Skip to main content

JSON binding of IODEF
draft-ietf-mile-jsoniodef-01

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8727.
Authors Takeshi Takahashi , Mio Suzuki
Last updated 2017-11-11
Replaces draft-takahashi-mile-jsoniodef
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Became RFC 8727 (Proposed Standard)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-mile-jsoniodef-01
MILE                                                        T. Takahashi
Internet-Draft                                                 M. Suzuki
Intended status: Standards Track                                    NICT
Expires: May 14, 2018                                  November 10, 2017

                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-01

Abstract

   RFC 7970 [RFC7970] provides XML-based data representation on incident
   information, but the use of the IODEF data model is not limited to
   XML.  JSON representation is sometimes preferred since it is easy to
   handle from certain programming environments.  This draft represents
   the IODEF data model in JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 14, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Takahashi & Suzuki        Expires May 14, 2018                  [Page 1]
Internet-Draft                 JSON-IODEF                  November 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  IODEF Data Types  . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Integers  . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Real Numbers  . . . . . . . . . . . . . . . . . . . . . .   4
     2.3.  Characters and Strings  . . . . . . . . . . . . . . . . .   4
     2.4.  Multilingual Strings  . . . . . . . . . . . . . . . . . .   5
     2.5.  Binary Strings  . . . . . . . . . . . . . . . . . . . . .   5
       2.5.1.  Base64 Bytes  . . . . . . . . . . . . . . . . . . . .   5
       2.5.2.  Hexadecimal Bytes . . . . . . . . . . . . . . . . . .   5
     2.6.  Enumerated Types  . . . . . . . . . . . . . . . . . . . .   5
     2.7.  Date-Time String  . . . . . . . . . . . . . . . . . . . .   5
     2.8.  Timezone String . . . . . . . . . . . . . . . . . . . . .   6
     2.9.  Port Lists  . . . . . . . . . . . . . . . . . . . . . . .   6
     2.10. Postal Address  . . . . . . . . . . . . . . . . . . . . .   6
     2.11. Telephone Number  . . . . . . . . . . . . . . . . . . . .   6
     2.12. Email String  . . . . . . . . . . . . . . . . . . . . . .   6
     2.13. Uniform Resource Locator Strings  . . . . . . . . . . . .   6
     2.14. Identifiers and Identifier References . . . . . . . . . .   7
     2.15. Software  . . . . . . . . . . . . . . . . . . . . . . . .   7
     2.16. StructuredInfo  . . . . . . . . . . . . . . . . . . . . .   7
   3.  The IODEF Information Model in JSON . . . . . . . . . . . . .   8
     3.1.  IODEF-Document Class  . . . . . . . . . . . . . . . . . .   8
     3.2.  Incident Class  . . . . . . . . . . . . . . . . . . . . .   8
     3.3.  Common Attributes . . . . . . . . . . . . . . . . . . . .   9
       3.3.1.  restriction Attribute . . . . . . . . . . . . . . . .   9
       3.3.2.  observable-id Attribute . . . . . . . . . . . . . . .   9
     3.4.  IncidentID Class  . . . . . . . . . . . . . . . . . . . .   9
     3.5.  AlternativeID Class . . . . . . . . . . . . . . . . . . .  10
     3.6.  RelatedActivity Class . . . . . . . . . . . . . . . . . .  10
     3.7.  ThreatActor Class . . . . . . . . . . . . . . . . . . . .  11
     3.8.  Campaign Class  . . . . . . . . . . . . . . . . . . . . .  11
     3.9.  Contact Class . . . . . . . . . . . . . . . . . . . . . .  11
       3.9.1.  RegistryHandle Class  . . . . . . . . . . . . . . . .  12
       3.9.2.  PostalAddress Class . . . . . . . . . . . . . . . . .  12
       3.9.3.  Email Class . . . . . . . . . . . . . . . . . . . . .  12
       3.9.4.  Telephone Class . . . . . . . . . . . . . . . . . . .  13
     3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . .  13
       3.10.1.  DetectionPattern Class . . . . . . . . . . . . . . .  14
     3.11. Method Class  . . . . . . . . . . . . . . . . . . . . . .  14
       3.11.1.  Reference Class  . . . . . . . . . . . . . . . . . .  15
     3.12. Assessment Class  . . . . . . . . . . . . . . . . . . . .  15
       3.12.1.  SystemImpact Class . . . . . . . . . . . . . . . . .  15
       3.12.2.  BusinessImpact Class . . . . . . . . . . . . . . . .  16
       3.12.3.  TimeImpact Class . . . . . . . . . . . . . . . . . .  16
       3.12.4.  MonetaryImpact Class . . . . . . . . . . . . . . . .  17

