | "string" per [RFC8259] |
| URL | Section 2.13 | "string" per [RFC8259] |
| ID | Section 2.14 | "string" per [RFC8259] |
| IDREF | Section 2.14 | "string" per [RFC8259] |
| SOFTWARE | Section 2.15 | see Section 2.2.4 |
| STRUCTUREDINFO | [RFC 7203] | see Section 2.2.5 |
| EXTENSION | Section 2.16 | see Section 2.2.6 |
+-----------------+-------------------+-------------------------------+
]]></artwork></figure>
<figure align="center" anchor="dtmap_cbor" title="CBOR Data Types"><artwork alig <td><xref target="RFC7970" sectionFormat="bare" section="3.12.3"/></td>
n="left"><![CDATA[ </tr>
+-----------------+------------------+---------------------------------+ <tr>
| IODEF Data Type | CBOR Data Type | CDDL prelude | <td>MonetaryImpact</td>
| | | [RFC8610] | <td><ul bare="true" empty="true" spacing="compact">
+-----------------+------------------+---------------------------------+ <li>value</li>
| INTEGER | 0, 1, 6 tag 2, | integer | <li>severity?</li>
| | 6 tag 3 | | <li>currency?</li>
| REAL | 7 bits 26 | float32 | </ul></td>
| CHARACTER | 3 | text |
| STRING | 3 | text |
| ML_STRING | 5 | Maps/Structs (Section 3.5.1) |
| BYTE | 6 tag 22 | eb64legacy |
| BYTE[] | 6 tag 22 | eb64legacy |
| HEXBIN | 6 tag 23 | eb16 |
| HEXBIN[] | 6 tag 23 | eb16 |
| ENUM | - | Choices (Section 2.2.2) |
| DATETIME | 6 tag 0 | tdate |
| TIMEZONE | 3 | text |
| PORTLIST | 3 | text |
| POSTAL | 3 | ML_STRING (Section 2.2.1) |
| PHONE | 3 | text |
| EMAIL | 3 | text |
| URL | 6 tag 32 | uri |
| ID | 3 | text |
| IDREF | 3 | text |
| SOFTWARE | 5 | Maps/Structs (Section 3.5.1) |
| STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1) |
| EXTENSION | 5 | Maps/Structs (Section 3.5.1) |
+-----------------+------------------+---------------------------------+
]]></artwork></figure>
</section> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.4"/></td>
</tr>
<tr>
<td>Confidence</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>rating</li>
<li>ext-rating?</li>
</ul></td>
<section title="Complex JSON Types"> <td><xref target="RFC7970" sectionFormat="bare" section="3.12.5"/></td>
</tr>
<tr>
<td>History</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>HistoryItem+</li>
</ul></td>
<section title="Integer"> <td><xref target="RFC7970" sectionFormat="bare" section="3.13"/></td>
<t>An integer is a subset of "number" type of JSON, which represents signed digi </tr>
ts encoded in Base 10. The definition of this integer is "[ minus ] int" in <xre <tr>
f target="RFC8259"/> Section 6 manner.</t> <td>HistoryItem</td>
</section> <td><ul bare="true" empty="true" spacing="compact">
<li>action</li>
<li>ext-action?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>DateTime</li>
<li>IncidentID?</li>
<li>Contact?</li>
<li>Description*</li>
<li>DefinedCOA*</li>
<li>AdditionalData*</li>
</ul></td>
<section title="Multilingual Strings"> <td><xref target="RFC7970" sectionFormat="bare" section="3.13.1"/></td>
</tr>
<tr>
<td>EventData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Description*</li>
<li>DetectTime?</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>RecoveryTime?</li>
<li>ReportTime?</li>
<li>Contact*</li>
<li>Discovery*</li>
<li>Assessment?</li>
<li>Method*</li>
<li>System*</li>
<li>Expectation*</li>
<li>RecordData*</li>
<li>EventData*</li>
<li>AdditionalData*</li>
</ul></td>
<t>A string that needs to be represented in a human-readable language different <td><xref target="RFC7970" sectionFormat="bare" section="3.14"/></td>
from the default encoding of the document is represented in the information mode </tr>
l by the ML_STRING data type. This data type is implemented as either an object <tr>
with "value", "lang", and "translation-id" elements or a text string as defined <td>Expectation</td>
in <xref target="cddlSection"/>. An example is shown below.</t> <td><ul bare="true" empty="true" spacing="compact">
<li>action?</li>
<li>ext-action?</li>
<li>severity?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Description*</li>
<li>DefinedCOA*</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>Contact?</li>
</ul></td>
<figure align="center"><artwork align="left"><![CDATA[ <td><xref target="RFC7970" sectionFormat="bare" section="3.15"/></td>
"MLStringType": { </tr>
"value": "free-form text", # STRING <tr>
"lang": "en", # ENUM <td>System</td>
"translation-id": "jp2en0023" # STRING <td><ul bare="true" empty="true" spacing="compact">
} <li>category?</li>
]]></artwork></figure> <li>ext-category?</li>
<li>interface?</li>
<li>spoofed?</li>
<li>virtual?</li>
<li>ownership?</li>
<li>ext-ownership?</li>
<li>restriction?</li>
<li>ext-restriction?</li>
<li>Node</li>
<li>NodeRole*</li>
<li>Service*</li>
<li>OperatingSystem*</li>
<li>Counter*</li>
<li>AssetID*</li>
<li>Description*</li>
<li>AdditionalData*</li>
</ul></td>
<t>Note that in figures throughout this document, some supplementary information <td><xref target="RFC7970" sectionFormat="bare" section="3.17"/></td>
follows "#", but these are not valid syntax in JSON, but are intended to facili </tr>
tate reader understanding.</t> <tr>
<td>Node</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>DomainData*</li>
<li>Address*</li>
<li>PostalAddress?</li>
<li>Location*</li>
<li>Counter*</li>
</ul></td>
</section> <td><xref target="RFC7970" sectionFormat="bare" section="3.18"/></td>
</tr>
<tr>
<td>Address</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>value</li>
<li>category</li>
<li>ext-category?</li>
<li>vlan-name?</li>
<li>vlan-num?</li>
<li>observable-id?</li>
</ul></td>
<section title="Enum"> <td><xref target="RFC7970" sectionFormat="bare" section="3.18.1"/></td>
<t>Enum is an ordered list of acceptable string values. Each value has a represe </tr>
ntative keyword. Within the data model, the enumerated type keywords are used a <tr>
s attribute values.</t> <td>NodeRole</td>
</section> <td><ul bare="true" empty="true" spacing="compact">
<li>category</li>
<li>ext-category?</li>
<li>Description*</li>
</ul></td>
<section title="Software and Software Reference"> <td><xref target="RFC7970" sectionFormat="bare" section="3.18.2"/></td>
<t>A particular version of software is represented in the information model by t </tr>
he SOFTWARE data type. This software can be described by using a reference, <xre <tr>
f target="RFC3986">a Uniform Resource Locator (URL)</xref>, or with free-form te <td>Counter</td>
xt. The SOFTWARE data type is implemented as an object with "SoftwareReference", <td><ul bare="true" empty="true" spacing="compact">
"URL", and "Description" elements as defined in <xref target="cddlSection"/>. E <li>value</li>
xamples are shown below.</t> <li>type</li>
<li>ext-type?</li>
<li>unit</li>
<li>ext-unit?</li>
<li>meaning?</li>
<li>duration?</li>
<li>ext-duration?</li>
</ul></td>
<figure align="center"><artwork align="left"><![CDATA[ <td><xref target="RFC7970" sectionFormat="bare" section="3.18.3"/></td>
"SoftwareType": { </tr>
"SoftwareReference": {...}, # SoftwareReference <tr>
"Description": ["MS Windows"] # STRING <td>DomainData</td>
} <td><ul bare="true" empty="true" spacing="compact">
]]></artwork></figure> <li>system-status</li>
<li>ext-system-status?</li>
<li>domain-status</li>
<li>ext-domain-status?</li>
<li>observable-id?</li>
<li>Name</li>
<li>DateDomainWasChecked?</li>
<li>RegistrationDate?</li>
<li>ExpirationDate?</li>
<li>RelatedDNS*</li>
<li>Nameservers*</li>
<li>DomainContacts?</li>
</ul></td>
<t>SoftwareReference class is a reference to a particular version of software. E <td><xref target="RFC7970" sectionFormat="bare" section="3.19"/></td>
xamples are shown below.</t> </tr>
<tr>
<td>Nameservers</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>Server</li>
<li>Address*</li>
</ul></td>
<figure align="center"><artwork align="left"><![CDATA[ <td><xref target="RFC7970" sectionFormat="bare" section="3.19.1"/></td>
"SoftwareReference": { </tr>
"value": "cpe:/a:google:chrome:59.0.3071.115", # STRING <tr>
"spec-name": "cpe", # ENUM <td>DomainContacts</td>
"dtype": "string" # ENUM <td><ul bare="true" empty="true" spacing="compact">
} <li>SameDomainContact?</li>
]]></artwork></figure> <li>Contact+</li>
</section> </ul></td>
<section title="Structured Information" anchor="StructuredInfo"> <td><xref target="RFC7970" sectionFormat="bare" section="3.19.2"/></td>
<t>Information provided in a form of structured string, such as ID, or structure </tr>
d information, such as XML documents, is represented in the information model by
the STRUCTUREDINFO data type. Note that this type was originally specified in S
ection 4.4 of <xref target="RFC7203" /> as a basic structure of its extension cl
asses. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "
ext-SpecID", "ContentID", "RawData", and "Reference" elements. An example for em
bedding a structured ID is shown below.</t>
<figure align="center"><artwork align="left"><![CDATA[ <tr>
"StructuredInfo": { <td>Service</td>
"SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM <td><ul bare="true" empty="true" spacing="compact">
"ContentID": "CWE-89" # STRING <li>ip-protocol?</li>
} <li>observable-id?</li>
]]></artwork></figure> <li>ServiceName?</li>
<li>Port?</li>
<li>Portlist?</li>
<li>ProtoCode?</li>
<li>ProtoType?</li>
<li>ProtoField?</li>
<li>ApplicationHeaderField*</li>
<li>EmailData?</li>
<li>Application?</li>
<t>When embedding the raw data, it should be encoded as a BYTE type object, as s hown below.</t> </ul></td>
<figure align="center"><artwork align="left"><![CDATA[ <td><xref target="RFC7970" sectionFormat="bare" section="3.20"/></td>
"StructuredInfo": { </tr>
"SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM <tr>
"RawData": "<<< encoded structured data >>>" # BYTE <td>ServiceName</td>
} <td><ul bare="true" empty="true" spacing="compact">
]]></artwork></figure> <li>IANAService?</li>
<li>URL*</li>
<li>Description*</li>
<t>When embedding the raw data, base64 encoding defined in Section 4 of <xref ta </ul></td>
rget="RFC4648"/> MUST be used for JSON IODEF while binary representation MUST be <td><xref target="RFC7970" sectionFormat="bare" section="3.20.1"/></td>
used for CBOR IODEF.</t> </tr>
<tr>
<td>EmailData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>EmailTo*</li>
<li>EmailFrom?</li>
<li>EmailSubject?</li>
<li>EmailX-Mailer?</li>
<li>EmailHeaderField*</li>
<li>EmailHeaders?</li>
<li>EmailBody?</li>
<li>EmailMessage?</li>
<li>HashData*</li>
<li>Signature*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.21"/></td>
</tr>
</section> <tr>
<td>RecordData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>DateTime?</li>
<li>Description*</li>
<li>Application?</li>
<li>RecordPattern*</li>
<li>RecordItem*</li>
<li>URL*</li>
<li>FileData*</li>
<li>WindowsRegistryKeysModified*</li>
<li>CertificateData*</li>
<li>AdditionalData*</li>
</ul></td>
<section title="EXTENSION"> <td><xref target="RFC7970" sectionFormat="bare" section="3.22.1"/></td>
<t>Information not otherwise represented in the IODEF can be added using the EXT </tr>
ENSION data type. This data type is a generic extension mechanism. The EXTENSIO
N data type is implemented as an ExtensionType object with "value", "name", "dty
pe", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "
observable-id" elements. An example for embedding a structured ID is shown below
.</t>
<figure align="center"><artwork align="left"><![CDATA[ <tr>
"ExtensionType": { <td>RecordPattern</td>
"value": "xxxxxxx", # STRING <td><ul bare="true" empty="true" spacing="compact">
"name": "Syslog", # STRING <li>type</li>
"dtype": "string", # ENUM <li>ext-type?</li>
"meaning": "Syslog from the security appliance X" # STRING <li>offset?</li>
} <li>offsetunit?</li>
]]></artwork></figure> <li>ext-offsetunit?</li>
<li>instance?</li>
<li>value</li>
</ul></td>
<t>Note that this data type is specified in <xref target="RFC7970" /> as its gen <td><xref target="RFC7970" sectionFormat="bare" section="3.22.2"/></td>
eric extension mechanism. If a data item has internal structure that is intended </tr>
to be processed outside of the IODEF framework, one may consider using Structur <tr>
edInfo data type mentioned in <xref target="StructuredInfo"/>.</t> <td>WindowsRegistryKeysModified</td>
</section> <td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>Key+</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.23"/></td>
</tr>
<tr>
<td>Key</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>registryaction?</li>
<li>ext-registryaction?</li>
<li>observable-id?</li>
<li>KeyName</li>
<li>KeyValue?</li>
</ul></td>
</section> <td><xref target="RFC7970" sectionFormat="bare" section="3.23.1"/></td>
</section> </tr>
<section title="IODEF JSON Data Model" anchor="dm"> <tr>
<td>CertificateData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>Certificate+</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.24"/></td>
</tr>
<section title="Classes and Elements"> <tr>
<td>Certificate</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>observable-id?</li>
<li>X509Data</li>
<li>Description*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.24.1"/></td>
</tr>
<tr>
<td>FileData</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>observable-id?</li>
<li>File+</li>
<t> The following table shows the list of IODEF Classes, their elements, and the </ul></td>
corresponding section in <xref target="RFC7970" />. Note that the complete JSON <td><xref target="RFC7970" sectionFormat="bare" section="3.25"/></td>
schema is defined in <xref target="cddlSection"/> using CDDL.</t> </tr>
<tr>
<td>File</td>
<figure align="center" anchor="iodef_classes" title="IODEF Classes"><artwork ali <td><ul bare="true" empty="true" spacing="compact">
gn="left"><![CDATA[ <li>observable-id?</li>
+-----------------------------+--------------------+---------------+ <li>FileName?</li>
| IODEF Class | Class | Corresponding | <li>FileSize?</li>
| | Elements and | Section | <li>FileType?</li>
| | Attribute | in [RFC7970] | <li>URL*</li>
+-----------------------------+--------------------+---------------+ <li>HashData?</li>
| IODEF-Document | version | 3.1 | <li>Signature*</li>
| | lang? | | <li>AssociatedSoftware?</li>
| | format-id? | | <li>FileProperties*</li>
| | private-enum-name? | | </ul></td>
| | private-enum-id? | | <td><xref target="RFC7970" sectionFormat="bare" section="3.25.1"/></td>
| | Incident+ | | </tr>
| | AdditionalData* | | <tr>
+-----------------------------+--------------------+---------------+ <td>HashData</td>
| Incident | purpose | 3.2 |
| | ext-purpose? | |
| | status? | |
| | ext-status? | |
| | lang? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | IncidentID | |
| | AlternativeID? | |
| | RelatedActivity* | |
| | DetectTime? | |
| | StartTime? | |
| | EndTime? | |
| | RecoveryTime? | |
| | ReportTime? | |
| | GenerationTime | |
| | Description* | |
| | Discovery* | |
| | Assessment* | |
| | Method* | |
| | Contact+ | |
| | EventData* | |
| | Indicator* | |
| | History? | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| IncidentID | id | 3.4 |
| | name | |
| | instance? | |
| | restriction? | |
| | ext-restriction? | |
+-----------------------------+--------------------+---------------+
| AlternativeID | restriction? | 3.5 |
| | ext-restriction? | |
| | IncidentID+ | |
+-----------------------------+--------------------+---------------+
| RelatedActivity | restriction? | 3.6 |
| | ext-restriction? | |
| | IncidentID* | |
| | URL* | |
| | ThreatActor* | |
| | Campaign* | |
| | IndicatorID* | |
| | Confidence? | |
| | Description* | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| ThreatActor | restriction? | 3.7 |
| | ext-restriction? | |
| | ThreatActorID* | |
| | URL* | |
| | Description* | |
| | AdditionalData* | |
+-----------------------------+--------------------+---------------+
| Campaign | restriction? | |
| | ext-restriction? | |
| | CampaignID* | |
| | URL* | |
| | Description* | |
| | AdditionalData* | 3.8 |
+-----------------------------+--------------------+---------------+
| Contact | role | |
| | ext-role? | |
| | type | |
| | ext-type? | |
| | restriction? | |
| | ext-restriction? | |
| | ContactName*, | |
| | ContactTitle* | |
| | Description* | |
| | RegistryHandle* | |
| | PostalAddress* | |
| | Email* | |
| | Telephone* | |
| | Timezone? | |
| | Contact* | |
| | AdditionalData* | 3.9 |
+-----------------------------+--------------------+---------------+
| RegistryHandle | handle | |
| | registry | |
| | ext-registry? | 3.9.1 |
+-----------------------------+--------------------+---------------+
| PostalAddress | type? | |
| | ext-type? | |
| | PAddress | |
| | Description* | 3.9.2 |
+-----------------------------+--------------------+---------------+
| Email | type? | |
| | ext-type? | |
| | EmailTo | |
| | Description* | 3.9.3 |
+-----------------------------+--------------------+---------------+
| Telephone | type? | |
| | ext-type? | |
| | TelephoneNumber | |
| | Description* | 3.9.4 |
+-----------------------------+--------------------+---------------+
| Discovery | source? | |
| | ext-source? | |
| | restriction? | |
| | ext-restriction? | |
| | Description* | |
| | Contact* | |
| | DetectionPattern* | 3.10 |
+-----------------------------+--------------------+---------------+
| DetectionPattern | restriction? | 3.10.1 |
| | ext-restriction? | |
| | observable-id? | |
| | Application | |
| | Description* | |
| | DetectionConfiguration* | |
+-----------------------------+--------------------+---------------+
| Method | restriction? | |
| | ext-restriction? | |
| | Reference* | |
| | Description* | |
| | AttackPattern* | |
| | Vulnerability* | |
| | Weakness* | |
| | AdditionalData* | 3.11 |
+-----------------------------+--------------------+---------------+
| Weakness (TBD) | restriction? | |
| | ext-restriction? | |
+-----------------------------+--------------------+---------------+
| Reference | observable-id? | |
| | ReferenceName? | |
| | URL* | |
| | Description* | 3.11.1 |
+-----------------------------+--------------------+---------------+
| Assessment | occurence? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | IncidentCategory* | |
| | SystemImpact* | |
| | BusinessImpact* | |
| | TimeImpact* | |
| | MonetaryImpact* | |
| | IntendedImpact* | |
| | Counter* | |
| | MitigatingFactor* | |
| | Cause* | |
| | Confidence? | |
| | AdditionalData* | 3.12 |
+-----------------------------+--------------------+---------------+
| SystemImpact | severity? | |
| | completion? | |
| | type | |
| | ext-type? | |
| | Description* | 3.12.1 |
+-----------------------------+--------------------+---------------+
| BusinessImpact | severity? | |
| | ext-severity? | |
| | type | |
| | ext-type? | |
| | Description* | 3.12.2 |
+-----------------------------+--------------------+---------------+
| TimeImpact | value | |
| | severity? | |
| | metric | |
| | ext-metric? | |
| | duration? | |
| | ext-duration? | 3.12.3 |
+-----------------------------+--------------------+---------------+
| MonetaryImpact | value | |
| | severity? | |
| | currency? | 3.12.4 |
+-----------------------------+--------------------+---------------+
| Confidence | value | |
| | rating | |
| | ext-rating? | 3.12.5 |
+-----------------------------+--------------------+---------------+
| History | restriction? | |
| | ext-restriction? | |
| | HistoryItem+ | 3.13 |
+-----------------------------+--------------------+---------------+
| HistoryItem | action | |
| | ext-action? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | DateTime | |
| | IncidentID? | |
| | Contact? | |
| | Description* | |
| | DefinedCOA* | |
| | AdditionalData* | 3.13.1 |
+-----------------------------+--------------------+---------------+
| EventData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | Description* | |
| | DetectTime? | |
| | StartTime? | |
| | EndTime? | |
| | RecoveryTime? | |
| | ReportTime? | |
| | Contact* | |
| | Discovery* | |
| | Assessment? | |
| | Method* | |
| | System* | |
| | Expectation* | |
| | RecordData* | |
| | EventData* | |
| | AdditionalData* | 3.14 |
+-----------------------------+--------------------+---------------+
| Expectation | action? | |
| | ext-action? | |
| | severity? | |
| | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | Description* | |
| | DefinedCOA* | |
| | StartTime? | |
| | EndTime? | |
| | Contact? | 3.15 |
+-----------------------------+--------------------+---------------+
| System | category? | |
| | ext-category? | |
| | interface? | |
| | spoofed? | |
| | virtual? | |
| | ownership? | |
| | ext-ownership? | |
| | restriction? | |
| | ext-restriction? | |
| | Node | |
| | NodeRole* | |
| | Service* | |
| | OperatingSystem* | |
| | Counter* | |
| | AssetID* | |
| | Description* | |
| | AdditionalData* | 3.17 |
+-----------------------------+--------------------+---------------+
| Node | DomainData* | |
| | Address* | |
| | PostalAddress? | |
| | Location* | |
| | Counter* | 3.18 |
+-----------------------------+--------------------+---------------+
| Address | value | |
| | category | |
| | ext-category? | |
| | vlan-name? | |
| | vlan-num? | |
| | observable-id? | 3.18.1 |
+-----------------------------+--------------------+---------------+
| NodeRole | category | |
| | ext-category? | |
| | Description* | 3.18.2 |
+-----------------------------+--------------------+---------------+
| Counter | value | |
| | type | |
| | ext-type? | |
| | unit | |
| | ext-unit? | |
| | meaning? | |
| | duration? | |
| | ext-duration? | 3.18.3 |
+-----------------------------+--------------------+---------------+
| DomainData | system-status | |
| | ext-system-status? | |
| | domain-status | |
| | ext-domain-status? | |
| | observable-id? | |
| | Name | |
| | DateDomainWasChecked?| |
| | RegistrationDate? | |
| | ExpirationDate? | |
| | RelatedDNS* | |
| | Nameservers* | |
| | DomainContacts? | 3.19 |
+-----------------------------+--------------------+---------------+
| Nameserver | Server | |
| | Address* | 3.19.1 |
+-----------------------------+--------------------+---------------+
| DomainContacts | SameDomainContact? | |
| | Contact+ | 3.19.2 |
+-----------------------------+--------------------+---------------+
| Service | ip-protocol? | |
| | observable-id? | |
| | ServiceName? | |
| | Port? | |
| | Portlist? | |
| | ProtoCode? | |
| | ProtoType? | |
| | ProtoField? | |
| | ApplicationHeaderField*| |
| | EmailData? | |
| | Application? | 3.20 |
+-----------------------------+--------------------+---------------+
| ServiceName | IANAService? | |
| | URL* | |
| | Description* | 3.20.1 |
+-----------------------------+--------------------+---------------+
| EmailData | observable-id? | |
| | EmailTo* | |
| | EmailFrom? | |
| | EmailSubject? | |
| | EmailX-Mailer? | |
| | EmailHeaderField* | |
| | EmailHeaders? | |
| | EmailBody? | |
| | EmailMessage? | |
| | HashData* | |
| | Signature* | 3.21 |
+-----------------------------+--------------------+---------------+
| RecordData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | DateTime? | |
| | Description* | |
| | Application? | |
| | RecordPattern* | |
| | RecordItem* | |
| | URL* | |
| | FileData* | |
| | WindowsRegistryKeysModified*| |
| | CertificateData* | |
| | AdditionalData* | 3.22.1 |
+-----------------------------+--------------------+---------------+
| RecordPattern | type | |
| | ext-type? | |
| | offset? | |
| | offsetunit? | |
| | ext-offsetunit? | |
| | instance? | |
| | value | 3.22.2 |
+-----------------------------+--------------------+---------------+
| WindowsRegistryKeysModified | observable-id? | 3.23 |
| | Key+ | |
+-----------------------------+--------------------+---------------+
| Key | registryaction? | |
| | ext-registryaction?| |
| | observable-id? | |
| | KeyName | |
| | KeyValue? | 3.23.1 |
+-----------------------------+--------------------+---------------+
| CertificateData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | Certificate+ | 3.24 |
+-----------------------------+--------------------+---------------+
| Certificate | observable-id? | |
| | X509Data | |
| | Description* | 3.24.1 |
+-----------------------------+--------------------+---------------+
| FileData | restriction? | |
| | ext-restriction? | |
| | observable-id? | |
| | File+ | 3.25 |
+-----------------------------+--------------------+---------------+
| File | observable-id? | |
| | FileName? | |
| | FileSize? | |
| | FileType? | |
| | URL* | |
| | HashData? | |
| | Signature* | |
| | AssociatedSoftware?| |
| | FileProperties* | 3.25.1 |
+-----------------------------+--------------------+---------------+
| HashData | scope | |
| | HashTargetID? | |
| | Hash* | |
| | FuzzyHash* | 3.26 |
+-----------------------------+--------------------+---------------+
| Hash | DigestMethod | |
| | DigestValue | |
| | CanonicalizationMethod?| |
| | Application? | 3.26.1 |
+-----------------------------+--------------------+---------------+
| FuzzyHash | FuzzyHashValue+ | |
| | Application? | |
| | AdditionalData* | 3.26.2 |
+-----------------------------+--------------------+---------------+
| Indicator | restriction? | |
| | ext-restriction? | |
| | IndicatorID | |
| | AlternativeIndicatorID*| |
| | Description* | |
| | StartTime? | |
| | EndTime? | |
| | Confidence? | |
| | Contact* | |
| | Observable? | |
| | uid-ref? | |
| | IndicatorExpression?| |
| | IndicatorReference?| |
| | NodeRole* | |
| | AttackPhase* | |
| | Reference* | |
| | AdditionalData* | 3.29 |
+-----------------------------+--------------------+---------------+
| IndicatorID | id | |
| | name | |
| | version | 3.29.1 |
+-----------------------------+--------------------+---------------+
| AlternativeIndicatorID | restriction? | |
| | ext-restriction? | |
| | IndicatorID+ | 3.29.2 |
+-----------------------------+--------------------+---------------+
| Observable | restriction? | |
| | ext-restriction? | |
| | System? | |
| | Address? | |
| | DomainData? | |
| | Service? | |
| | EmailData? | |
| | WindowsRegistryKeysModified?| |
| | FileData? | |
| | CertificateData? | |
| | RegistryHandle? | |
| | RecordData? | |
| | EventData? | |
| | Incident? | |
| | Expectation? | |
| | Reference? | |
| | Assessment? | |
| | DetectionPattern? | |
| | HistoryItem? | |
| | BulkObservable? | |
| | AdditionalData* | 3.29.3 |
+-----------------------------+--------------------+---------------+
| BulkObservable | type? | |
| | ext-type? | |
| | BulkObservableFormat?| |
| | BulkObservableList | |
| | AdditionalData* | 3.29.4 |
+-----------------------------+--------------------+---------------+
| BulkObservableFormat | Hash? | |
| | AdditionalData* | 3.29.5 |
+-----------------------------+--------------------+---------------+
| IndicatorExpression | operator? | |
| | ext-operator? | |
| | IndicatorExpression*| |
| | Observable* | |
| | uid-ref* | |
| | IndicatorReference*| |
| | Confidence? | |
| | AdditionalData* | 3.29.6 |
+-----------------------------+--------------------+---------------+
| IndicatorReference | uid-ref? | |
| | euid-ref? | |
| | version? | 3.29.7 |
+-----------------------------+--------------------+---------------+
| AttackPhase | AttackPhaseID* | |
| | URL* | |
| | Description* | |
| | AdditionalData* | 3.29.8 |
+-----------------------------+--------------------+---------------+
]]></artwork></figure>
</section> <td><ul bare="true" empty="true" spacing="compact">
<li>scope</li>
<li>HashTargetID?</li>
<li>Hash*</li>
<li>FuzzyHash*</li>
</ul></td>
<section title="Mapping between JSON and XML IODEF" anchor="mapping"> <td><xref target="RFC7970" sectionFormat="bare" section="3.26"/></td>
</tr>
<t> <tr>
<list style="symbols"> <td>Hash</td>
<t>Attributes and elements of each class in XML IODEF document are both presente <td><ul bare="true" empty="true" spacing="compact">
d as JSON attributes in JSON IODEF document, and the order of their appearances <li>DigestMethod</li>
is ignored.</t> <li>DigestValue</li>
<t>Flow class is deleted, and classes with its instances now directly have insta <li>CanonicalizationMethod?</li>
nces of EventData class that used to belong to the Flow class.</t> <li>Application?</li>
<t>ApplicationHeader class is deleted, and classes with its instances now direct </ul></td>
ly have instances of ApplicationHeaderField class that used to belong to the App <td><xref target="RFC7970" sectionFormat="bare" section="3.26.1"/></td>
licationHeader class.</t> </tr>
<t>SignatureData class is deleted, and classes with its instances now directly h
ave instance of Signature class that used to belong to the SignatureData class.<
/t>
<t>IndicatorData class is deleted, and classes with its instances now directly h
ave the instances of Indicator class that used to belong to the IndicatorData cl
ass.</t>
<t>ObservableReference class is deleted, and classes with its instances now dire
ctly have uid-ref as an element.</t>
<t>Record class is deleted, and classes with its instances now directly have the
instances of RecordData class that used to belong to the Record class.</t>
<t>The MLStringType were modified to support simple string by allowing the type
to have not only a predefined object type but also text type, in order to allow
simple descriptions of elements of the type. Implementations need to be capable
of parsing MLStringType that could take form of both text and object.</t>
<t>The elements of ML_STRING type in XML IODEF document are presented as either
STRING type or ML_STRING type in JSON IODEF document.
When converting from XML IODEF document to JSON one or vice versa, the informati
on contained in the original data of ML_STRING type must be preserved.
When STRING is used instead of ML_STRING, parsers can assume that its "xml:lang"
is set to "en".</t>
<t>Data models of the extension classes defined by <xref target="RFC7203" /> and
referenced by <xref target="RFC7970" /> are represented by StructuredInfo class
defined in this document.</t>
<t>Signature, X509Data, and RawData are encoded using base64 encoding for JSON I
ODEF and binary representation for CBOR IODEF to represent them as BYTE object.<
/t>
<t>EmailBody represents an whole message body including MIME structure in the sa
me manner defined in <xref target="RFC7970" />. In case of an email composed of
MIME multipart, the EmailBody contains multiple body parts separated by boundary
strings.</t>
<t>The "ipv6-net-mask" type attribute of BulkObservable class remains available
for the backward compatibility purpose, but the use of this attribute is not rec
ommended because IPV6 does not use netmask any more.</t>
<t>ENUM values in this document is extensible and is managed by IANA, as with <x
ref target="RFC7970" />. The values in the table are used both by <xref target="
RFC7970" /> implementations and by their JSON (and CBOR) bindings as specified b
y this document.</t>
<t>This document uses JSON's "number" type to represent integers that only has f
ull precision for integer values between -2**53 and 2**53. When dealing with int
egers outside the range, this issue needs to be considered.</t>
<t>Binaries are encoded in bytes. Note that XML IODEF in <xref target="RFC7970"
/> uses HEXBIN due to the incapability of XML for embedding binaries as they are
.</t>
</list>
</t>
</section> <tr>
</section> <td>FuzzyHash</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>FuzzyHashValue+</li>
<li>Application?</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.26.2"/></td>
</tr>
<section title="Examples" anchor="examples"> <tr>
<td>Indicator</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IndicatorID</li>
<li>AlternativeIndicatorID*</li>
<li>Description*</li>
<li>StartTime?</li>
<li>EndTime?</li>
<li>Confidence?</li>
<li>Contact*</li>
<li>Observable?</li>
<li>uid-ref?</li>
<li>IndicatorExpression?</li>
<li>IndicatorReference?</li>
<li>NodeRole*</li>
<li>AttackPhase*</li>
<li>Reference*</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29"/></td>
</tr>
<t> <tr>
<td>IndicatorID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>id</li>
<li>name</li>
<li>version</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.1"/></td>
</tr>
<tr>
<td>AlternativeIndicatorID</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>IndicatorID+</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.2"/></td>
</tr>
<tr>
<td>Observable</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>restriction?</li>
<li>ext-restriction?</li>
<li>System?</li>
<li>Address?</li>
<li>DomainData?</li>
<li>Service?</li>
<li>EmailData?</li>
<li>WindowsRegistryKeysModified?</li>
<li>FileData?</li>
<li>CertificateData?</li>
<li>RegistryHandle?</li>
<li>RecordData?</li>
<li>EventData?</li>
<li>Incident?</li>
<li>Expectation?</li>
<li>Reference?</li>
<li>Assessment?</li>
<li>DetectionPattern?</li>
<li>HistoryItem?</li>
<li>BulkObservable?</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.3"/></td>
</tr>
<tr>
<td>BulkObservable</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>type?</li>
<li>ext-type?</li>
<li>BulkObservableFormat?</li>
<li>BulkObservableList</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1"/></td>
</tr>
<tr>
<td>BulkObservableFormat</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>Hash?</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.3.1.1"/></td
>
</tr>
<tr>
<td>IndicatorExpression</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>operator?</li>
<li>ext-operator?</li>
<li>IndicatorExpression*</li>
<li>Observable*</li>
<li>uid-ref*</li>
<li>IndicatorReference*</li>
<li>Confidence?</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.4"/></td>
</tr>
<tr>
<td>IndicatorReference</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>uid-ref?</li>
<li>euid-ref?</li>
<li>version?</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.7"/></td>
</tr>
<tr>
<td>AttackPhase</td>
<td><ul bare="true" empty="true" spacing="compact">
<li>AttackPhaseID*</li>
<li>URL*</li>
<li>Description*</li>
<li>AdditionalData*</li>
</ul></td>
<td><xref target="RFC7970" sectionFormat="bare" section="3.29.8"/></td>
</tr>
</tbody>
</table>
</section>
<section anchor="mapping" numbered="true" toc="default">
<name>Mapping between JSON and XML IODEF</name>
<ul spacing="normal">
<li>Attributes and elements of each class in the XML IODEF document ar
e both presented as JSON attributes in the JSON IODEF document, and the order of
their appearances is ignored.</li>
<li>Flow class is deleted, and classes with its instances now directly
have instances of the EventData class that used to belong to the Flow class.</l
i>
<li>ApplicationHeader class is deleted, and classes with its instances
now directly have instances of the ApplicationHeaderField class that used to be
long to the ApplicationHeader class.</li>
<li>SignatureData class is deleted, and classes with its instances now
directly have instances of the Signature class that used to belong to the Signa
tureData class.</li>
<li>IndicatorData class is deleted, and classes with its instances now
directly have instances of the Indicator class that used to belong to the Indic
atorData class.</li>
<li>ObservableReference class is deleted, and classes with its instanc
es now directly have uid-ref as an element.</li>
<li>Record class is deleted, and classes with its instances now direct
ly have instances of the RecordData class that used to belong to the Record clas
s.</li>
<li>The MLStringType was modified to support simple string by allowing
the type to have not only a predefined object type but also a text type, in ord
er to allow simple descriptions of elements of the type. Implementations need to
be capable of parsing an MLStringType that could take the form of both text and
an object.</li>
<li>The elements of the ML_STRING type in the XML IODEF document are p
resented as either STRING type or ML_STRING type in the JSON IODEF document.
When converting from the XML IODEF document to the JSON IODEF document, or vice
versa, the information contained in the original data of the ML_STRING type must
be preserved.
When STRING is used instead of ML_STRING, parsers can assume that its "xml:lang"
is set to "en".</li>
<li>Data models of the extension classes defined by <xref target="RFC7
203" format="default"/> and referenced by <xref target="RFC7970" format="default
"/> are represented by the STRUCTUREDINFO class defined in this document.</li>
<li>Signature, X509Data, and RawData are encoded using base64 encoding
for JSON IODEF and binary representation for CBOR IODEF to represent them as BY
TE objects.</li>
<li>EmailBody represents a whole message body including MIME structure
in the same manner defined in <xref target="RFC7970" format="default"/>. In cas
e of an email composed of a MIME multipart, the EmailBody contains multiple body
parts separated by boundary strings.</li>
<li>The "ipv6-net-mask" type attribute of the BulkObservable class
remains available for the purpose of backward compatibility, but the us
e of this attribute is not recommended because IPv6 does not use netmask any mor
e.</li>
<li>ENUM values in this document are extensible and managed by IANA, w
hich is also the case in <xref target="RFC7970" format="default"/>. The values i
n the table are used both by <xref target="RFC7970" format="default"/> implement
ations and by their JSON (and CBOR) bindings as specified by this document.</li>
<li>This document uses JSON's "number" type to represent integers that
only have full precision for integer values between -2<sup>53</sup> and 2<sup>5
3</sup>. When dealing with integers outside the range, this issue needs to be co
nsidered.</li>
<li>Binaries are encoded in bytes. Note that XML IODEF in <xref target
="RFC7970" format="default"/> uses HEXBIN due to the incapability of XML for emb
edding binaries as they are.</li>
</ul>
</section>
</section>
<section anchor="examples" numbered="true" toc="default">
<name>Examples</name>
<t>
This section provides examples of IODEF documents. These examples do This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the only not represent the full capabilities of the data model or the only
way to encode particular information. way to encode particular information.
</t> </t>
<section numbered="true" toc="default">
<name>Minimal Example</name>
<t>A document containing only the mandatory elements and attributes is s
hown below in JSON and CBOR, respectively.</t>
<figure anchor="minimal_example_json">
<name>A Minimal Example in JSON</name>
<section title="Minimal Example"> <sourcecode type="json"><![CDATA[
<t>A document containing only the mandatory elements and attributes is shown bel
ow in JSON and CBOR, respectively.</t>
<figure align="center" anchor="minimal_example_json" title="A Minimal Example in
JSON">
<artwork align="left"><![CDATA[
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
"purpose": "reporting", "purpose": "reporting",
"restriction": "private", "restriction": "private",
"IncidentID": { "IncidentID": {
"id": "492382", "id": "492382",
"name": "csirt.example.com" "name": "csirt.example.com"
}, },
"GenerationTime": "2015-07-18T09:00:00-05:00", "GenerationTime": "2015-07-18T09:00:00-05:00",
"Contact": [{ "Contact": [{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"Email": [{"EmailTo": "contact@csirt.example.com"}] "Email": [{"EmailTo": "contact@csirt.example.com"}]
}] }]
}] }]
} }
]]></artwork> ]]></sourcecode>
</figure> </figure>
<figure anchor="minimal_example_cbor">
<figure align="center" anchor="minimal_example_cbor" title="A Minimal Example in <name>A Minimal Example in CBOR</name>
CBOR"> <sourcecode type="cbor"><![CDATA[
<artwork align="left"><![CDATA[ A3 # map(3)
A3 # map(3) 37 # negative(23)
37 # negative(23) 63 # text(3)
63 # text(3) 322E30 # "2.0"
322E30 # "2.0" 36 # negative(22)
36 # negative(22) 62 # text(2)
62 # text(2) 656E # "en"
656E # "en" 32 # negative(18)
32 # negative(18) 81 # array(1)
81 # array(1) A5 # map(5)
A5 # map(5) 21 # negative(1)
21 # negative(1) 69 # text(9)
69 # text(9) 7265706F7274696E67 # "reporting"
7265706F7274696E67 # "reporting" 29 # negative(9)
29 # negative(9) 67 # text(7)
67 # text(7) 70726976617465 # "private"
70726976617465 # "private" 02 # unsigned(2)
02 # unsigned(2) A2 # map(2)
A2 # map(2) 12 # unsigned(18)
12 # unsigned(18) 66 # text(6)
66 # text(6) 343932333832 # "492382"
343932333832 # "492382" 2E # negative(14)
2E # negative(14) 71 # text(17)
71 # text(17) 63736972742E6578616D706C652E636F6D
63736972742E6578616D706C652E636F6D # "csirt.example.com" # "csirt.example.com"
0A # unsigned(10) 0A # unsigned(10)
78 19 # text(25) 78 19 # text(25)
323031352D30372D31385430393A30303A30302D30353A3030 323031352D30372D31385430393A30303A30302D30353A3030
# "2015-07-18T09:00:00-05:00" # "2015-07-18T09:00:00
0E # unsigned(14) # -05:00"
81 # array(1) 0E # unsigned(14)
A3 # map(3) 81 # array(1)
18 1C # unsigned(28) A3 # map(3)
6C # text(12) 18 1C # unsigned(28)
6C # text(12)
6F7267616E697A6174696F6E # "organization" 6F7267616E697A6174696F6E # "organization"
18 1A # unsigned(26) 18 1A # unsigned(26)
67 # text(7) 67 # text(7)
63726561746F72 # "creator" 63726561746F72 # "creator"
18 22 # unsigned(34) 18 22 # unsigned(34)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 29 # unsigned(41) 18 29 # unsigned(41)
78 19 # text(25) 78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D 636F6E746163744063736972742E6578616D70
# "contact@csirt.example.com" 6C652E636F6D
]]></artwork> # "contact@csirt.example.com"
</figure> ]]></sourcecode>
</figure>
</section> </section>
<section numbered="true" toc="default">
<section title="Indicators from a Campaign"> <name>Indicators from a Campaign</name>
<t>An example of C2 domains from a given campaign is shown below in JSON
<t>An example of C2 domains from a given campaign is shown below in JSON and CBO and CBOR, respectively.</t>
R, respectively.</t> <figure anchor="campaign_example_json">
<name>Indicators from a Campaign in JSON</name>
<figure align="center" anchor="campaign_example_json" title="Indicators from a C <sourcecode type="json"><![CDATA[
ampaign in JSON">
<artwork align="left"><![CDATA[
{ {
"version": "2.0", "version": "2.0",
"lang": "en", "lang": "en",
"Incident": [{ "Incident": [{
"purpose": "watch", "purpose": "watch",
"restriction": "green", "restriction": "green",
"IncidentID": { "IncidentID": {
"id": "897923", "id": "897923",
"name": "csirt.example.com" "name": "csirt.example.com"
}, },
skipping to change at line 946 skipping to change at line 1394
"ThreatActor": [{ "ThreatActor": [{
"ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
"Description": ["Aggressive Butterfly"]}], "Description": ["Aggressive Butterfly"]}],
"Campaign": [{ "Campaign": [{
"CampaignID": ["C-2015-59405"], "CampaignID": ["C-2015-59405"],
"Description": ["Orange Giraffe"] "Description": ["Orange Giraffe"]
}] }]
}], }],
"GenerationTime": "2015-10-02T11:18:00-05:00", "GenerationTime": "2015-10-02T11:18:00-05:00",
"Description": ["Summarizes the Indicators of Compromise for the "Description": ["Summarizes the Indicators of Compromise for the
Orange Giraffe campaign of the Aggressive Butterfly crime gang."], Orange Giraffe campaign of the Aggressive Butterfly crime
gang."],
"Assessment": [{ "Assessment": [{
"Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
}], }],
"Contact": [{ "Contact": [{
"type": "organization", "type": "organization",
"role": "creator", "role": "creator",
"ContactName": ["CSIRT for example.com"], "ContactName": ["CSIRT for example.com"],
"Email": [{ "Email": [{
"EmailTo": "contact@csirt.example.com" "EmailTo": "contact@csirt.example.com"
}] }]
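Review bot: The new-side `Description` value in the campaign JSON example is folded across three physical lines (`…Aggressive Butterfly crime` / `gang."],`) inside `<sourcecode type="json">`, and a string literal containing raw line breaks is not valid JSON under RFC 8259, which this document references. A reader who copies the figure into a parser test or an IODEF ingestion fixture gets a parse error, or with a lenient parser a value that no longer matches the 111-byte text string shown in the CBOR figure. I would add a sentence ahead of the figure such as `<t>Long string values in the JSON examples are folded for display; the line breaks are not part of the value.</t>`. The figure opens above this hunk and continues past it, so whether such a note already exists elsewhere cannot be seen from here.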
skipping to change at line 973 skipping to change at line 1422
}, },
"Description": ["C2 domains"], "Description": ["C2 domains"],
"StartTime": "2014-12-02T11:18:00-05:00", "StartTime": "2014-12-02T11:18:00-05:00",
"Observable": { "Observable": {
"BulkObservable": { "BulkObservable": {
"type": "domain-name", "type": "domain-name",
"BulkObservableList": "kj290023j09r34.example.com"} "BulkObservableList": "kj290023j09r34.example.com"}
} }
}] }]
}] }]
}]]></artwork> }]]></sourcecode>
</figure> </figure>
<figure anchor="campaign_example_cbor">
<figure align="center" anchor="campaign_example_cbor" title="Indicators from a C <name>Indicators from a Campaign in CBOR</name>
ampaign in CBOR"> <sourcecode type="cbor"><![CDATA[
<artwork align="left"><![CDATA[
A3 # map(3) A3 # map(3)
37 # negative(23) 37 # negative(23)
63 # text(3) 63 # text(3)
322E30 # "2.0" 322E30 # "2.0"
36 # negative(22) 36 # negative(22)
62 # text(2) 62 # text(2)
656E # "en" 656E # "en"
32 # negative(18) 32 # negative(18)
81 # array(1) 81 # array(1)
A9 # map(9) A9 # map(9)
skipping to change at line 1012 skipping to change at line 1461
# "csirt.example.com" # "csirt.example.com"
04 # unsigned(4) 04 # unsigned(4)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
14 # unsigned(20) 14 # unsigned(20)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 18 # unsigned(24) 18 18 # unsigned(24)
81 # array(1) 81 # array(1)
78 1A # text(26) 78 1A # text(26)
54412D31322D414747524553534956452D425554544552464C59 54412D31322D414747524553534956452D4
# "TA-12-AGGRESSIVE-BUTTERFLY" 25554544552464C59
# "TA-12-AGGRESSIVE
# -BUTTERFLY"
24 # negative(4) 24 # negative(4)
81 # array(1) 81 # array(1)
74 # text(20) 74 # text(20)
4167677265737369766520427574746572666C79 41676772657373697665204275747465726
66C79
# "Aggressive Butterfly" # "Aggressive Butterfly"
15 # unsigned(21) 15 # unsigned(21)
81 # array(1) 81 # array(1)
A2 # map(2) A2 # map(2)
18 19 # unsigned(25) 18 19 # unsigned(25)
81 # array(1) 81 # array(1)
6C # text(12) 6C # text(12)
432D323031352D3539343035 432D323031352D3539343035
# "C-2015-59405" # "C-2015-59405"
24 # negative(4) 24 # negative(4)
81 # array(1) 81 # array(1)
6E # text(14) 6E # text(14)
4F72616E67652047697261666665 4F72616E67652047697261666665
# "Orange Giraffe" # "Orange Giraffe"
0A # unsigned(10) 0A # unsigned(10)
78 19 # text(25) 78 19 # text(25)
323031352D31302D30325431313A31383A30302D30353A3030 323031352D31302D30325431313A31383A30302D30353A3030
# "2015-10-02T11:18:00-05:00" # "2015-10-02T11:18:00-05:00"
24 # negative(4) 24 # negative(4)
81 # array(1) 81 # array(1)
78 6F # text(111) 78 6F # text(111)
53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D7 53756D6D6172697A65732074686520496E64696361746F7
0726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206 273206F6620436F6D70726F6D69736520666F7220746865
F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E 204F72616E676520476972616666652063616D706169676
# "Summarizes the Indicators of E206F662074686520416767726573736976652042757474
# Compromise for the Orange Giraffe 6572666C79206372696D652067616E672E
# campaign of the Aggressive # "Summarizes the Indicators
# of Compromise for the
# Orange Giraffe campaign
# of the Aggressive
# Butterfly crime gang." # Butterfly crime gang."
0C # unsigned(12) 0C # unsigned(12)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 3F # unsigned(63) 18 3F # unsigned(63)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 41 # unsigned(65) 18 41 # unsigned(65)
A1 # map(1) A1 # map(1)
18 1C # unsigned(28) 18 1C # unsigned(28)
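Review bot: The re-wrapped hex in the new column breaks inside a byte rather than between bytes: `54412D31322D414747524553534956452D4` / `25554544552464C59` splits the byte `42`, and the text(20) and text(111) strings below it are folded on an odd digit as well. The bytes are unchanged once the lines are joined, but the annotated dump is meant to be read byte by byte against the `# text(n)` comments, and an odd-digit fold leaves each line undecodable on its own. Folding on an even number of hex digits, as the `636F…6D70` / `6C652E636F6D` line for the contact address already does, keeps every line a whole number of bytes. The figure starts before this hunk and continues after it.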
skipping to change at line 1076 skipping to change at line 1533
18 1E # unsigned(30) 18 1E # unsigned(30)
81 # array(1) 81 # array(1)
75 # text(21) 75 # text(21)
435349525420666F72206578616D706C652E636F6D 435349525420666F72206578616D706C652E636F6D
# "CSIRT for example.com" # "CSIRT for example.com"
18 22 # unsigned(34) 18 22 # unsigned(34)
81 # array(1) 81 # array(1)
A1 # map(1) A1 # map(1)
18 29 # unsigned(41) 18 29 # unsigned(41)
78 19 # text(25) 78 19 # text(25)
636F6E746163744063736972742E6578616D706C652E636F6D 636F6E746163744063736972742E6578616D70
# "contact@csirt.example.com" 6C652E636F6D
# "contact@csirt.example.com"
10 # unsigned(16) 10 # unsigned(16)
81 # array(1) 81 # array(1)
A4 # map(4) A4 # map(4)
16 # unsigned(22) 16 # unsigned(22)
A3 # map(3) A3 # map(3)
12 # unsigned(18) 12 # unsigned(18)
69 # text(9) 69 # text(9)
473930383233343930 # "G90823490" 473930383233343930 # "G90823490"
2E # negative(14) 2E # negative(14)
71 # text(17) 71 # text(17)
skipping to change at line 1100 skipping to change at line 1558
37 # negative(23) 37 # negative(23)
61 # text(1) 61 # text(1)
31 # "1" 31 # "1"
24 # negative(4) 24 # negative(4)
81 # array(1) 81 # array(1)
6A # text(10) 6A # text(10)
433220646F6D61696E73 # "C2 domains" 433220646F6D61696E73 # "C2 domains"
06 # unsigned(6) 06 # unsigned(6)
78 19 # text(25) 78 19 # text(25)
323031342D31322D30325431313A31383A30302D30353A3030 323031342D31322D30325431313A31383A30302D30353A3030
# "2014-12-02T11:18:00-05:00" # "2014-12-02T11:18:00-05:00"
18 AB # unsigned(171) 18 AB # unsigned(171)
A1 # map(1) A1 # map(1)
18 B0 # unsigned(176) 18 B0 # unsigned(176)
A2 # map(2) A2 # map(2)
18 1C # unsigned(28) 18 1C # unsigned(28)
6B # text(11) 6B # text(11)
646F6D61696E2D6E616D65 646F6D61696E2D6E616D65
# "domain-name" # "domain-name"
18 B2 # unsigned(178) 18 B2 # unsigned(178)
78 1A # text(26) 78 1A # text(26)
6B6A3239303032336A30397233342E6578616D706C652E636F6D 6B6A3239303032336A30397233342E6578616D
# "kj290023j09r34.example.com" 706C652E636F6D
]]></artwork> # "kj290023j09r34.example.com"
</figure> ]]></sourcecode>
</figure>
</section>
</section>
<section anchor="mapkeys" numbered="true" toc="default">
<name>Mapkeys</name>
<t>The mapkeys are provided in <xref target="fig_mapkeys" format="default"
/> for minimizing the CBOR size.</t>
</section> <table align="left" anchor="fig_mapkeys">
<name>Mapkeys</name>
<thead>
<tr>
<th>mapkey</th>
<th>cborkey</th>
</tr>
</thead>
<tbody>
<tr>
<td>iodef-version</td>
<td>-24</td>
</tr>
<tr>
<td>iodef-lang</td>
<td>-23</td>
</tr>
<tr>
<td>iodef-format-id</td>
<td>-22</td>
</tr>
<tr>
<td>iodef-private-enum-name</td>
<td>-21</td>
</tr>
<tr>
<td>iodef-private-enum-id</td>
<td>-20</td>
</tr>
<tr>
<td>iodef-Incident</td>
<td>-19</td>
</tr>
<tr>
<td>iodef-AdditionalData</td>
<td>-18</td>
</tr>
<tr>
<td>iodef-value</td>
<td>-17</td>
</tr>
<tr>
<td>iodef-translation-id</td>
<td>-16</td>
</tr>
<tr>
<td>iodef-name</td>
<td>-15</td>
</tr>
<tr>
<td>iodef-dtype</td>
<td>-14</td>
</tr>
<tr>
<td>iodef-ext-dtype</td>
<td>-13</td>
</tr>
<tr>
<td>iodef-meaning</td>
<td>-12</td>
</tr>
<tr>
<td>iodef-formatid</td>
<td>-11</td>
</tr>
<tr>
<td>iodef-restriction</td>
<td>-10</td>
</tr>
<tr>
<td>iodef-ext-restriction</td>
<td>-9</td>
</tr>
<tr>
<td>iodef-observable-id</td>
<td>-8</td>
</tr>
<tr>
<td>iodef-SoftwareReference</td>
<td>-7</td>
</tr>
<tr>
<td>iodef-URL</td>
<td>-6</td>
</tr>
<tr>
<td>iodef-Description</td>
<td>-5</td>
</tr>
<tr>
<td>iodef-spec-name</td>
<td>-4</td>
</tr>
<tr>
<td>iodef-ext-spec-name</td>
<td>-3</td>
</tr>
<tr>
<td>iodef-purpose</td>
<td>-2</td>
</tr>
<tr>
<td>iodef-ext-purpose</td>
<td>-1</td>
</tr>
<tr>
<td>iodef-status</td>
<td>0</td>
</tr>
<tr>
<td>iodef-ext-status</td>
<td>1</td>
</tr>
<tr>
<td>iodef-IncidentID</td>
<td>2</td>
</tr>
<tr>
<td>iodef-AlternativeID</td>
<td>3</td>
</tr>
<tr>
<td>iodef-RelatedActivity</td>
<td>4</td>
</tr>
<tr>
<td>iodef-DetectTime</td>
<td>5</td>
</tr>
<tr>
<td>iodef-StartTime</td>
<td>6</td>
</tr>
<tr>
<td>iodef-EndTime</td>
<td>7</td>
</tr>
<tr>
<td>iodef-RecoveryTime</td>
<td>8</td>
</tr>
<tr>
<td>iodef-ReportTime</td>
<td>9</td>
</tr>
<tr>
<td>iodef-GenerationTime</td>
<td>10</td>
</tr>
<tr>
<td>iodef-Discovery</td>
<td>11</td>
</tr>
<tr>
<td>iodef-Assessment</td>
<td>12</td>
</tr>
<tr>
<td>iodef-Method</td>
<td>13</td>
</tr>
<tr>
<td>iodef-Contact</td>
<td>14</td>
</tr>
<tr>
<td>iodef-EventData</td>
<td>15</td>
</tr>
<tr>
<td>iodef-Indicator</td>
<td>16</td>
</tr>
<tr>
<td>iodef-History</td>
<td>17</td>
</tr>
<tr>
<td>iodef-id</td>
<td>18</td>
</tr>
<tr>
<td>iodef-instance</td>
<td>19</td>
</tr>
<tr>
<td>iodef-ThreatActor</td>
<td>20</td>
</tr>
<tr>
<td>iodef-Campaign</td>
<td>21</td>
</tr>
<tr>
<td>iodef-IndicatorID</td>
<td>22</td>
</tr>
<tr>
<td>iodef-Confidence</td>
<td>23</td>
</tr>
<tr>
<td>iodef-ThreatActorID</td>
<td>24</td>
</tr>
<tr>
<td>iodef-CampaignID</td>
<td>25</td>
</tr>
<tr>
<td>iodef-role</td>
<td>26</td>
</tr>
<tr>
<td>iodef-ext-role</td>
<td>27</td>
</tr>
<tr>
<td>iodef-type</td>
<td>28</td>
</tr>
<tr>
<td>iodef-ext-type</td>
<td>29</td>
</tr>
<tr>
<td>iodef-ContactName</td>
<td>30</td>
</tr>
<tr>
<td>iodef-ContactTitle</td>
<td>31</td>
</tr>
<tr>
<td>iodef-RegistryHandle</td>
<td>32</td>
</tr>
<tr>
<td>iodef-PostalAddress</td>
<td>33</td>
</tr>
<tr>
<td>iodef-Email</td>
<td>34</td>
</tr>
<tr>
<td>iodef-Telephone</td>
<td>35</td>
</tr>
<tr>
<td>iodef-Timezone</td>
<td>36</td>
</tr>
<tr>
<td>iodef-handle</td>
<td>37</td>
</tr>
<tr>
<td>iodef-registry</td>
<td>38</td>
</tr>
<tr>
<td>iodef-ext-registry</td>
<td>39</td>
</tr>
<tr>
<td>iodef-PAddress</td>
<td>40</td>
</tr>
<tr>
<td>iodef-EmailTo</td>
<td>41</td>
</tr>
<tr>
<td>iodef-TelephoneNumber</td>
<td>42</td>
</tr>
<tr>
<td>iodef-source</td>
<td>43</td>
</tr>
<tr>
<td>iodef-ext-source</td>
<td>44</td>
</tr>
<tr>
<td>iodef-DetectionPattern</td>
<td>45</td>
</tr>
<tr>
<td>iodef-DetectionConfiguration</td>
<td>46</td>
</tr>
<tr>
<td>iodef-Application</td>
<td>47</td>
</tr>
<tr>
<td>iodef-Reference</td>
<td>48</td>
</tr>
<tr>
<td>iodef-AttackPattern</td>
<td>49</td>
</tr>
<tr>
<td>iodef-Vulnerability</td>
<td>50</td>
</tr>
<tr>
<td>iodef-Weakness</td>
<td>51</td>
</tr>
<tr>
<td>iodef-SpecID</td>
<td>52</td>
</tr>
<tr>
<td>iodef-ext-SpecID</td>
<td>53</td>
</tr>
<tr>
<td>iodef-ContentID</td>
<td>54</td>
</tr>
<tr>
<td>iodef-RawData</td>
<td>55</td>
</tr>
<tr>
<td>iodef-Platform</td>
<td>56</td>
</tr>
<tr>
<td>iodef-Scoring</td>
<td>57</td>
</tr>
<tr>
<td>iodef-ReferenceName</td>
<td>58</td>
</tr>
<tr>
<td>iodef-specIndex</td>
<td>59</td>
</tr>
<tr>
<td>iodef-ID</td>
<td>60</td>
</tr>
<tr>
<td>iodef-occurrence</td>
<td>61</td>
</tr>
<tr>
<td>iodef-IncidentCategory</td>
<td>62</td>
</tr>
<tr>
<td>iodef-Impact</td>
<td>63</td>
</tr>
<tr>
<td>iodef-SystemImpact</td>
<td>64</td>
</tr>
<tr>
<td>iodef-BusinessImpact</td>
<td>65</td>
</tr>
<tr>
<td>iodef-TimeImpact</td>
<td>66</td>
</tr>
<tr>
<td>iodef-MonetaryImpact</td>
<td>67</td>
</tr>
<tr>
<td>iodef-IntendedImpact</td>
<td>68</td>
</tr>
<tr>
<td>iodef-Counter</td>
<td>69</td>
</tr>
<tr>
<td>iodef-MitigatingFactor</td>
<td>70</td>
</tr>
<tr>
<td>iodef-Cause</td>
<td>71</td>
</tr>
<tr>
<td>iodef-severity</td>
<td>72</td>
</tr>
<tr>
<td>iodef-completion</td>
<td>73</td>
</tr>
<tr>
<td>iodef-ext-severity</td>
<td>74</td>
</tr>
<tr>
<td>iodef-metric</td>
<td>75</td>
</tr>
<tr>
<td>iodef-ext-metric</td>
<td>76</td>
</tr>
<tr>
<td>iodef-duration</td>
<td>77</td>
</tr>
</section> <tr>
<td>iodef-ext-duration</td>
<td>78</td>
</tr>
<section title="Mapkeys" anchor="mapkeys"> <tr>
<td>iodef-currency</td>
<td>79</td>
</tr>
<t>The mapkeys are provided in Table <xref target="fig_mapkeys"/> for minimizing <tr>
the CBOR size.</t> <td>iodef-rating</td>
<td>80</td>
</tr>
<figure align="center" anchor="fig_mapkeys" title="Mapkeys"> <tr>
<artwork align="left"><![CDATA[ <td>iodef-ext-rating</td>
+-----------------------------------+-------+ <td>81</td>
|mapkey |cborkey| </tr>
+-----------------------------------+-------+
| iodef-version | -24 |
| iodef-lang | -23 |
| iodef-format-id | -22 |
| iodef-private-enum-name | -21 |
| iodef-private-enum-id | -20 |
| iodef-Incident | -19 |
| iodef-AdditionalData | -18 |
| iodef-value | -17 |
| iodef-translation-id | -16 |
| iodef-name | -15 |
| iodef-dtype | -14 |
| iodef-ext-dtype | -13 |
| iodef-meaning | -12 |
| iodef-formatid | -11 |
| iodef-restriction | -10 |
| iodef-ext-restriction | -9 |
| iodef-observable-id | -8 |
| iodef-SoftwareReference | -7 |
| iodef-URL | -6 |
| iodef-Description | -5 |
| iodef-spec-name | -4 |
| iodef-ext-spec-name | -3 |
| iodef-purpose | -2 |
| iodef-ext-purpose | -1 |
| iodef-status | 0 |
| iodef-ext-status | 1 |
| iodef-IncidentID | 2 |
| iodef-AlternativeID | 3 |
| iodef-RelatedActivity | 4 |
| iodef-DetectTime | 5 |
| iodef-StartTime | 6 |
| iodef-EndTime | 7 |
| iodef-RecoveryTime | 8 |
| iodef-ReportTime | 9 |
| iodef-GenerationTime | 10 |
| iodef-Discovery | 11 |
| iodef-Assessment | 12 |
| iodef-Method | 13 |
| iodef-Contact | 14 |
| iodef-EventData | 15 |
| iodef-Indicator | 16 |
| iodef-History | 17 |
| iodef-id | 18 |
| iodef-instance | 19 |
| iodef-ThreatActor | 20 |
| iodef-Campaign | 21 |
| iodef-IndicatorID | 22 |
| iodef-Confidence | 23 |
| iodef-ThreatActorID | 24 |
| iodef-CampaignID | 25 |
| iodef-role | 26 |
| iodef-ext-role | 27 |
| iodef-type | 28 |
| iodef-ext-type | 29 |
| iodef-ContactName | 30 |
| iodef-ContactTitle | 31 |
| iodef-RegistryHandle | 32 |
| iodef-PostalAddress | 33 |
| iodef-Email | 34 |
| iodef-Telephone | 35 |
| iodef-Timezone | 36 |
| iodef-handle | 37 |
| iodef-registry | 38 |
| iodef-ext-registry | 39 |
| iodef-PAddress | 40 |
| iodef-EmailTo | 41 |
| iodef-TelephoneNumber | 42 |
| iodef-source | 43 |
| iodef-ext-source | 44 |
| iodef-DetectionPattern | 45 |
| iodef-DetectionConfiguration | 46 |
| iodef-Application | 47 |
| iodef-Reference | 48 |
| iodef-AttackPattern | 49 |
| iodef-Vulnerability | 50 |
| iodef-Weakness | 51 |
| iodef-SpecID | 52 |
| iodef-ext-SpecID | 53 |
| iodef-ContentID | 54 |
| iodef-RawData | 55 |
| iodef-Platform | 56 |
| iodef-Scoring | 57 |
| iodef-ReferenceName | 58 |
| iodef-specIndex | 59 |
| iodef-ID | 60 |
| iodef-occurrence | 61 |
| iodef-IncidentCategory | 62 |
| iodef-Impact | 63 |
| iodef-SystemImpact | 64 |
| iodef-BusinessImpact | 65 |
| iodef-TimeImpact | 66 |
| iodef-MonetaryImpact | 67 |
| iodef-IntendedImpact | 68 |
| iodef-Counter | 69 |
| iodef-MitigatingFactor | 70 |
| iodef-Cause | 71 |
| iodef-severity | 72 |
| iodef-completion | 73 |
| iodef-ext-severity | 74 |
| iodef-metric | 75 |
| iodef-ext-metric | 76 |
| iodef-duration | 77 |
| iodef-ext-duration | 78 |
| iodef-currency | 79 |
| iodef-rating | 80 |
| iodef-ext-rating | 81 |
| iodef-HistoryItem | 82 |
| iodef-action | 83 |
| iodef-ext-action | 84 |
| iodef-DateTime | 85 |
| iodef-DefinedCOA | 86 |
| iodef-System | 87 |
| iodef-Expectation | 88 |
| iodef-RecordData | 89 |
| iodef-category | 90 |
| iodef-ext-category | 91 |
| iodef-interface | 92 |
| iodef-spoofed | 93 |
| iodef-virtual | 94 |
| iodef-ownership | 95 |
| iodef-ext-ownership | 96 |
| iodef-Node | 97 |
| iodef-NodeRole | 98 |
| iodef-Service | 99 |
| iodef-OperatingSystem | 100 |
| iodef-AssetID | 101 |
| iodef-DomainData | 102 |
| iodef-Address | 103 |
| iodef-Location | 104 |
| iodef-vlan-name | 105 |
| iodef-vlan-num | 106 |
| iodef-unit | 107 |
| iodef-ext-unit | 108 |
| iodef-system-status | 109 |
| iodef-ext-system-status | 110 |
| iodef-domain-status | 111 |
| iodef-ext-domain-status | 112 |
| iodef-Name | 113 |
| iodef-DateDomainWasChecked | 114 |
| iodef-RegistrationDate | 115 |
| iodef-ExpirationDate | 116 |
| iodef-RelatedDNS | 117 |
| iodef-NameServers | 118 |
| iodef-DomainContacts | 119 |
| iodef-Server | 120 |
| iodef-SameDomainContact | 121 |
| iodef-ip-protocol | 122 |
| iodef-ServiceName | 123 |
| iodef-Port | 124 |
| iodef-Portlist | 125 |
| iodef-ProtoCode | 126 |
| iodef-ProtoType | 127 |
| iodef-ProtoField | 128 |
| iodef-ApplicationHeaderField | 129 |
| iodef-EmailData | 130 |
| iodef-IANAService | 131 |
| iodef-EmailFrom | 132 |
| iodef-EmailSubject | 133 |
| iodef-EmailX-Mailer | 134 |
| iodef-EmailHeaderField | 135 |
| iodef-EmailHeaders | 136 |
| iodef-EmailBody | 137 |
| iodef-EmailMessage | 138 |
| iodef-HashData | 139 |
| iodef-Signature | 140 |
| iodef-RecordPattern | 141 |
| iodef-RecordItem | 142 |
| iodef-FileData | 143 |
| iodef-WindowsRegistryKeysModified | 169 |
| iodef-CertificateData | 145 |
| iodef-offset | 146 |
| iodef-offsetunit | 147 |
| iodef-ext-offsetunit | 148 |
| iodef-Key | 149 |
| iodef-registryaction | 150 |
| iodef-ext-registryaction | 151 |
| iodef-KeyName | 152 |
| iodef-KeyValue | 153 |
| iodef-Certificate | 154 |
| iodef-X509Data | 155 |
| iodef-File | 156 |
| iodef-FileName | 157 |
| iodef-FileSize | 158 |
| iodef-FileType | 159 |
| iodef-AssociatedSoftware | 160 |
| iodef-FileProperties | 161 |
| iodef-scope | 162 |
| iodef-HashTargetID | 163 |
| iodef-Hash | 164 |
| iodef-FuzzyHash | 165 |
| iodef-DigestMethod | 166 |
| iodef-DigestValue | 167 |
| iodef-CanonicalizationMethod | 168 |
| iodef-FuzzyHashValue | 169 |
| iodef-AlternativeIndicatorID | 170 |
| iodef-Observable | 171 |
| iodef-uid-ref | 172 |
| iodef-IndicatorExpression | 173 |
| iodef-IndicatorReference | 174 |
| iodef-AttackPhase | 175 |
| iodef-BulkObservable | 176 |
| iodef-BulkObservableFormat | 177 |
| iodef-BulkObservableList | 178 |
| iodef-operator | 179 |
| iodef-ext-operator | 180 |
| iodef-euid-ref | 181 |
| iodef-AttackPhaseID | 182 |
+-----------------------------------+-------+
]]></artwork>
</figure>
</section> <tr>
<td>iodef-HistoryItem</td>
<td>82</td>
</tr>
<section title="The IODEF Data Model (CDDL)" anchor="cddlSection"> <tr>
<td>iodef-action</td>
<td>83</td>
</tr>
<t>This section provides the IODEF data model. <tr>
<td>iodef-ext-action</td>
<td>84</td>
</tr>
<tr>
<td>iodef-DateTime</td>
<td>85</td>
</tr>
<tr>
<td>iodef-DefinedCOA</td>
<td>86</td>
</tr>
<tr>
<td>iodef-System</td>
<td>87</td>
</tr>
<tr>
<td>iodef-Expectation</td>
<td>88</td>
</tr>
<tr>
<td>iodef-RecordData</td>
<td>89</td>
</tr>
<tr>
<td>iodef-category</td>
<td>90</td>
</tr>
<tr>
<td>iodef-ext-category</td>
<td>91</td>
</tr>
<tr>
<td>iodef-interface</td>
<td>92</td>
</tr>
<tr>
<td>iodef-spoofed</td>
<td>93</td>
</tr>
<tr>
<td>iodef-virtual</td>
<td>94</td>
</tr>
<tr>
<td>iodef-ownership</td>
<td>95</td>
</tr>
<tr>
<td>iodef-ext-ownership</td>
<td>96</td>
</tr>
<tr>
<td>iodef-Node</td>
<td>97</td>
</tr>
<tr>
<td>iodef-NodeRole</td>
<td>98</td>
</tr>
<tr>
<td>iodef-Service</td>
<td>99</td>
</tr>
<tr>
<td>iodef-OperatingSystem</td>
<td>100</td>
</tr>
<tr>
<td>iodef-AssetID</td>
<td>101</td>
</tr>
<tr>
<td>iodef-DomainData</td>
<td>102</td>
</tr>
<tr>
<td>iodef-Address</td>
<td>103</td>
</tr>
<tr>
<td>iodef-Location</td>
<td>104</td>
</tr>
<tr>
<td>iodef-vlan-name</td>
<td>105</td>
</tr>
<tr>
<td>iodef-vlan-num</td>
<td>106</td>
</tr>
<tr>
<td>iodef-unit</td>
<td>107</td>
</tr>
<tr>
<td>iodef-ext-unit</td>
<td>108</td>
</tr>
<tr>
<td>iodef-system-status</td>
<td>109</td>
</tr>
<tr>
<td>iodef-ext-system-status</td>
<td>110</td>
</tr>
<tr>
<td>iodef-domain-status</td>
<td>111</td>
</tr>
<tr>
<td>iodef-ext-domain-status</td>
<td>112</td>
</tr>
<tr>
<td>iodef-Name</td>
<td>113</td>
</tr>
<tr>
<td>iodef-DateDomainWasChecked</td>
<td>114</td>
</tr>
<tr>
<td>iodef-RegistrationDate</td>
<td>115</td>
</tr>
<tr>
<td>iodef-ExpirationDate</td>
<td>116</td>
</tr>
<tr>
<td>iodef-RelatedDNS</td>
<td>117</td>
</tr>
<tr>
<td>iodef-NameServers</td>
<td>118</td>
</tr>
<tr>
<td>iodef-DomainContacts</td>
<td>119</td>
</tr>
<tr>
<td>iodef-Server</td>
<td>120</td>
</tr>
<tr>
<td>iodef-SameDomainContact</td>
<td>121</td>
</tr>
<tr>
<td>iodef-ip-protocol</td>
<td>122</td>
</tr>
<tr>
<td>iodef-ServiceName</td>
<td>123</td>
</tr>
<tr>
<td>iodef-Port</td>
<td>124</td>
</tr>
<tr>
<td>iodef-Portlist</td>
<td>125</td>
</tr>
<tr>
<td>iodef-ProtoCode</td>
<td>126</td>
</tr>
<tr>
<td>iodef-ProtoType</td>
<td>127</td>
</tr>
<tr>
<td>iodef-ProtoField</td>
<td>128</td>
</tr>
<tr>
<td>iodef-ApplicationHeaderField</td>
<td>129</td>
</tr>
<tr>
<td>iodef-EmailData</td>
<td>130</td>
</tr>
<tr>
<td>iodef-IANAService</td>
<td>131</td>
</tr>
<tr>
<td>iodef-EmailFrom</td>
<td>132</td>
</tr>
<tr>
<td>iodef-EmailSubject</td>
<td>133</td>
</tr>
<tr>
<td>iodef-EmailX-Mailer</td>
<td>134</td>
</tr>
<tr>
<td>iodef-EmailHeaderField</td>
<td>135</td>
</tr>
<tr>
<td>iodef-EmailHeaders</td>
<td>136</td>
</tr>
<tr>
<td>iodef-EmailBody</td>
<td>137</td>
</tr>
<tr>
<td>iodef-EmailMessage</td>
<td>138</td>
</tr>
<tr>
<td>iodef-HashData</td>
<td>139</td>
</tr>
<tr>
<td>iodef-Signature</td>
<td>140</td>
</tr>
<tr>
<td>iodef-RecordPattern</td>
<td>141</td>
</tr>
<tr>
<td>iodef-RecordItem</td>
<td>142</td>
</tr>
<tr>
<td>iodef-FileData</td>
<td>143</td>
</tr>
<tr>
<td>iodef-WindowsRegistryKeysModified</td>
<td>144</td>
</tr>
<tr>
<td>iodef-CertificateData</td>
<td>145</td>
</tr>
<tr>
<td>iodef-offset</td>
<td>146</td>
</tr>
<tr>
<td>iodef-offsetunit</td>
<td>147</td>
</tr>
<tr>
<td>iodef-ext-offsetunit</td>
<td>148</td>
</tr>
<tr>
<td>iodef-Key</td>
<td>149</td>
</tr>
<tr>
<td>iodef-registryaction</td>
<td>150</td>
</tr>
<tr>
<td>iodef-ext-registryaction</td>
<td>151</td>
</tr>
<tr>
<td>iodef-KeyName</td>
<td>152</td>
</tr>
<tr>
<td>iodef-KeyValue</td>
<td>153</td>
</tr>
<tr>
<td>iodef-Certificate</td>
<td>154</td>
</tr>
<tr>
<td>iodef-X509Data</td>
<td>155</td>
</tr>
<tr>
<td>iodef-File</td>
<td>156</td>
</tr>
<tr>
<td>iodef-FileName</td>
<td>157</td>
</tr>
<tr>
<td>iodef-FileSize</td>
<td>158</td>
</tr>
<tr>
<td>iodef-FileType</td>
<td>159</td>
</tr>
<tr>
<td>iodef-AssociatedSoftware</td>
<td>160</td>
</tr>
<tr>
<td>iodef-FileProperties</td>
<td>161</td>
</tr>
<tr>
<td>iodef-scope</td>
<td>162</td>
</tr>
<tr>
<td>iodef-HashTargetID</td>
<td>163</td>
</tr>
<tr>
<td>iodef-Hash</td>
<td>164</td>
</tr>
<tr>
<td>iodef-FuzzyHash</td>
<td>165</td>
</tr>
<tr>
<td>iodef-DigestMethod</td>
<td>166</td>
</tr>
<tr>
<td>iodef-DigestValue</td>
<td>167</td>
</tr>
<tr>
<td>iodef-CanonicalizationMethod</td>
<td>168</td>
</tr>
<tr>
<td>iodef-FuzzyHashValue</td>
<td>169</td>
</tr>
<tr>
<td>iodef-AlternativeIndicatorID</td>
<td>170</td>
</tr>
<tr>
<td>iodef-Observable</td>
<td>171</td>
</tr>
<tr>
<td>iodef-uid-ref</td>
<td>172</td>
</tr>
<tr>
<td>iodef-IndicatorExpression</td>
<td>173</td>
</tr>
<tr>
<td>iodef-IndicatorReference</td>
<td>174</td>
</tr>
<tr>
<td>iodef-AttackPhase</td>
<td>175</td>
</tr>
<tr>
<td>iodef-BulkObservable</td>
<td>176</td>
</tr>
<tr>
<td>iodef-BulkObservableFormat</td>
<td>177</td>
</tr>
<tr>
<td>iodef-BulkObservableList</td>
<td>178</td>
</tr>
<tr>
<td>iodef-operator</td>
<td>179</td>
</tr>
<tr>
<td>iodef-ext-operator</td>
<td>180</td>
</tr>
<tr>
<td>iodef-euid-ref</td>
<td>181</td>
</tr>
<tr>
<td>iodef-AttackPhaseID</td>
<td>182</td>
</tr>
</tbody>
</table>
</section>
<section anchor="cddlSection" numbered="true" toc="default">
<name>The IODEF Data Model (CDDL)</name>
<t keepWithNext="true">This section provides the IODEF data model.
Note that mapkeys are described at the beginning of the CDDL data model for bett er readability.</t> Note that mapkeys are described at the beginning of the CDDL data model for bett er readability.</t>
<figure align="center" anchor="cddl" title="Data Model in CDDL"> <!--Note: per the author's note in the datatracker, "? iodef-Indicator
<artwork align="left"><![CDATA[ f=> [+ Indicator]," was updated to be "? iodef-Indicator => [+
Indicator]," in the figure below.
-->
<figure anchor="cddl">
<name>Data Model in CDDL</name>
<sourcecode type="cddl"><![CDATA[
start = iodef start = iodef
;;; iodef.json: IODEF-Document ;;; iodef.json: IODEF-Document
iodef-version = -24 iodef-version = -24
iodef-lang = -23 iodef-lang = -23
iodef-format-id = -22 iodef-format-id = -22
iodef-private-enum-name = -21 iodef-private-enum-name = -21
iodef-private-enum-id = -20 iodef-private-enum-id = -20
iodef-Incident = -19 iodef-Incident = -19
skipping to change at line 1521 skipping to change at line 2649
iodef-EmailX-Mailer = 134 iodef-EmailX-Mailer = 134
iodef-EmailHeaderField = 135 iodef-EmailHeaderField = 135
iodef-EmailHeaders = 136 iodef-EmailHeaders = 136
iodef-EmailBody = 137 iodef-EmailBody = 137
iodef-EmailMessage = 138 iodef-EmailMessage = 138
iodef-HashData = 139 iodef-HashData = 139
iodef-Signature = 140 iodef-Signature = 140
iodef-RecordPattern = 141 iodef-RecordPattern = 141
iodef-RecordItem = 142 iodef-RecordItem = 142
iodef-FileData = 143 iodef-FileData = 143
iodef-WindowsRegistryKeysModified = 169 iodef-WindowsRegistryKeysModified = 144
iodef-CertificateData = 145 iodef-CertificateData = 145
iodef-offset = 146 iodef-offset = 146
iodef-offsetunit = 147 iodef-offsetunit = 147
iodef-ext-offsetunit = 148 iodef-ext-offsetunit = 148
iodef-Key = 149 iodef-Key = 149
iodef-registryaction = 150 iodef-registryaction = 150
iodef-ext-registryaction = 151 iodef-ext-registryaction = 151
iodef-KeyName = 152 iodef-KeyName = 152
iodef-KeyValue = 153 iodef-KeyValue = 153
iodef-Certificate = 154 iodef-Certificate = 154
skipping to change at line 1571 skipping to change at line 2699
iodef = { iodef = {
iodef-version => text, iodef-version => text,
? iodef-lang => lang, ? iodef-lang => lang,
? iodef-format-id => text ? iodef-format-id => text
? iodef-private-enum-name => text, ? iodef-private-enum-name => text,
? iodef-private-enum-id => text, ? iodef-private-enum-id => text,
iodef-Incident => [+ Incident], iodef-Incident => [+ Incident],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / duration = "second" / "minute" / "hour" / "day" / "month" /
"year" / "ext-value" "quarter" / "year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
restriction = "public" / "partner" / "need-to-know" / "private" / restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" / "default" / "white" / "green" / "amber" / "red" /
"ext-value" "ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype IDREFType = IDtype
URLtype = uri URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]" TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*" PortlistType = text .regexp
"[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" / action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" / "contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" / "block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" / "honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" / "harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" / "status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value" "defined-coa" / "other" / "ext-value"
DATETIME = tdate DATETIME = tdate
skipping to change at line 1610 skipping to change at line 2739
? iodef-translation-id => text ? iodef-translation-id => text
} / text } / text
PositiveFloatType = float32 .gt 0 PositiveFloatType = float32 .gt 0
PAddressType = MLStringType PAddressType = MLStringType
ExtensionType = { ExtensionType = {
iodef-value => text, iodef-value => text,
? iodef-name => text, ? iodef-name => text,
iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" / iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
"ext-value"
.default "string" .default "string"
? iodef-ext-dtype => text, ? iodef-ext-dtype => text,
? iodef-meaning => text, ? iodef-meaning => text,
? iodef-formatid => text, ? iodef-formatid => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
} }
SoftwareType = { SoftwareType = {
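Review bot: The `.default "private"` on `? iodef-restriction` in ExtensionType is, as far as I know, advisory in CDDL. A validator accepts a map that omits the key and does not insert the value, so a receiver that reads the key directly gets nothing rather than "private". Because this member controls how widely the data may be disclosed, I would add a comment on that line such as `; .default is advisory: a receiver should itself treat a missing iodef-restriction as "private"`. The same member recurs in Incident, IncidentID, Campaign, Contact, Discovery, DetectionPattern, Method and later rules in the following hunks. The change in this hunk itself appears to be line re-wrapping only.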
skipping to change at line 1639 skipping to change at line 2769
SoftwareReference = { SoftwareReference = {
? iodef-value => text, ? iodef-value => text,
iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value", iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
? iodef-ext-spec-name => text, ? iodef-ext-spec-name => text,
? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
"ext-value" .default "string", "ext-value" .default "string",
? iodef-ext-dtype => text ? iodef-ext-dtype => text
} }
Incident = { Incident = {
iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / iodef-purpose => "traceback" / "mitigation" / "reporting" /
"other" / "ext-value", "watch" / "other" / "ext-value",
? iodef-ext-purpose => text, ? iodef-ext-purpose => text,
? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
"future" / "ext-value", "future" / "ext-value",
? iodef-ext-status => text, ? iodef-ext-status => text,
? iodef-lang => lang, ? iodef-lang => lang,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
iodef-IncidentID => IncidentID, iodef-IncidentID => IncidentID,
? iodef-AlternativeID => AlternativeID, ? iodef-AlternativeID => AlternativeID,
skipping to change at line 1664 skipping to change at line 2794
? iodef-EndTime => DATETIME, ? iodef-EndTime => DATETIME,
? iodef-RecoveryTime => DATETIME, ? iodef-RecoveryTime => DATETIME,
? iodef-ReportTime => DATETIME, ? iodef-ReportTime => DATETIME,
iodef-GenerationTime => DATETIME, iodef-GenerationTime => DATETIME,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-Discovery => [+ Discovery], ? iodef-Discovery => [+ Discovery],
? iodef-Assessment => [+ Assessment], ? iodef-Assessment => [+ Assessment],
? iodef-Method => [+ Method], ? iodef-Method => [+ Method],
iodef-Contact => [+ Contact], iodef-Contact => [+ Contact],
? iodef-EventData => [+ EventData], ? iodef-EventData => [+ EventData],
? iodef-Indicator f=> [+ Indicator], ? iodef-Indicator => [+ Indicator],
? iodef-History => History, ? iodef-History => History,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
IncidentID = { IncidentID = {
iodef-id => text, iodef-id => text,
iodef-name => text, iodef-name => text,
? iodef-instance => text, ? iodef-instance => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text ? iodef-ext-restriction => text
skipping to change at line 1715 skipping to change at line 2845
Campaign = { Campaign = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-CampaignID => [+ text], ? iodef-CampaignID => [+ text],
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Contact = { Contact = {
iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / iodef-role => "creator" / "reporter" / "admin" / "tech" /
, "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
"vendor" / "vendor-support" / "victim" / "victim-notified" / "victim" / "victim-notified" / "ext-value",
"ext-value",
? iodef-ext-role => text, ? iodef-ext-role => text,
iodef-type => "person" / "organization" / "ext-value", iodef-type => "person" / "organization" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-ContactName => [+ MLStringType], ? iodef-ContactName => [+ MLStringType],
? iodef-ContactTitle => [+ MLStringType], ? iodef-ContactTitle => [+ MLStringType],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-RegistryHandle => [+ RegistryHandle], ? iodef-RegistryHandle => [+ RegistryHandle],
? iodef-PostalAddress => [+ PostalAddress], ? iodef-PostalAddress => [+ PostalAddress],
? iodef-Email => [+ Email], ? iodef-Email => [+ Email],
? iodef-Telephone => [+ Telephone], ? iodef-Telephone => [+ Telephone],
? iodef-Timezone => TimeZonetype, ? iodef-Timezone => TimeZonetype,
? iodef-Contact => [+ Contact], ? iodef-Contact => [+ Contact],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
iodef-handle => text, iodef-handle => text,
iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" / iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
"afrinic" / "local" / "ext-value", "ripe" / "afrinic" / "local" / "ext-value",
? iodef-ext-registry => text ? iodef-ext-registry => text
} }
PostalAddress = { PostalAddress = {
? iodef-type => "street" / "mailing" / "ext-value", ? iodef-type => "street" / "mailing" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-PAddress => PAddressType, iodef-PAddress => PAddressType,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Email = { Email = {
? iodef-type => "direct" / "hotline" / "ext-value", ? iodef-type => "direct" / "hotline" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-EmailTo => text, iodef-EmailTo => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Telephone = { Telephone = {
? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value", ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
"ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-TelephoneNumber => text, iodef-TelephoneNumber => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Discovery = { Discovery = {
? iodef-source => "nidps" /"hips" /"siem" /"av" /"third-party-monitoring" / ? iodef-source => "nidps" / "hips" / "siem" / "av" /
"incident" / "os-log" / "application-log" / "device-log" / "third-party-monitoring" / "incident" / "os-log" /
"network-flow" / "passive-dns" / "investigation" / "audit" / "application-log" / "device-log" / "network-flow" /
"passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" / "internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value", "leo" / "partner" / "actor" / "unknown" / "ext-value",
? iodef-ext-source => text, ? iodef-ext-source => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-Contact => [+ Contact], ? iodef-Contact => [+ Contact],
? iodef-DetectionPattern => [+ DetectionPattern] ? iodef-DetectionPattern => [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
(iodef-Description => [+ MLStringType] // iodef-DetectionConfiguration => [+ te (iodef-Description => [+ MLStringType] //
xt]), iodef-DetectionConfiguration => [+ text]),
iodef-Application => SoftwareType iodef-Application => SoftwareType
} }
Method = { Method = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-Reference => [+ Reference], ? iodef-Reference => [+ Reference],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AttackPattern => [+ StructuredInfo], ? iodef-AttackPattern => [+ STRUCTUREDINFO],
? iodef-Vulnerability => [+ StructuredInfo], ? iodef-Vulnerability => [+ STRUCTUREDINFO],
? iodef-Weakness => [+ StructuredInfo], ? iodef-Weakness => [+ STRUCTUREDINFO],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
StructuredInfo = { STRUCTUREDINFO = {
iodef-SpecID => SpecID, iodef-SpecID => SpecID,
? iodef-ext-SpecID => text, ? iodef-ext-SpecID => text,
? iodef-ContentID => text, ? iodef-ContentID => text,
? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]), ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
? iodef-Platform => [+ Platform], ? iodef-Platform => [+ Platform],
? iodef-Scoring => [+ Scoring] ? iodef-Scoring => [+ Scoring]
} }
Platform = { Platform = {
iodef-SpecID => SpecID, iodef-SpecID => SpecID,
skipping to change at line 1853 skipping to change at line 2986
? iodef-Counter => [+ Counter], ? iodef-Counter => [+ Counter],
? iodef-MitigatingFactor => [+ MLStringType], ? iodef-MitigatingFactor => [+ MLStringType],
? iodef-Cause => [+ MLStringType], ? iodef-Cause => [+ MLStringType],
? iodef-Confidence => Confidence, ? iodef-Confidence => Confidence,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
SystemImpact = { SystemImpact = {
? iodef-severity => "low" / "medium" / "high", ? iodef-severity => "low" / "medium" / "high",
? iodef-completion => "failed" / "succeeded", ? iodef-completion => "failed" / "succeeded",
iodef-type => "takeover-account" / "takeover-service" / "takeover-system" / iodef-type => "takeover-account" / "takeover-service" /
"cps-manipulation" / "cps-damage" / "availability-data" / "takeover-system" / "cps-manipulation" / "cps-damage" /
"availability-account" / "availability-service" / "availability-data" / "availability-account" /
"availability-system" / "damaged-system" / "damaged-data" / "availability-service" / "availability-system" / "damaged-system" /
"breach-proprietary" / "breach-privacy" / "breach-credential" / "damaged-data" / "breach-proprietary" / "breach-privacy" /
"breach-configuration" / "integrity-data" / "breach-credential" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown", "policy" / "unknown" / "ext-value" .default "unknown",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
BusinessImpact = { BusinessImpact = {
? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
"ext-value" .default "unknown", "ext-value" .default "unknown",
skipping to change at line 1896 skipping to change at line 3029
} }
MonetaryImpact = { MonetaryImpact = {
iodef-value => PositiveFloatType, iodef-value => PositiveFloatType,
? iodef-severity => "low" / "medium" / "high", ? iodef-severity => "low" / "medium" / "high",
? iodef-currency => text ? iodef-currency => text
} }
Confidence = { Confidence = {
iodef-value => float32, iodef-value => float32,
iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
, "ext-value",
? iodef-ext-rating => text ? iodef-ext-rating => text
} }
History = { History = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
iodef-HistoryItem => [+ HistoryItem] iodef-HistoryItem => [+ HistoryItem]
} }
HistoryItem = { HistoryItem = {
skipping to change at line 1956 skipping to change at line 3090
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-DefinedCOA => [+ text], ? iodef-DefinedCOA => [+ text],
? iodef-StartTime => DATETIME, ? iodef-StartTime => DATETIME,
? iodef-EndTime => DATETIME, ? iodef-EndTime => DATETIME,
? iodef-Contact => Contact ? iodef-Contact => Contact
} }
System = { System = {
? iodef-category => "source" / "target" / "intermediate" / "sensor" / ? iodef-category => "source" / "target" / "intermediate" /
"infrastructure" / "ext-value", "sensor" / "infrastructure" / "ext-value",
? iodef-ext-category => text, ? iodef-ext-category => text,
? iodef-interface => text, ? iodef-interface => text,
? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown", ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
? iodef-virtual => "yes" / "no" / "unknown" .default "unknown", ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
? iodef-ownership => "organization" / "personal" / "partner" / "customer" / ? iodef-ownership => "organization" / "personal" / "partner" /
"no-relationship" / "unknown" / "ext-value", "customer" / "no-relationship" / "unknown" / "ext-value",
? iodef-ext-ownership => text, ? iodef-ext-ownership => text,
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
iodef-Node => Node, iodef-Node => Node,
? iodef-NodeRole => [+ NodeRole], ? iodef-NodeRole => [+ NodeRole],
? iodef-Service => [+ Service], ? iodef-Service => [+ Service],
? iodef-OperatingSystem => [+ SoftwareType], ? iodef-OperatingSystem => [+ SoftwareType],
? iodef-Counter => [+ Counter], ? iodef-Counter => [+ Counter],
? iodef-AssetID => [+ text], ? iodef-AssetID => [+ text],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Node = { Node = {
(iodef-DomainData => [+ DomainData] // iodef-Address => [+ Address]), (iodef-DomainData => [+ DomainData] //
iodef-Address => [+ Address]),
? iodef-PostalAddress => PostalAddress, ? iodef-PostalAddress => PostalAddress,
? iodef-Location => [+ MLStringType], ? iodef-Location => [+ MLStringType],
? iodef-Counter => [+ Counter] ? iodef-Counter => [+ Counter]
} }
Address = { Address = {
iodef-value => text, iodef-value => text,
iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
"ext-value" .default "ipv6-addr", "ext-value" .default "ipv6-addr",
? iodef-ext-category => text, ? iodef-ext-category => text,
? iodef-vlan-name => text, ? iodef-vlan-name => text,
? iodef-vlan-num => integer, ? iodef-vlan-num => integer,
? iodef-observable-id => IDtype ? iodef-observable-id => IDtype
} }
NodeRole = { NodeRole = {
iodef-category => "client" / "client-enterprise" / "client-partner" / iodef-category => "client" / "client-enterprise" /
"client-remote" / "client-kiosk" / "client-mobile" / "client-partner" / "client-remote" / "client-kiosk" /
"server-internal" / "server-public" / "www" / "mail" / "client-mobile" / "server-internal" / "server-public" /
"webmail" / "messaging" / "streaming" / "voice" / "file" / "www" / "mail" / "webmail" / "messaging" / "streaming" /
"ftp" / "p2p" / "name" / "directory" / "credential" / "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
"print" / "application" / "database" / "backup" / "dhcp" / "credential" / "print" / "application" / "database" /
"assessment" / "source-control" / "config-management" / "backup" / "dhcp" / "assessment" / "source-control" /
"monitoring" / "infra" / "infra-firewall" / "infra-router" / "config-management" / "monitoring" / "infra" / "infra-firewall" /
"infra-switch" / "camera" / "proxy" / "remote-access" / "infra-router" / "infra-switch" / "camera" / "proxy" /
"log" / "virtualization" / "pos" / "scada" / "remote-access" / "log" / "virtualization" / "pos" / "scada" /
"scada-supervisory" / "sinkhole" / "honeypot" / "scada-supervisory" / "sinkhole" / "honeypot" /
"anomyzation" / "c2-server" / "malware-distribution" / "anomyzation" / "c2-server" / "malware-distribution" /
"drop-server" / "hop-point" / "reflector" / "drop-server" / "hop-point" / "reflector" /
"phishing-site" / "spear-phishing-site" / "recruiting-site" / "phishing-site" / "spear-phishing-site" / "recruiting-site" /
"fraudulent-site" / "ext-value", "fraudulent-site" / "ext-value",
? iodef-ext-category => text, ? iodef-ext-category => text,
? iodef-Description => [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Counter = { Counter = {
iodef-value => float32, iodef-value => float32,
iodef-type => "count" / "peak" / "average" / "ext-value", iodef-type => "count" / "peak" / "average" / "ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
"message" / "event" / "host" / "site" / "organization" / "alert" / "message" / "event" / "host" / "site" / "organization" /
"ext-value", "ext-value",
? iodef-ext-unit => text, ? iodef-ext-unit => text,
? iodef-meaning => text, ? iodef-meaning => text,
? iodef-duration => duration .default "hour", ? iodef-duration => duration .default "hour",
? iodef-ext-duration => text ? iodef-ext-duration => text
} }
DomainData = { DomainData = {
iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" / iodef-system-status => "spoofed" / "fraudulent" /
"innocent-hijacked" / "unknown" / "ext-value", "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
? iodef-ext-system-status => text, ? iodef-ext-system-status => text,
iodef-domain-status => "reservedDelegation" / "assignedAndActive" / iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
"assignedAndInactive" / "assignedAndOnHold" / "assignedAndInactive" / "assignedAndOnHold" /
"revoked" / "transferPending" / "registryLock" / "revoked" / "transferPending" / "registryLock" /
"registrarLock" / "other" / "unknown" / "ext-value", "registrarLock" / "other" / "unknown" / "ext-value",
? iodef-ext-domain-status => text, ? iodef-ext-domain-status => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
iodef-Name => text, iodef-Name => text,
? iodef-DateDomainWasChecked => DATETIME, ? iodef-DateDomainWasChecked => DATETIME,
? iodef-RegistrationDate => DATETIME, ? iodef-RegistrationDate => DATETIME,
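Review bot: In NodeRole's `iodef-category` list, the value `"anomyzation"` is carried over unchanged on the new side and looks like a misspelling of `"anonymization"`, which I believe is the spelling RFC 7970 uses for this role. If so, a document using the RFC 7970 value would fail validation against this CDDL, and a consumer matching on the CDDL spelling would not recognise the role. The line would then read `"anonymization" / "c2-server" / "malware-distribution" /`; confirm against RFC 7970 before changing it. The rest of this hunk appears to be line re-wrapping, and DomainData continues past the end of the hunk.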
skipping to change at line 2103 skipping to change at line 3238
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
? iodef-DateTime => DATETIME, ? iodef-DateTime => DATETIME,
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-Application => SoftwareType, ? iodef-Application => SoftwareType,
? iodef-RecordPattern => [+ RecordPattern], ? iodef-RecordPattern => [+ RecordPattern],
? iodef-RecordItem => [+ ExtensionType], ? iodef-RecordItem => [+ ExtensionType],
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-FileData => [+ FileData], ? iodef-FileData => [+ FileData],
? iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified], ? iodef-WindowsRegistryKeysModified =>
[+ WindowsRegistryKeysModified],
? iodef-CertificateData => [+ CertificateData], ? iodef-CertificateData => [+ CertificateData],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
RecordPattern = { RecordPattern = {
iodef-value => text, iodef-value => text,
iodef-type => "regex" / "binary" / "xpath" / "ext-value" .default "regex", iodef-type => "regex" / "binary" / "xpath" /
"ext-value" .default "regex",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-offset => integer, ? iodef-offset => integer,
? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line", ? iodef-offsetunit => "line" / "byte" /
"ext-value" .default "line",
? iodef-ext-offsetunit => text, ? iodef-ext-offsetunit => text,
? iodef-instance => integer ? iodef-instance => integer
} }
WindowsRegistryKeysModified = { WindowsRegistryKeysModified = {
? iodef-observable-id => IDtype, ? iodef-observable-id => IDtype,
iodef-Key => [+ Key] iodef-Key => [+ Key]
} }
Key = { Key = {
skipping to change at line 2166 skipping to change at line 3304
? iodef-FileSize => integer, ? iodef-FileSize => integer,
? iodef-FileType => text, ? iodef-FileType => text,
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-HashData => HashData, ? iodef-HashData => HashData,
? iodef-Signature => [+ BYTE], ? iodef-Signature => [+ BYTE],
? iodef-AssociatedSoftware => SoftwareType, ? iodef-AssociatedSoftware => SoftwareType,
? iodef-FileProperties => [+ ExtensionType] ? iodef-FileProperties => [+ ExtensionType]
} }
HashData = { HashData = {
iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" / iodef-scope => "file-contents" / "file-pe-section" /
"file-pe-resource" / "file-pdf-object" / "email-hash" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
"email-headers-hash" / "email-body-hash" / "ext-value", "email-hash" / "email-headers-hash" / "email-body-hash" /
"ext-value",
? iodef-HashTargetID => text, ? iodef-HashTargetID => text,
? iodef-Hash => [+ Hash], ? iodef-Hash => [+ Hash],
? iodef-FuzzyHash => [+ FuzzyHash] ? iodef-FuzzyHash => [+ FuzzyHash]
} }
Hash = { Hash = {
iodef-DigestMethod => BYTE, iodef-DigestMethod => BYTE,
iodef-DigestValue => BYTE, iodef-DigestValue => BYTE,
? iodef-CanonicalizationMethod => BYTE, ? iodef-CanonicalizationMethod => BYTE,
? iodef-Application => SoftwareType ? iodef-Application => SoftwareType
skipping to change at line 2222 skipping to change at line 3361
AlternativeIndicatorID = { AlternativeIndicatorID = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
iodef-IndicatorID => [+ IndicatorID] iodef-IndicatorID => [+ IndicatorID]
} }
Observable = { Observable = {
? iodef-restriction => restriction .default "private", ? iodef-restriction => restriction .default "private",
? iodef-ext-restriction => text, ? iodef-ext-restriction => text,
? (iodef-System => System // iodef-Address => Address // ? (iodef-System => System // iodef-Address => Address //
iodef-DomainData => DomainData // iodef-EmailData => EmailData // iodef-DomainData => DomainData //
iodef-EmailData => EmailData //
iodef-Service => Service // iodef-Service => Service //
iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // iodef-WindowsRegistryKeysModified =>
iodef-FileData => FileData //iodef-CertificateData => CertificateData // WindowsRegistryKeysModified //
iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>RecordData // iodef-FileData => FileData //iodef-CertificateData =>
CertificateData //
iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>
RecordData //
iodef-EventData => EventData // iodef-Incident => Incident // iodef-EventData => EventData // iodef-Incident => Incident //
iodef-Expectation => Expectation // iodef-Reference => Reference // iodef-Expectation => Expectation // iodef-Reference =>
Reference //
iodef-Assessment => Assessment // iodef-Assessment => Assessment //
iodef-DetectionPattern => DetectionPattern // iodef-DetectionPattern => DetectionPattern //
iodef-HistoryItem => HistoryItem // iodef-HistoryItem => HistoryItem //
iodef-BulkObservable => BulkObservable // iodef-BulkObservable => BulkObservable //
iodef-AdditionalData => [+ ExtensionType]) iodef-AdditionalData => [+ ExtensionType])
} }
BulkObservable = { BulkObservable = {
? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
"mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
"domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv4" / "domain-to-ipv6" /
"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
"windows-reg-key" / "file-hash" / "email-x-mailer" / "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
"email-subject" / "http-user-agent" / "http-request-uri" / "email-x-mailer" / "email-subject" / "http-user-agent" /
"mutex" / "file-path" / "user-name" / "ext-value", "http-request-uri" / "mutex" / "file-path" / "user-name" /
"ext-value",
? iodef-ext-type => text, ? iodef-ext-type => text,
? iodef-BulkObservableFormat => BulkObservableFormat, ? iodef-BulkObservableFormat => BulkObservableFormat,
iodef-BulkObservableList => text, iodef-BulkObservableList => text,
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
BulkObservableFormat = { BulkObservableFormat = {
(iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType]) (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
} }
skipping to change at line 2277 skipping to change at line 3422
(iodef-uid-ref => IDREFType // iodef-euid-ref => text), (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
? iodef-version => text ? iodef-version => text
} }
AttackPhase = { AttackPhase = {
? iodef-AttackPhaseID => [+ text], ? iodef-AttackPhaseID => [+ text],
? iodef-URL => [+ URLtype], ? iodef-URL => [+ URLtype],
? iodef-Description => [+ MLStringType], ? iodef-Description => [+ MLStringType],
? iodef-AdditionalData => [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
]]></artwork> ]]></sourcecode>
</figure> </figure>
</section>
</section> <section anchor="IANA" numbered="true" toc="default">
<name>IANA Considerations</name>
<section anchor="IANA" title="IANA Considerations"> <t>This document has no IANA actions.</t>
<t>This document does not require any IANA actions.</t> </section>
</section> <section anchor="Security" numbered="true" toc="default">
<name>Security Considerations</name>
<section anchor="Security" title="Security Considerations"> <t>This document provides a mapping from XML IODEF defined in <xref target
<t>This document provides a mapping from XML IODEF defined in <xref target= ="RFC7970" format="default"/> to JSON, and <xref target="mapping" format="defaul
"RFC7970" /> to JSON, and <xref target="mapping" /> describes several issues tha t"/> describes several issues that arise when converting XML IODEF and JSON IODE
t arise when converting XML IODEF and JSON IODEF. F.
Though it does not provide any further security considerations than the one desc Though it does not provide any further security considerations other than the on
ribed in <xref target="RFC7970" />, impelementers of this document should be awa e described in <xref target="RFC7970" format="default"/>, implementers of this d
re of those issues to avoid any unintended outcome.</t> ocument should be aware of those issues to avoid any unintended outcome.</t>
</section> </section>
<section anchor="Acknowledgments" title="Acknowledgments">
<t>We would like to thank Henk Birkholz, Carsten Bormann, Benjamin Kaduk, A
lexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their insightful comment
s on this document and CDDL.</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
</middle>
<back> <back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries
:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (
as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml
"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.x
ml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included fil
es in the same
directory as the including file. You can also define the XML_LIBRARY environ
ment variable
with a value containing a set of directories to search. These can be either
in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2
119.xml"?-->
&RFC2119;
&RFC3986;
&RFC4648;
&RFC7049;
&RFC7203;
&RFC7970;
&RFC8174;
&RFC8259;
&RFC8610;
<!--
<reference anchor="jsonschema">
<front> <displayreference target="I-D.handrews-json-schema-validation" to="JSON-SCHEMA"/
<title>JSON Schema</title> >
<author> <references>
<organization></organization> <name>References</name>
</author> <references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.3986.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.4648.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7049.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7203.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.7970.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8259.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refer
ence.RFC.8610.xml"/>
<date year="2006" />
</front>
<annotation>http://json-schema.org/</annotation>
</reference>
</references> </references>
<references>
<name>Informative References</name>
<references title="Informative References"> <!--draft-handrews-json-schema-validation-02; expired-->
<!-- Here we use entities that we defined at the beginning. --> <xi:include href="https://www.rfc-editor.org/refs/bibxml3/reference.I-D.han
drews-json-schema-validation.xml"/>
<?rfc include="reference.I-D.handrews-json-schema-validation.xml"?>
<!-- A reference written by by an organization not a person. -->
</references> </references>
</references>
<section anchor="supportedCborDataType" numbered="true" toc="default">
<name>Data Types Used in This Document</name>
<t>The CDDL prelude used in this document is mapped to JSON as shown in th
e table below.</t>
<section title="Data Types used in this document" anchor="supportedCborDataType" <table anchor="cborDataType" align="left">
> <name>CDDL Prelude Mapping in JSON</name>
<thead>
<t>The CDDL prelude used in this document is mapped to JSON as shown in the tabl <tr>
e below.</t> <th>CDDL Prelude</th>
<th>Use of JSON</th>
<figure align="center" anchor="cborDataType" title="CDDL Prelude mapping in JSON <th>Instance</th>
"><artwork align="left"><![CDATA[ <th>Validation</th>
+-----------------+-------------------+----------------------------+ </tr>
| CDDL Prelude | Use of JSON | Instance | Validation | </thead>
+-----------------+-------------------+----------------------------+ <tbody>
| bytes | n/a | string | tool available | <tr>
| text | string | string | unnecessary | <td>bytes</td>
| tdate | n/a | string | 7.3.1 date-time | <td>n/a</td>
| integer | n/a | number | integer | <td>string</td>
| eb64legacy | n/a | string | tool available | <td>tool available</td>
| uri | n/a | string | 7.3.6 uri | </tr>
| float32 | float32 | number | unnecessary | <tr>
+-----------------+-------------------+----------------------------+ <td>text</td>
]]></artwork></figure> <td>string</td>
<td>string</td>
</section> <td>unnecessary</td>
</tr>
<section title="The IODEF Data Model (JSON Schema)" anchor="jsonSchemaSection"> <tr>
<td>tdate</td>
<td>n/a</td>
<td>string</td>
<td>date-time per <xref target="I-D.handrews-json-schema-validation" secti
onFormat="of" section="7.3.1"/></td>
</tr>
<tr>
<td>integer</td>
<td>n/a</td>
<td>number</td>
<td>integer</td>
</tr>
<tr>
<td>eb64legacy</td>
<td>n/a</td>
<td>string</td>
<td>tool available</td>
</tr>
<tr>
<td>uri</td>
<td>n/a</td>
<td>string</td>
<td>uri per <xref target="I-D.handrews-json-schema-validation" sectionForm
at="of" section="7.3.6"/></td>
</tr>
<tr>
<td>float32</td>
<td>float32</td>
<td>number</td>
<td>unnecessary</td>
</tr>
</tbody>
</table>
<t>This section provides a <xref target="I-D.handrews-json-schema-validation">JS </section>
ON schema</xref> that defines the IODEF Data Model defined in this draft. Note t <section anchor="jsonSchemaSection" numbered="true" toc="default">
hat this section is Informative.</t> <name>The IODEF Data Model (JSON Schema)</name>
<t keepWithNext="true">This section provides a <xref target="I-D.handrews-
json-schema-validation" format="default">JSON schema</xref> that defines the IOD
EF data model defined in this document. Note that this section is informative.</
t>
<figure align="center" anchor="jsonSchema" title="JSON schema"> <figure anchor="jsonSchema">
<artwork align="left"><![CDATA[ <name>JSON Schema</name>
{ "$schema": "http://json-schema.org/draft-04/schema#", <sourcecode type="json"><![CDATA[
{ "$schema": "https://json-schema.org/draft-04/schema#",
"definitions": { "definitions": {
"action": {"enum": ["nothing","contact-source-site", "action": {"enum": ["nothing", "contact-source-site",
"contact-target-site","contact-sender","investigate", "contact-target-site", "contact-sender", "investigate",
"block-host","block-network","block-port","rate-limit-host", "block-host", "block-network", "block-port",
"rate-limit-network","rate-limit-port","redirect-traffic", "rate-limit-host", "rate-limit-network",
"honeypot","upgrade-software","rebuild-asset","harden-asset", "rate-limit-port", "redirect-traffic", "honeypot",
"remediate-other","status-triage","status-new-info", "upgrade-software", "rebuild-asset", "harden-asset",
"watch-and-report","training","defined-coa","other", "remediate-other", "status-triage", "status-new-info",
"watch-and-report", "training", "defined-coa", "other",
"ext-value"]}, "ext-value"]},
"duration":{"enum":["second","minute","hour","day","month", "duration":{"enum":["second", "minute", "hour", "day",
"quarter","year","ext-value"]}, "month", "quarter", "year", "ext-value"]},
"SpecID":{ "SpecID":{
"enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2",
"private"]},
"lang": { "lang": {
"type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "type":"string", "pattern":
"purpose": {"enum": ["traceback","mitigation","reporting","watch", "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
"other","ext-value"]}, "purpose": {"enum": ["traceback", "mitigation",
"restriction":{"enum":["public","partner","need-to-know","private", "reporting", "watch", "other", "ext-value"]},
"default","white","green","amber","red","ext-value"]}, "restriction":{"enum": ["public", "partner",
"status": {"enum": ["new","in-progress","forwarded","resolved", "need-to-know", "private", "default", "white", "green",
"future","ext-value"]}, "amber", "red", "ext-value"]},
"DATETIME": {"type": "string","format": "date-time"}, "status": {"enum": ["new", "in-progress", "forwarded",
"resolved", "future", "ext-value"]},
"DATETIME": {"type": "string", "format": "date-time"},
"BYTE": {"type": "string"}, "BYTE": {"type": "string"},
"PortlistType": { "PortlistType": {
"type": "string","pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"}, "type": "string", "pattern":
"[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
"TimeZonetype": { "TimeZonetype": {
"type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "type":"string", "pattern":
"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
"URLtype": { "URLtype": {
"type": "string", "type": "string",
"pattern": "pattern":
"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))
"IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, ?(#(.*))?"},
"IDtype": {"type": "string", "pattern":
"[a-zA-Z_][a-zA-Z0-9_.-]*"},
"IDREFType": {"$ref": "#/definitions/IDtype"}, "IDREFType": {"$ref": "#/definitions/IDtype"},
"MLStringType": { "MLStringType": {
"oneOf": [{"type": "string"}, "oneOf": [{"type": "string"},
{"type": "object", {"type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"translation-id": {"type": "string"}}, "translation-id": {"type": "string"}},
"required": ["value"], "required": ["value"],
"additionalProperties":false}]}, "additionalProperties":false}]},
"PositiveFloatType": {"type": "number","minimum": 0}, "PositiveFloatType": {"type": "number", "minimum": 0},
"PAddressType": {"$ref": "#/definitions/MLStringType"}, "PAddressType": {"$ref": "#/definitions/MLStringType"},
"ExtensionType": { "ExtensionType": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"dtype":{"enum":["boolean","byte","bytes","character", "json", "dtype":{"enum":["boolean", "byte", "bytes",
"date-time","ntpstamp","integer","portlist","real","string", "character", "json", "date-time", "ntpstamp",
"file","path","frame","packet","ipv4-packet","ipv6-packet", "integer", "portlist", "real", "string", "file",
"url", "csv","winreg","xml","ext-value"],"default": "string"}, "path", "frame", "packet", "ipv4-packet",
"ipv6-packet", "url", "csv", "winreg",
"xml", "ext-value"], "default": "string"},
"ext-dtype": {"type": "string"}, "ext-dtype": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"formatid": {"type": "string"}, "formatid": {"type": "string"},
"restriction": { "restriction": {
"$ref": "#/definitions/restriction","default": "private"}, "$ref": "#/definitions/restriction", "default":
"private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["value","dtype"], "required": ["value", "dtype"],
"additionalProperties":false}, "additionalProperties":false},
"ExtensionTypeList": { "ExtensionTypeList": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1}, "minItems": 1},
"SoftwareType": { "SoftwareType": {
"type": "object", "type": "object",
"properties": { "properties": {
"SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "SoftwareReference":{
"$ref":"#/definitions/SoftwareReference"},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype", "items": {"$ref": "#/definitions/URLtype",
"minItems": 1}}, "minItems": 1}},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1 }}, "minItems": 1 }},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"SoftwareReference": { "SoftwareReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "spec-name": {"enum": ["custom", "cpe", "swid",
"ext-value"]},
"ext-spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"},
"dtype": {"enum": ["bytes","integer","real","string","xml", "dtype": {"enum": ["bytes", "integer", "real", "string",
"ext-value"] , "default": "string"}, "xml", "ext-value"], "default": "string"},
"ext-dtype": {"type": "string"}}, "ext-dtype": {"type": "string"}},
"required": ["spec-name"], "required": ["spec-name"],
"additionalProperties": false}, "additionalProperties": false},
"StructuredInfo": { "STRUCTUREDINFO": {
"type": "object", "type": "object",
"properties": { "properties": {
"SpecID": {"$ref":"#/definitions/SpecID"}, "SpecID": {"$ref":"#/definitions/SpecID"},
"ext-SpecID": {"type": "string"}, "ext-SpecID": {"type": "string"},
"ContentID": {"type": "string"}, "ContentID": {"type": "string"},
"RawData": { "RawData": {
"type": "array", "type": "array",
"items": {"$ref":"#/definitions/BYTE"}, "items": {"$ref":"#/definitions/BYTE"},
"minItems": 1 "minItems": 1
}, },
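Review bot: The new `URLtype` pattern is split across two lines inside the string literal (`...(\\?([^#]*))` followed by `?(#(.*))?"},`), and a raw line break inside a JSON string is not valid JSON, so the schema as printed in the sourcecode block would not load in a validator. Keep the literal on one line as the old side did, `"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},`, outdenting it if the line-width limit is the reason for the wrap. The same hunk changes `$schema` to `https://json-schema.org/draft-04/schema#`; the draft-04 meta-schema is identified by the `http://` form, and validators that select the dialect by exact string match may not recognise the new value, so I would restore `"$schema": "http://json-schema.org/draft-04/schema#"`. Both matter because implementers are likely to copy this schema to validate incident reports received from other parties, and a schema that fails to parse or is evaluated under a different draft weakens that check. The schema continues past this hunk, so the rest of it is not covered by this note.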
skipping to change at line 2551 skipping to change at line 3718
"purpose": {"$ref": "#/definitions/purpose"}, "purpose": {"$ref": "#/definitions/purpose"},
"ext-purpose": {"type": "string"}, "ext-purpose": {"type": "string"},
"status": {"$ref": "#/definitions/status"}, "status": {"$ref": "#/definitions/status"},
"ext-status": {"type": "string"}, "ext-status": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "AlternativeID": {
"$ref":"#/definitions/AlternativeID"},
"RelatedActivity": { "RelatedActivity": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/RelatedActivity"}, "items": {"$ref": "#/definitions/RelatedActivity"},
"minItems": 1}, "minItems": 1},
"DetectTime": {"$ref": "#/definitions/DATETIME"}, "DetectTime": {"$ref": "#/definitions/DATETIME"},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
"ReportTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"},
"GenerationTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"},
skipping to change at line 2591 skipping to change at line 3759
"minItems": 1}, "minItems": 1},
"EventData": { "EventData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/EventData"}, "items": {"$ref": "#/definitions/EventData"},
"minItems": 1}, "minItems": 1},
"Indicator": { "Indicator": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Indicator"}, "items": {"$ref": "#/definitions/Indicator"},
"minItems": 1}, "minItems": 1},
"History": {"$ref": "#/definitions/History"}, "History": {"$ref": "#/definitions/History"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"required": ["IncidentID","GenerationTime","Contact","purpose"], "$ref":"#/definitions/ExtensionTypeList"}},
"required": ["IncidentID", "GenerationTime", "Contact",
"purpose"],
"additionalProperties": false}, "additionalProperties": false},
"IncidentID": { "IncidentID": {
"title": "IncidentID", "title": "IncidentID",
"description": "JSON schema for IncidentID class", "description": "JSON schema for IncidentID class",
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"instance": {"type": "string"}, "instance": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}}, "ext-restriction": {"type": "string"}},
"required": ["id","name"], "required": ["id", "name"],
"additionalProperties": false}, "additionalProperties": false},
"AlternativeID": { "AlternativeID": {
"title": "AlternativeID", "title": "AlternativeID",
"description": "JSON schema for AlternativeID class", "description": "JSON schema for AlternativeID class",
"type": "object", "type": "object",
"properties": { "properties": {
"IncidentID": { "IncidentID": {
"type": "array", "type": "array",
"items":{"$ref": "#/definitions/IncidentID"}, "items":{"$ref": "#/definitions/IncidentID"},
"minItems": 1}, "minItems": 1},
skipping to change at line 2651 skipping to change at line 3821
"minItems": 1}, "minItems": 1},
"IndicatorID": { "IndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorID"}, "items": {"$ref": "#/definitions/IndicatorID"},
"minItems": 1}, "minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref": "#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"ThreatActor": { "ThreatActor": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ThreatActorID": { "ThreatActorID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"additionalProperties": false}, "additionalProperties": false},
"Campaign": { "Campaign": {
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"CampaignID": { "CampaignID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}}},
"Contact": { "Contact": {
"type": "object", "type": "object",
"properties": { "properties": {
"role": { "role": {
"enum":["creator","reporter","admin","tech","provider","user", "enum":["creator", "reporter", "admin", "tech",
"billing","legal","irt","abuse","cc","cc-irt","leo", "provider", "user", "billing", "legal",
"vendor","vendor-support","victim","victim-notified", "irt", "abuse", "cc", "cc-irt", "leo",
"ext-value"]}, "vendor", "vendor-support", "victim",
"victim-notified", "ext-value"]},
"ext-role": {"type": "string"}, "ext-role": {"type": "string"},
"type": {"enum": ["person","organization","ext-value"]}, "type": {
"enum": ["person", "organization", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"ContactName": { "ContactName": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"ContactTitle": { "ContactTitle": {
"type": "array", "type": "array",
skipping to change at line 2737 skipping to change at line 3912
"minItems": 1}, "minItems": 1},
"Telephone": { "Telephone": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Telephone"}, "items": {"$ref": "#/definitions/Telephone"},
"minItems": 1}, "minItems": 1},
"Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Timezone": {"$ref": "#/definitions/TimeZonetype"},
"Contact": { "Contact": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Contact"}, "items": {"$ref": "#/definitions/Contact"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"required": ["role","type"], "$ref":"#/definitions/ExtensionTypeList"}},
"required": ["role", "type"],
"additionalProperties": false}, "additionalProperties": false},
"RegistryHandle": { "RegistryHandle": {
"type": "object", "type": "object",
"properties": { "properties": {
"handle": {"type": "string"}, "handle": {"type": "string"},
"registry": { "registry": {
"enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "enum": ["internic", "apnic", "arin", "lacnic",
"local","ext-value"]}, "ripe", "afrinic", "local", "ext-value"]},
"ext-registry": {"type": "string"}}, "ext-registry": {"type": "string"}},
"required": ["handle","registry"], "required": ["handle", "registry"],
"additionalProperties": false}, "additionalProperties": false},
"PostalAddress": { "PostalAddress": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum": ["street","mailing","ext-value"]}, "enum": ["street", "mailing", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"PAddress": {"$ref": "#/definitions/PAddressType"}, "PAddress": {"$ref": "#/definitions/PAddressType"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["PAddress"], "required": ["PAddress"],
"additionalProperties": false}, "additionalProperties": false},
"Email": { "Email": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["direct","hotline","ext-value"]}, "enum":["direct", "hotline", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"EmailTo": {"type": "string"}, "EmailTo": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["EmailTo"], "required": ["EmailTo"],
"additionalProperties": false}, "additionalProperties": false},
"Telephone": { "Telephone": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"enum":["wired","mobile","fax","hotline","ext-value"]}, "enum":["wired", "mobile", "fax", "hotline",
"ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"TelephoneNumber": {"type": "string"}, "TelephoneNumber": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["TelephoneNumber"], "required": ["TelephoneNumber"],
"additionalProperties": false}, "additionalProperties": false},
"Discovery": { "Discovery": {
"type": "object", "type": "object",
"properties": { "properties": {
"source": { "source": {
"enum":["nidps","hips","siem","av","third-party-monitoring", "enum":["nidps", "hips", "siem", "av",
"incident","os-log","application-log","device-log", "third-party-monitoring", "incident", "os-log",
"network-flow","passive-dns","investigation","audit", "application-log", "device-log", "network-flow",
"internal-notification","external-notification","leo", "passive-dns", "investigation", "audit",
"partner","actor","unknown","ext-value"]}, "internal-notification", "external-notification",
"leo", "partner", "actor", "unknown", "ext-value"]},
"ext-source": {"type": "string"}, "ext-source": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"Contact": { "Contact": {
"type": "array", "type": "array",
skipping to change at line 2854 skipping to change at line 4032
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"AttackPattern": { "AttackPattern": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"}, "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1}, "minItems": 1},
"Vulnerability": { "Vulnerability": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"}, "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1}, "minItems": 1},
"Weakness": { "Weakness": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/StructuredInfo"}, "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Reference": { "Reference": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ReferenceName": {"$ref":"#/definitions/ReferenceName"}, "ReferenceName": {
"$ref":"#/definitions/ReferenceName"},
"URL":{ "URL":{
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/URLtype"}, "items":{"$ref":"#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ReferenceName" : { "ReferenceName" : {
"type": "object", "type": "object",
"properties": { "properties": {
"specIndex": {"type": "number"}, "specIndex": {"type": "number"},
"ID": {"$ref":"#/definitions/IDtype"}}, "ID": {"$ref":"#/definitions/IDtype"}},
"required": ["specIndex","ID"], "required": ["specIndex", "ID"],
"additionalProperties": false}, "additionalProperties": false},
"Assessment": { "Assessment": {
"type": "object", "type": "object",
"properties": { "properties": {
"occurrence": {"enum":["actual","potential"]}, "occurrence": {"enum":["actual", "potential"]},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"IncidentCategory": { "IncidentCategory": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"Impact": { "Impact": {
"type": "array", "type": "array",
"items": { "items": {
"properties": { "properties": {
"SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "SystemImpact":{
"BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "$ref":"#/definitions/SystemImpact"},
"BusinessImpact":{
"$ref":"#/definitions/BusinessImpact"},
"TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
"MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "MonetaryImpact":{
"IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, "$ref":"#/definitions/MonetaryImpact"},
"IntendedImpact":{
"$ref":"#/definitions/BusinessImpact"}},
"additionalProperties":false}, "additionalProperties":false},
"minItems" : 1 "minItems" : 1
}, },
"Counter": { "Counter": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Counter"}, "items": {"$ref": "#/definitions/Counter"},
"minItems": 1}, "minItems": 1},
"MitigatingFactor": { "MitigatingFactor": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"Cause": { "Cause": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Impact"], "required": ["Impact"],
"additionalProperties": false}, "additionalProperties": false},
"SystemImpact": { "SystemImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": {"enum":["low","medium","high"]}, "severity": {"enum":["low", "medium", "high"]},
"completion": {"enum":["failed","succeeded"]}, "completion": {"enum":["failed", "succeeded"]},
"type": { "type": {
"enum":["takeover-account","takeover-service", "enum":["takeover-account", "takeover-service",
"takeover-system","cps-manipulation","cps-damage", "takeover-system", "cps-manipulation", "cps-damage",
"availability-data","availability-account", "availability-data", "availability-account",
"availability-service","availability-system", "availability-service", "availability-system",
"damaged-system","damaged-data","breach-proprietary", "damaged-system", "damaged-data",
"breach-privacy","breach-credential", "breach-proprietary", "breach-privacy",
"breach-configuration","integrity-data", "breach-credential", "breach-configuration",
"integrity-configuration","integrity-hardware", "integrity-data", "integrity-configuration",
"traffic-redirection","monitoring-traffic", "integrity-hardware", "traffic-redirection",
"monitoring-host","policy","unknown","ext-value"]}, "monitoring-traffic", "monitoring-host",
"policy", "unknown", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"BusinessImpact": { "BusinessImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"severity": {"enum":["none","low","medium","high","unknown", "severity": {"enum":["none", "low", "medium", "high",
"ext-value"],"default": "unknown"}, "unknown", "ext-value"], "default": "unknown"},
"ext-severity": {"type":"string"}, "ext-severity": {"type":"string"},
"type": {"enum":["breach-proprietary","breach-privacy", "type": {"enum":["breach-proprietary",
"breach-credential","loss-of-integrity","loss-of-service", "breach-privacy", "breach-credential",
"theft-financial","theft-service","degraded-reputation", "loss-of-integrity", "loss-of-service",
"asset-damage","asset-manipulation","legal","extortion", "theft-financial", "theft-service",
"unknown","ext-value"]}, "degraded-reputation", "asset-damage",
"asset-manipulation", "legal", "extortion",
"unknown", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["type"], "required": ["type"],
"additionalProperties": false}, "additionalProperties": false},
"TimeImpact": { "TimeImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"}, "value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low", "medium", "high"]},
"metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "metric": {"enum": ["labor", "elapsed", "downtime",
"ext-value"]},
"ext-metric": {"type": "string"}, "ext-metric": {"type": "string"},
"duration": {"$ref":"#/definitions/duration","default": "hour"}, "duration": {
"$ref":"#/definitions/duration", "default": "hour"},
"ext-duration": {"type": "string"}}, "ext-duration": {"type": "string"}},
"required": ["value","metric"], "required": ["value", "metric"],
"additionalProperties": false}, "additionalProperties": false},
"MonetaryImpact": { "MonetaryImpact": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"$ref": "#/definitions/PositiveFloatType"}, "value": {"$ref": "#/definitions/PositiveFloatType"},
"severity": {"enum":["low","medium","high"]}, "severity": {"enum":["low", "medium", "high"]},
"currency": {"type": "string"}}, "currency": {"type": "string"}},
"required": ["value"], "required": ["value"],
"additionalProperties": false}, "additionalProperties": false},
"Confidence": { "Confidence": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"type": "number"},
"rating": {"enum": ["low","medium","high","numeric","unknown", "rating": {"enum": ["low", "medium", "high", "numeric",
"ext-value"]}, "unknown", "ext-value"]},
"ext-rating": {"type":"string"}}, "ext-rating": {"type":"string"}},
"required": ["value","rating"], "required": ["value", "rating"],
"additionalProperties": false}, "additionalProperties": false},
"History": { "History": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"HistoryItem": { "HistoryItem": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/HistoryItem"}, "items": {"$ref": "#/definitions/HistoryItem"},
"minItems": 1}}, "minItems": 1}},
"required": ["HistoryItem"], "required": ["HistoryItem"],
"additionalProperties": false}, "additionalProperties": false},
"HistoryItem": { "HistoryItem": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref": "#/definitions/action","default": "other"}, "action": {
"$ref": "#/definitions/action", "default": "other"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"DateTime": {"$ref": "#/definitions/DATETIME"}, "DateTime": {"$ref": "#/definitions/DATETIME"},
"IncidentID": {"$ref": "#/definitions/IncidentID"}, "IncidentID": {"$ref": "#/definitions/IncidentID"},
"Contact": {"$ref": "#/definitions/Contact"}, "Contact": {"$ref": "#/definitions/Contact"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"DefinedCOA": { "DefinedCOA": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"required": ["DateTime","action"], "$ref":"#/definitions/ExtensionTypeList"}},
"required": ["DateTime", "action"],
"additionalProperties": false}, "additionalProperties": false},
"EventData": { "EventData": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": {"type": "array", "Description": {"type": "array",
"items": { "$ref":"#/definitions/MLStringType"}}, "items": { "$ref":"#/definitions/MLStringType"}},
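Review bot: The `items` schema under `Assessment`/`Impact` declares `properties` and `"additionalProperties":false` but no `"type": "object"`, so a bare string or number, or an empty `{}`, is accepted as an impact entry. Those two keywords constrain only object instances, which means `"required": ["Impact"]` can be satisfied by a report that carries no impact information at all. Adding `"type": "object", "minProperties": 1` to that `items` schema closes the gap without changing which impact classes are allowed. The enclosing definitions object starts and ends outside this hunk.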
skipping to change at line 3076 skipping to change at line 4268
"items": {"$ref": "#/definitions/Expectation"}, "items": {"$ref": "#/definitions/Expectation"},
"minItems": 1}, "minItems": 1},
"RecordData": { "RecordData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/RecordData"}, "items": {"$ref": "#/definitions/RecordData"},
"minItems": 1}, "minItems": 1},
"EventData": { "EventData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/EventData"}, "items": {"$ref": "#/definitions/EventData"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"Expectation": { "Expectation": {
"type": "object", "type": "object",
"properties": { "properties": {
"action": {"$ref":"#/definitions/action","default": "other"}, "action": {
"$ref":"#/definitions/action", "default": "other"},
"ext-action": {"type": "string"}, "ext-action": {"type": "string"},
"severity": {"enum": ["low","medium","high"]}, "severity": {"enum": ["low", "medium", "high"]},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "default"}, "default": "default"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"DefinedCOA": { "DefinedCOA": {
"type": "array", "type": "array",
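Review bot: `"required": []` at the end of the definition that closes in this hunk is not a valid value under JSON Schema draft-04, which requires the array to have at least one element. The same form appears in later hunks, for example `Expectation` and `ServiceName`. The `$schema` declaration is outside this view, so the draft should be confirmed. If it is draft-04, a strict validator can reject the schema when loading it, and a consumer that ignores that error would process incoming reports unvalidated. Omitting the keyword where nothing is required means the same thing and is valid in every draft.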
skipping to change at line 3106 skipping to change at line 4300
"minItems": 1}, "minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Contact": {"$ref": "#/definitions/Contact"}}, "Contact": {"$ref": "#/definitions/Contact"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"System": { "System": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum": ["source","target","intermediate","sensor", "enum": ["source", "target", "intermediate", "sensor",
"infrastructure","ext-value"]}, "infrastructure", "ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"interface": {"type": "string"}, "interface": {"type": "string"},
"spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, "spoofed": {
"virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, "enum": ["unknown", "yes", "no"], "default":"unknown"},
"virtual": {
"enum": ["yes", "no", "unknown"], "default":"unknown"},
"ownership": { "ownership": {
"enum":["organization","personal","partner","customer", "enum":["organization", "personal", "partner",
"no-relationship","unknown","ext-value"]}, "customer", "no-relationship", "unknown",
"ext-value"]},
"ext-ownership": {"type": "string"}, "ext-ownership": {"type": "string"},
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Node": {"$ref": "#/definitions/Node"}, "Node": {"$ref": "#/definitions/Node"},
"NodeRole": { "NodeRole": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/NodeRole"}, "items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1}, "minItems": 1},
skipping to change at line 3145 skipping to change at line 4342
"items": {"$ref": "#/definitions/Counter"}, "items": {"$ref": "#/definitions/Counter"},
"minItems": 1}, "minItems": 1},
"AssetID": { "AssetID": {
"type": "array", "type": "array",
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["Node"], "required": ["Node"],
"additionalProperties": false}, "additionalProperties": false},
"Node": { "Node": {
"type": "object", "type": "object",
"properties": { "properties": {
"DomainData": { "DomainData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/DomainData"}, "items": {"$ref": "#/definitions/DomainData"},
"minItems": 1}, "minItems": 1},
"Address": { "Address": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Address"}, "items": {"$ref": "#/definitions/Address"},
"minItems": 1}, "minItems": 1},
"PostalAddress": {"$ref": "#/definitions/PostalAddress"}, "PostalAddress": {
"$ref": "#/definitions/PostalAddress"},
"Location": { "Location": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"Counter": { "Counter": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/Counter"}, "items":{"$ref":"#/definitions/Counter"},
"minItems": 1}}, "minItems": 1}},
"anyOf": [ "anyOf": [
{"required": ["DomainData"]}, {"required": ["DomainData"]},
{"required": ["Address"]} {"required": ["Address"]}
], ],
"additionalProperties": false}, "additionalProperties": false},
"Address": { "Address": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"category": { "category": {
"enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
"ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
"ipv6-net-masked","mac","site-uri","ext-value"], "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
"default": "ipv6-addr"}, "ext-value"], "default": "ipv6-addr"},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"vlan-name": {"type": "string"}, "vlan-name": {"type": "string"},
"vlan-num": {"type": "number"}, "vlan-num": {"type": "number"},
"observable-id": {"$ref": "#/definitions/IDtype"}}, "observable-id": {"$ref": "#/definitions/IDtype"}},
"required": ["value","category"], "required": ["value", "category"],
"additionalProperties": false}, "additionalProperties": false},
"NodeRole": { "NodeRole": {
"type": "object", "type": "object",
"properties": { "properties": {
"category": { "category": {
"enum":["client","client-enterprise","client-partner", "enum":["client", "client-enterprise",
"client-remote","client-kiosk","client-mobile", "client-partner", "client-remote", "client-kiosk",
"server-internal","server-public","www","mail","webmail", "client-mobile", "server-internal", "server-public",
"messaging","streaming","voice","file","ftp","p2p","name", "www", "mail", "webmail", "messaging", "streaming",
"directory","credential","print","application","database", "voice", "file", "ftp", "p2p", "name", "directory",
"backup","dhcp","assessment","source-control", "credential", "print", "application", "database",
"config-management","monitoring","infra","infra-firewall", "backup", "dhcp", "assessment", "source-control",
"infra-router","infra-switch","camera","proxy", "config-management", "monitoring", "infra",
"remote-access","log","virtualization","pos", "scada", "infra-firewall", "infra-router", "infra-switch",
"scada-supervisory","sinkhole","honeypot","anomyzation", "camera", "proxy", "remote-access", "log",
"c2-server","malware-distribution","drop-server", "virtualization", "pos", "scada",
"hop-point","reflector","phishing-site", "scada-supervisory", "sinkhole", "honeypot",
"spear-phishing-site","recruiting-site","fraudulent-site", "anomyzation", "c2-server", "malware-distribution",
"drop-server", "hop-point", "reflector",
"phishing-site", "spear-phishing-site",
"recruiting-site", "fraudulent-site",
"ext-value"]}, "ext-value"]},
"ext-category": {"type": "string"}, "ext-category": {"type": "string"},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": ["category"], "required": ["category"],
"additionalProperties": false}, "additionalProperties": false},
"Counter": { "Counter": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "number"}, "value": {"type": "number"},
"type": {"enum": ["count","peak","average","ext-value"]}, "type": {
"enum": ["count", "peak", "average", "ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"unit":{"enum":["byte","mbit","packet","flow","session","alert", "unit":{"enum":["byte", "mbit", "packet", "flow",
"message","event","host","site","organization","ext-value"]}, "session", "alert", "message", "event", "host",
"site", "organization", "ext-value"]},
"ext-unit": {"type": "string"}, "ext-unit": {"type": "string"},
"meaning": {"type": "string"}, "meaning": {"type": "string"},
"duration": {"$ref":"#/definitions/duration","default": "hour"}, "duration": {
"$ref":"#/definitions/duration", "default": "hour"},
"ext-duration": {"type": "string"}}, "ext-duration": {"type": "string"}},
"required": ["value","type","unit"], "required": ["value", "type", "unit"],
"additionalProperties": false}, "additionalProperties": false},
"DomainData": { "DomainData": {
"type": "object", "type": "object",
"properties": { "properties": {
"system-status": { "system-status": {
"enum": ["spoofed","fraudulent","innocent-hacked", "enum": ["spoofed", "fraudulent", "innocent-hacked",
"innocent-hijacked","unknown","ext-value"]}, "innocent-hijacked", "unknown", "ext-value"]},
"ext-system-status": {"type": "string"}, "ext-system-status": {"type": "string"},
"domain-status": { "domain-status": {
"enum": [ "reservedDelegation","assignedAndActive", "enum": [ "reservedDelegation", "assignedAndActive",
"assignedAndInactive","assignedAndOnHold","revoked", "assignedAndInactive", "assignedAndOnHold",
"transferPending","registryLock","registrarLock", "revoked", "transferPending",
"other","unknown","ext-value"]}, "registryLock", "registrarLock",
"other", "unknown", "ext-value"]},
"ext-domain-status": {"type": "string"}, "ext-domain-status": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Name": {"type": "string"}, "Name": {"type": "string"},
"DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "DateDomainWasChecked": {
"RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "$ref": "#/definitions/DATETIME"},
"RegistrationDate": {
"$ref": "#/definitions/DATETIME"},
"ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
"RelatedDNS": { "RelatedDNS": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1}, "minItems": 1},
"NameServers": { "NameServers": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/NameServers"}, "items": {"$ref": "#/definitions/NameServers"},
"minItems": 1}, "minItems": 1},
"DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, "DomainContacts": {
"required": ["Name","system-status","domain-status"], "$ref": "#/definitions/DomainContacts"}},
"required": ["Name", "system-status", "domain-status"],
"additionalProperties": false}, "additionalProperties": false},
"NameServers": { "NameServers": {
"type": "object", "type": "object",
"properties": { "properties": {
"Server": {"type": "string"}, "Server": {"type": "string"},
"Address": { "Address": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/Address"}, "items":{"$ref":"#/definitions/Address"},
"minItems": 1}}, "minItems": 1}},
"required": ["Server","Address"], "required": ["Server", "Address"],
"additionalProperties": false}, "additionalProperties": false},
"DomainContacts": { "DomainContacts": {
"type": "object", "type": "object",
"properties": { "properties": {
"SameDomainContact": {"type": "string"}, "SameDomainContact": {"type": "string"},
"Contact": { "Contact": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/Contact"}, "items":{"$ref":"#/definitions/Contact"},
"minItems": 1}}, "minItems": 1}},
"oneOf": [ "oneOf": [
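Review bot: The `NodeRole` `category` enum contains `"anomyzation"`, which looks like a misspelling of `anonymization` and is carried unchanged onto the new side. Because `enum` matching is exact, a sender using the correct spelling would fail validation, while the misspelled token becomes the only accepted value. Please check it against the data model's enumerated value and correct it to `"anonymization"` if that is what the model defines.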
skipping to change at line 3292 skipping to change at line 4501
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"ServiceName": {"$ref": "#/definitions/ServiceName"}, "ServiceName": {"$ref": "#/definitions/ServiceName"},
"Port": {"type": "number"}, "Port": {"type": "number"},
"Portlist": {"$ref": "#/definitions/PortlistType"}, "Portlist": {"$ref": "#/definitions/PortlistType"},
"ProtoCode": {"type": "number"}, "ProtoCode": {"type": "number"},
"ProtoType": {"type": "number"}, "ProtoType": {"type": "number"},
"ProtoField": {"type": "number"}, "ProtoField": {"type": "number"},
"ApplicationHeaderField":{ "ApplicationHeaderField":{
"$ref":"#/definitions/ExtensionTypeList"}, "$ref":"#/definitions/ExtensionTypeList"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Application": {"$ref": "#/definitions/SoftwareType"}}, "Application": {
"$ref": "#/definitions/SoftwareType"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"ServiceName": { "ServiceName": {
"type": "object", "type": "object",
"properties": { "properties": {
"IANAService": {"type": "string"}, "IANAService": {"type": "string"},
"URL": { "URL": {
"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "type": "array", "items": {
"$ref": "#/definitions/URLtype"}},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"EmailData": { "EmailData": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
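Review bot: `"Port": {"type": "number"}` accepts fractional, negative and out-of-range values, so the schema passes 70000.5 as a port. The same loose typing is used for `ProtoCode`, `ProtoType` and `ProtoField` here, and for `vlan-num` in the `Address` definition in the previous hunk. For the port, `"Port": {"type": "integer", "minimum": 0, "maximum": 65535}` keeps malformed values out of downstream parsers and correlation rules. The other fields would take `"type": "integer"` plus whatever bounds the data model gives them.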
skipping to change at line 3366 skipping to change at line 4577
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype"}, "items": {"$ref": "#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"FileData": { "FileData": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/FileData"}, "items": {"$ref": "#/definitions/FileData"},
"minItems": 1}, "minItems": 1},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"type": "array", "type": "array",
"items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, "items": {
"$ref":"#/definitions/WindowsRegistryKeysModified"},
"minItems": 1}, "minItems": 1},
"CertificateData": { "CertificateData": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/CertificateData"}, "items":{"$ref":"#/definitions/CertificateData"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"RecordPattern": { "RecordPattern": {
"type": "object", "type": "object",
"properties": { "properties": {
"value": {"type": "string"}, "value": {"type": "string"},
"type": {"enum": ["regex","binary","xpath","ext-value"], "type": {
"default": "regex"}, "enum": ["regex", "binary", "xpath", "ext-value"],
"default": "regex"},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"offset": {"type": "number"}, "offset": {"type": "number"},
"offsetunit": {"enum":["line","byte","ext-value"] , "offsetunit": {"enum":["line", "byte", "ext-value"] ,
"default": "line"}, "default": "line"},
"ext-offsetunit": {"type": "string"}, "ext-offsetunit": {"type": "string"},
"instance": {"type": "number"}}, "instance": {"type": "number"}},
"required": ["value","type"], "required": ["value", "type"],
"additionalProperties": false}, "additionalProperties": false},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"type": "object", "type": "object",
"properties": { "properties": {
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"Key": { "Key": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Key"}, "items": {"$ref": "#/definitions/Key"},
"minItems": 1}}, "minItems": 1}},
"required": ["Key"], "required": ["Key"],
"additionalProperties": false}, "additionalProperties": false},
"Key": { "Key": {
"type": "object", "type": "object",
"properties": { "properties": {
"registryaction": {"enum": ["add-key","add-value","delete-key", "registryaction": {"enum": ["add-key", "add-value",
"delete-value","modify-key","modify-value", "delete-key", "delete-value",
"modify-key", "modify-value",
"ext-value"]}, "ext-value"]},
"ext-registryaction": {"type": "string"}, "ext-registryaction": {"type": "string"},
"observable-id": {"$ref": "#/definitions/IDtype"}, "observable-id": {"$ref": "#/definitions/IDtype"},
"KeyName": {"type":"string"}, "KeyName": {"type":"string"},
"KeyValue": {"type": "string"}}, "KeyValue": {"type": "string"}},
"required": ["KeyName"], "required": ["KeyName"],
"additionalProperties": false}, "additionalProperties": false},
"CertificateData": { "CertificateData": {
"type": "object", "type": "object",
"properties": { "properties": {
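Review bot: `RecordPattern` accepts `value` as an unbounded string whose `type` defaults to `regex` and may also be `xpath`, and nothing in the schema limits its size. A consumer that compiles or evaluates this field is running sender-supplied expressions, so a pathological pattern can exhaust CPU during matching. A length cap in the schema, `"value": {"type": "string", "maxLength": <LIMIT>}` with a limit chosen by the deployment, narrows this. Consumers should also apply the pattern with a bounded-time matcher and never hand an `xpath` value to an engine with extension functions enabled.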
skipping to change at line 3463 skipping to change at line 4678
"FileType": {"type": "string"}, "FileType": {"type": "string"},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype"}, "items": {"$ref": "#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"HashData": {"$ref": "#/definitions/HashData"}, "HashData": {"$ref": "#/definitions/HashData"},
"Signature": { "Signature": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/BYTE"}, "items": {"$ref": "#/definitions/BYTE"},
"minItems": 1}, "minItems": 1},
"AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "AssociatedSoftware": {
"$ref": "#/definitions/SoftwareType"},
"FileProperties": { "FileProperties": {
"type":"array", "type":"array",
"items":{"$ref":"#/definitions/ExtensionType"}, "items":{"$ref":"#/definitions/ExtensionType"},
"minItems": 1}}, "minItems": 1}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"HashData": { "HashData": {
"type": "object", "type": "object",
"properties": { "properties": {
"scope": {"enum": ["file-contents","file-pe-section", "scope": {"enum": ["file-contents", "file-pe-section",
"file-pe-iat","file-pe-resource","file-pdf-object", "file-pe-iat", "file-pe-resource", "file-pdf-object",
"email-hash","email-headers-hash","email-body-hash", "email-hash", "email-headers-hash", "email-body-hash",
"ext-value"]}, "ext-value"]},
"HashTargetID": {"type": "string"}, "HashTargetID": {"type": "string"},
"Hash": { "Hash": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Hash"}, "items": {"$ref": "#/definitions/Hash"},
"minItems": 1}, "minItems": 1},
"FuzzyHash": { "FuzzyHash": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/FuzzyHash"}, "items": {"$ref": "#/definitions/FuzzyHash"},
"minItems": 1}}, "minItems": 1}},
"required": ["scope"], "required": ["scope"],
"additionalProperties": false}, "additionalProperties": false},
"Hash": { "Hash": {
"type": "object", "type": "object",
"properties": { "properties": {
"DigestMethod": {"$ref": "#/definitions/BYTE"}, "DigestMethod": {"$ref": "#/definitions/BYTE"},
"DigestValue": {"$ref": "#/definitions/BYTE"}, "DigestValue": {"$ref": "#/definitions/BYTE"},
"CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, "CanonicalizationMethod": {
"Application": {"$ref": "#/definitions/SoftwareType"}}, "$ref": "#/definitions/BYTE"},
"required": ["DigestMethod","DigestValue"], "Application": {
"$ref": "#/definitions/SoftwareType"}},
"required": ["DigestMethod", "DigestValue"],
"additionalProperties": false}, "additionalProperties": false},
"FuzzyHash": { "FuzzyHash": {
"type": "object", "type": "object",
"properties": { "properties": {
"FuzzyHashValue": { "FuzzyHashValue": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/ExtensionType"}, "items": {"$ref": "#/definitions/ExtensionType"},
"minItems": 1}, "minItems": 1},
"Application": {"$ref": "#/definitions/SoftwareType"}, "Application": {"$ref": "#/definitions/SoftwareType"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["FuzzyHashValue"], "required": ["FuzzyHashValue"],
"additionalProperties": false}, "additionalProperties": false},
"Indicator": { "Indicator": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AlternativeIndicatorID"}, "items": {
"$ref": "#/definitions/AlternativeIndicatorID"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"StartTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"},
"EndTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"},
"Confidence": {"$ref": "#/definitions/Confidence"}, "Confidence": {"$ref": "#/definitions/Confidence"},
"Contact": { "Contact": {
"type": "array", "type": "array",
skipping to change at line 3548 skipping to change at line 4768
"items": {"$ref": "#/definitions/NodeRole"}, "items": {"$ref": "#/definitions/NodeRole"},
"minItems": 1}, "minItems": 1},
"AttackPhase": { "AttackPhase": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/AttackPhase"}, "items": {"$ref": "#/definitions/AttackPhase"},
"minItems": 1}, "minItems": 1},
"Reference": { "Reference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Reference"}, "items": {"$ref": "#/definitions/Reference"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"allOf": [ "allOf": [
{"required": ["IndicatorID"]}, {"required": ["IndicatorID"]},
{"oneOf": [ {"oneOf": [
{"required":["Observable"]}, {"required":["Observable"]},
{"required":["uid-ref"]}, {"required":["uid-ref"]},
{"required":["IndicatorExpression"]}, {"required":["IndicatorExpression"]},
{"required":["IndicatorReference"]}]}], {"required":["IndicatorReference"]}]}],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorID": { "IndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"}, "name": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"required": ["id","name","version"], "required": ["id", "name", "version"],
"additionalProperties": false}, "additionalProperties": false},
"AlternativeIndicatorID": { "AlternativeIndicatorID": {
"type": "object", "type": "object",
"properties": { "properties": {
"restriction": {"$ref": "#/definitions/restriction", "restriction": {"$ref": "#/definitions/restriction",
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"IndicatorID": { "IndicatorID": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorID"}, "items": {"$ref": "#/definitions/IndicatorID"},
skipping to change at line 3591 skipping to change at line 4812
"default": "private"}, "default": "private"},
"ext-restriction": {"type": "string"}, "ext-restriction": {"type": "string"},
"System": {"$ref": "#/definitions/System"}, "System": {"$ref": "#/definitions/System"},
"Address": {"$ref": "#/definitions/Address"}, "Address": {"$ref": "#/definitions/Address"},
"DomainData": {"$ref": "#/definitions/DomainData"}, "DomainData": {"$ref": "#/definitions/DomainData"},
"EmailData": {"$ref": "#/definitions/EmailData"}, "EmailData": {"$ref": "#/definitions/EmailData"},
"Service": {"$ref": "#/definitions/Service"}, "Service": {"$ref": "#/definitions/Service"},
"WindowsRegistryKeysModified": { "WindowsRegistryKeysModified": {
"$ref": "#/definitions/WindowsRegistryKeysModified"}, "$ref": "#/definitions/WindowsRegistryKeysModified"},
"FileData": {"$ref": "#/definitions/FileData"}, "FileData": {"$ref": "#/definitions/FileData"},
"CertificateData": {"$ref": "#/definitions/CertificateData"}, "CertificateData": {
"RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "$ref": "#/definitions/CertificateData"},
"RegistryHandle": {
"$ref": "#/definitions/RegistryHandle"},
"RecordData": {"$ref": "#/definitions/RecordData"}, "RecordData": {"$ref": "#/definitions/RecordData"},
"EventData": {"$ref": "#/definitions/EventData"}, "EventData": {"$ref": "#/definitions/EventData"},
"Incident": {"$ref": "#/definitions/Incident"}, "Incident": {"$ref": "#/definitions/Incident"},
"Expectation": {"$ref": "#/definitions/Expectation"}, "Expectation": {"$ref": "#/definitions/Expectation"},
"Reference": {"$ref": "#/definitions/Reference"}, "Reference": {"$ref": "#/definitions/Reference"},
"Assessment": {"$ref": "#/definitions/Assessment"}, "Assessment": {"$ref": "#/definitions/Assessment"},
"DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "DetectionPattern": {
"$ref": "#/definitions/DetectionPattern"},
"HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
"BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "BulkObservable": {
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "$ref": "#/definitions/BulkObservable"},
"AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"oneOf": [ "oneOf": [
{"required":["System"]}, {"required":["System"]},
{"required":["Address"]}, {"required":["Address"]},
{"required":["DomainData"]}, {"required":["DomainData"]},
{"required":["EmailData"]}, {"required":["EmailData"]},
{"required":["Service"]}, {"required":["Service"]},
{"required":["WindowsRegistryKeysModified"]}, {"required":["WindowsRegistryKeysModified"]},
{"required":["FileData"]}, {"required":["FileData"]},
{"required":["CertificateData"]}, {"required":["CertificateData"]},
{"required":["RegistryHandle"]}, {"required":["RegistryHandle"]},
skipping to change at line 3627 skipping to change at line 4853
{"required":["Reference"]}, {"required":["Reference"]},
{"required":["Assessment"]}, {"required":["Assessment"]},
{"required":["DetectionPattern"]}, {"required":["DetectionPattern"]},
{"required":["HistoryItem"]}, {"required":["HistoryItem"]},
{"required":["BulkObservable"]}, {"required":["BulkObservable"]},
{"required":["AdditionalData"]}], {"required":["AdditionalData"]}],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservable": { "BulkObservable": {
"type": "object", "type": "object",
"properties": { "properties": {
"type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "type": {"enum": ["asn", "atm", "e-mail", "ipv4-addr",
"ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net",
"mac","site-uri","domain-name","domain-to-ipv4", "ipv6-net-mask", "mac", "site-uri", "domain-name",
"domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv4", "domain-to-ipv6",
"domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "domain-to-ipv4-timestamp",
"windows-reg-key","file-hash","email-x-mailer", "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port",
"email-subject","http-user-agent","http-request-url", "windows-reg-key", "file-hash", "email-x-mailer",
"mutex","file-path","user-name","ext-value"]}, "email-subject", "http-user-agent",
"http-request-url", "mutex", "file-path", "user-name",
"ext-value"]},
"ext-type": {"type": "string"}, "ext-type": {"type": "string"},
"BulkObservableFormat":{ "BulkObservableFormat":{
"$ref": "#/definitions/BulkObservableFormat"}, "$ref": "#/definitions/BulkObservableFormat"},
"BulkObservableList": {"type": "string"}, "BulkObservableList": {"type": "string"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": ["BulkObservableList"], "required": ["BulkObservableList"],
"additionalProperties": false}, "additionalProperties": false},
"BulkObservableFormat": { "BulkObservableFormat": {
"type": "object", "type": "object",
"properties": { "properties": {
"Hash": {"$ref": "#/definitions/Hash"}, "Hash": {"$ref": "#/definitions/Hash"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"oneOf": [ "oneOf": [
{"required": ["Hash"]}, {"required": ["Hash"]},
{"required": ["AdditionalData"]} {"required": ["AdditionalData"]}
], ],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorExpression": { "IndicatorExpression": {
"type": "object", "type": "object",
"properties": { "properties": {
"operator": {"enum": ["not","and","or","xor"],"default": "and"}, "operator": {
"enum": ["not", "and", "or", "xor"], "default": "and"},
"ext-operator": {"type": "string"}, "ext-operator": {"type": "string"},
"IndicatorExpression": { "IndicatorExpression": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorExpression"}, "items": {
"$ref": "#/definitions/IndicatorExpression"},
"minItems": 1}, "minItems": 1},
"Observable": { "Observable": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Observable"}, "items": {"$ref": "#/definitions/Observable"},
"minItems": 1}, "minItems": 1},
"uid-ref": { "uid-ref": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IDREFType"}, "items": {"$ref": "#/definitions/IDREFType"},
"minItems": 1}, "minItems": 1},
"IndicatorReference": { "IndicatorReference": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/IndicatorReference"}, "items": {
"$ref": "#/definitions/IndicatorReference"},
"minItems": 1}, "minItems": 1},
"Confidence": {"$ref":"#/definitions/Confidence"}, "Confidence": {"$ref":"#/definitions/Confidence"},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}, "additionalProperties": false},
"IndicatorReference": { "IndicatorReference": {
"type": "object", "type": "object",
"properties": { "properties": {
"uid-ref": {"$ref":"#/definitions/IDREFType"}, "uid-ref": {"$ref":"#/definitions/IDREFType"},
"euid-ref": {"type": "string"}, "euid-ref": {"type": "string"},
"version": {"type": "string"}}, "version": {"type": "string"}},
"oneOf": [ "oneOf": [
{"required": ["uid-ref"]}, {"required": ["uid-ref"]},
skipping to change at line 3703 skipping to change at line 4937
"items": {"type": "string"}, "items": {"type": "string"},
"minItems": 1}, "minItems": 1},
"URL": { "URL": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/URLtype"}, "items": {"$ref": "#/definitions/URLtype"},
"minItems": 1}, "minItems": 1},
"Description": { "Description": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/MLStringType"}, "items": {"$ref": "#/definitions/MLStringType"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"$ref":"#/definitions/ExtensionTypeList"}},
"required": [], "required": [],
"additionalProperties": false}}, "additionalProperties": false}},
"title": "IODEF-Document", "title": "IODEF-Document",
"description": "JSON schema for IODEF-Document class", "description": "JSON schema for IODEF-Document class",
"type": "object", "type": "object",
"properties": { "properties": {
"version": {"type": "string"}, "version": {"type": "string"},
"lang": {"$ref": "#/definitions/lang"}, "lang": {"$ref": "#/definitions/lang"},
"format-id": {"type": "string"}, "format-id": {"type": "string"},
"private-enum-name": {"type": "string"}, "private-enum-name": {"type": "string"},
"private-enum-id": {"type": "string"}, "private-enum-id": {"type": "string"},
"Incident": { "Incident": {
"type": "array", "type": "array",
"items": {"$ref": "#/definitions/Incident"}, "items": {"$ref": "#/definitions/Incident"},
"minItems": 1}, "minItems": 1},
"AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "AdditionalData": {
"required": ["version","Incident"], "$ref":"#/definitions/ExtensionTypeList"}},
"required": ["version", "Incident"],
"additionalProperties": false} "additionalProperties": false}
]]></artwork> ]]></sourcecode>
</figure> </figure>
</section> </section>
</back> <section anchor="Acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>We would like to thank <contact fullname="Henk Birkholz"/>, <contact
fullname="Carsten Bormann"/>, <contact fullname="Benjamin Kaduk"/>,
<contact fullname="Alexey Melnikov"/>, <contact fullname="Yasuaki
Morita"/>, and <contact fullname="Takahiko Nagata"/> for their
insightful comments on this document and CDDL.</t>
</section>
</back>
</rfc> </rfc>
 End of changes. 235 change blocks. 
1579 lines changed or deleted 2821 lines changed or added