Takahashi & Suzuki        Expires May 14, 2018                  [Page 2]
Internet-Draft                 JSON-IODEF                  November 2017

       3.12.5.  Confidence Class . . . . . . . . . . . . . . . . . .  17
     3.13. History Class . . . . . . . . . . . . . . . . . . . . . .  17
       3.13.1.  HistoryItem Class  . . . . . . . . . . . . . . . . .  18
     3.14. EventData Class . . . . . . . . . . . . . . . . . . . . .  18
     3.15. Expectation Class . . . . . . . . . . . . . . . . . . . .  19
     3.16. System Class  . . . . . . . . . . . . . . . . . . . . . .  19
     3.17. Node Class  . . . . . . . . . . . . . . . . . . . . . . .  20
       3.17.1.  Address Class  . . . . . . . . . . . . . . . . . . .  20
       3.17.2.  NodeRole Class . . . . . . . . . . . . . . . . . . .  20
       3.17.3.  Counter Class  . . . . . . . . . . . . . . . . . . .  21
     3.18. DomainData Class  . . . . . . . . . . . . . . . . . . . .  21
       3.18.1.  Nameserver Class . . . . . . . . . . . . . . . . . .  22
       3.18.2.  DomainContacts Class . . . . . . . . . . . . . . . .  22
     3.19. Service Class . . . . . . . . . . . . . . . . . . . . . .  22
       3.19.1.  ServiceName Class  . . . . . . . . . . . . . . . . .  23
       3.19.2.  ApplicationHeader Class  . . . . . . . . . . . . . .  23
     3.20. EmailData Class . . . . . . . . . . . . . . . . . . . . .  23
     3.21. Record Class  . . . . . . . . . . . . . . . . . . . . . .  24
       3.21.1.  RecordData Class . . . . . . . . . . . . . . . . . .  24
       3.21.2.  RecordPattern Class  . . . . . . . . . . . . . . . .  25
     3.22. WindowsRegistryKeysModified Class . . . . . . . . . . . .  25
       3.22.1.  Key Class  . . . . . . . . . . . . . . . . . . . . .  25
     3.23. CertificateData Class . . . . . . . . . . . . . . . . . .  26
       3.23.1.  Certificate Class  . . . . . . . . . . . . . . . . .  26
     3.24. FileData Class  . . . . . . . . . . . . . . . . . . . . .  27
       3.24.1.  File Class . . . . . . . . . . . . . . . . . . . . .  27
     3.25. HashData Class  . . . . . . . . . . . . . . . . . . . . .  27
       3.25.1.  Hash Class . . . . . . . . . . . . . . . . . . . . .  28
       3.25.2.  FuzzyHash Class  . . . . . . . . . . . . . . . . . .  28
     3.26. SignatureData Class . . . . . . . . . . . . . . . . . . .  28
     3.27. Indicator Class . . . . . . . . . . . . . . . . . . . . .  29
       3.27.1.  IndicatorID Class  . . . . . . . . . . . . . . . . .  30
       3.27.2.  AlternativeIndicatorID Class . . . . . . . . . . . .  30
       3.27.3.  Observable Class . . . . . . . . . . . . . . . . . .  30
       3.27.4.  BulkObservable Class . . . . . . . . . . . . . . . .  31
       3.27.5.  BulkObservableFormat Class . . . . . . . . . . . . .  31
       3.27.6.  IndicatorExpression Class  . . . . . . . . . . . . .  32
       3.27.7.  ObservableReference Class  . . . . . . . . . . . . .  32
       3.27.8.  IndicatorReference Class . . . . . . . . . . . . . .  32
       3.27.9.  AttackPhase Class  . . . . . . . . . . . . . . . . .  33
   4.  Notable differences from RFC 7970 (to be deleted) . . . . . .  33
   5.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  33
     5.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . .  33
     5.2.  Indicators from a Campaign  . . . . . . . . . . . . . . .  34
   6.  The IODEF Data Model (JSON Schema)  . . . . . . . . . . . . .  36
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  55
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  55
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  55

Takahashi & Suzuki        Expires May 14, 2018                  [Page 3]
Internet-Draft                 JSON-IODEF                  November 2017

   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  55
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  55
     10.2.  Informative References . . . . . . . . . . . . . . . . .  56
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  56

1.  Introduction

   RFC 7970 [RFC7970] defines an data model for sharing incident
   information.  It facilitates automated exchange of information among
   parties over networks.  The data model can be implemented in a form
   of XML, but it is not always suitable for implementation.  JSON-based
   representation is often useful.

   Therefore, in this document, we provide a means to represent IODEF
   data model in JSON.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

   The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the
   JSON IODEF, with some syntax changes for some of the types.

2.1.  Integers

   An integer is represented in the information model by the INTEGER
   data type.  Integer data MUST be encoded in Base 10, and is
   implemented as an "integer" type per JSON schema [jsonschema].

2.2.  Real Numbers

   A real (floating-point) number is represented in the information
   model by the REAL data type.  Real data MUST be encoded in Base 10,
   and is implemented in the data model as an "number" type per JSON
   schema [jsonschema].

2.3.  Characters and Strings

   A single character is represented in the information model by the
   CHARACTER data type.  A string is represented by the STRING data
   type.  Special characters MUST be encoded using entity references.The
   CHARACTER and STRING data types are implemented in the data model as
   an "string" type per JSON schema [jsonschema].

Takahashi & Suzuki        Expires May 14, 2018                  [Page 4]
Internet-Draft                 JSON-IODEF                  November 2017

2.4.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different than the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as an object with "value", "lang", and "translation-id"
   elements as defined in Section 6.  Examples are shown below.

   "MLStringType": {
     "value": "free-form text",                              //STRING
     "lang": "en",                                             //ENUM
     "translation-id": "jp2en0023"                           //STRING
   }

2.5.  Binary Strings

2.5.1.  Base64 Bytes

   A binary octet encoded with base64 is represented in the information
   model by the BYTE data type.  A sequence of these octets is of the
   BYTE[] data type.  The BYTE and BYTE[] data types are implemented in
   the data model as an "string" type per JSON schema [jsonschema].

2.5.2.  Hexadecimal Bytes

   A binary octet encoded as a character tuple consistent of two
   hexadecimal digits is represented in the information model by the
   HEXBIN data type.  A sequence of these octets is of the HEXBIN[] data
   type.  The HEXBIN and HEXBIN[] data types are implemented in the data
   model as an "string" type per JSON schema [jsonschema].

2.6.  Enumerated Types

   An enumerated type is represented in the information model by the
   ENUM data type.  It is an ordered list of acceptable string values.
   Each value has a representative keyword.  The ENUM data type is
   implemented in the data model as values of an enum array per JSON
   schema [jsonschema].

2.7.  Date-Time String

   A date-time string that describes a particular instant in time is
   represented in the information model by the DATETIME data type.
   Ranges are not supported.  The DATETIME data type is implemented in
   the data model as an "string" type per JSON schema [jsonschema].

Takahashi & Suzuki        Expires May 14, 2018                  [Page 5]
Internet-Draft                 JSON-IODEF                  November 2017

2.8.  Timezone String

   A timezone offset from UTC is represented in the information model by
   the TIMEZONE data type.  It is formatted according to the following
   regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".  The
   TIMEZONE data type is implemented in the data model as an "string"
   type per JSON schema [jsonschema].

2.9.  Port Lists

   A list of network ports is represented in the information model by
   the PORTLIST data type.  A PORTLIST consists of a comma-separated
   list of numbers and ranges (N-M means ports N through M, inclusive).
   It is formatted according to the following regular expression:
   "\d+(\-\d+)?(,\d+(\-\d+)?)*".  For example,
   "2,5-15,30,32,40-50,55-60".  The PORTLIST data type is implemented in
   the data model as an "string" type per JSON schema [jsonschema]

2.10.  Postal Address

   A postal address is represented in the information model by the
   POSTAL data type.  The format of the POSTAL data type is documented
   in Section 2.23 of [RFC4519] as a free-form multi-line string
   separated by the "$" character.  The POSTAL data type is implemented
   in the data model as the aforementioned ML_STRING type.

2.11.  Telephone Number

   A telephone number is represented in the information model by the
   PHONE data type.  The format of the PHONE data type is documented in
   [E.164].  The PHONE data type is implemented in the data model as an
   "string" type per JSON schema [jsonschema].

2.12.  Email String

   An email address is represented in the information model by the EMAIL
   data type.  The format of the EMAIL data type is documented in
   Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531].  The EMAIL
   data type is implemented in the data model as an "string" type per
   JSON schema [jsonschema].

2.13.  Uniform Resource Locator Strings

   A uniform resource locator (URL) is represented in the information
   model by the URL data type.  The format of the URL data type is
   documented in [RFC3986].

Takahashi & Suzuki        Expires May 14, 2018                  [Page 6]
Internet-Draft                 JSON-IODEF                  November 2017

   The URL data type is implemented as an "string" type per JSON schema
   [jsonschema].

2.14.  Identifiers and Identifier References

   An identifier unique to the IODEF document is represented in the
   information model by the ID data type.  A reference to this
   identifier is represented by the IDREF data type.  These data types
   are implemented in the model as an "string" type per JSON schema
   [jsonschema].

2.15.  Software

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a URL, or with free-form text.  The SOFTWARE data
   type is implemented as an object with "SoftwareReference", "URL", and
   "Description" elements as defined in Section 6.  Examples are shown
   below.

   "SoftwareType": {
     "SoftwareReference": {...},                  //SoftwareReference
     "Description": {"value":"MS Windows"},       //ML_STRING
   }

2.16.  StructuredInfo

   Information provided in a form of structured string, such as ID, or
   structured information, such as XML documents, is represented in the
   information model by the StructuredInfo data type.  Note that this
   type was originally specified in RFC7203.  The StructuredInfo data
   type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", "Reference" elements.  An example for
   embedding a structured ID is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                                          //ENUM
     "ContentID": "CVE-2007-5000",                           //STRING
   }

   When embedding the raw data, base64 conversion should be used for
   encoding the data, as shown below.

   "StructuredInformation": {
     "SpecID": "oval",                                         //ENUM
     "RawData": "<<<strings encoded with base64>>>",         //STRING
   }

Takahashi & Suzuki        Expires May 14, 2018                  [Page 7]
Internet-Draft                 JSON-IODEF                  November 2017

3.  The IODEF Information Model in JSON

   The data model of IODEF is defined in RFC 7970 [RFC7970], and this
   section illustrates their representations in JSON.  Note that the
   complete JSON schema is defined in Section 6.

3.1.  IODEF-Document Class

   This class is the top level class in the IODEF data model.  Its class
   elements and an example are shown below.  See Section 3.1 of RFC 7970
   [RFC7970] for the intended meanings of these elements.

   Class elements:

   version, lang?, format-id?, private-enum-name?, private-enum-id?,
   Incident+, AdditionalData*

   Example:

 "IODEF-Document": {
   "version": "2.1",                                       //STRING
   "lang": "en",                                             //ENUM
   "format-id": "RFC7970-json",                                 //STRING
   "Incident": [ ... ]                                   //Incident
 }

3.2.  Incident Class

   The Incident class describes commonly exchanged information when
   reporting or sharing derived analysis from security incidents.  Its
   class elements and an example are shown below.  See Section 3.2 of
   RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   purpose, ext-purpose?, status?, ext-status?, lang?, restriction?,
   ext-restriction?, observable-id?, IncidentID, AlternativeID?,
   RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?,
   ReportTime?, GenrationTime?, Description*, Discovery*, Assessment*,
   Method*, Contact+, EventData*, IndicatorData?, History?,
   AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                  [Page 8]
Internet-Draft                 JSON-IODEF                  November 2017

   "Incident": {
     "purpose": "reporting",                                   //ENUM
     "lang": "en",                                           //STRING
     "restriction": "green",                                   //ENUM
     "IncidentID": { ... },                        //IncidentID Class
     "RelatedActivity": [ ... ],              //RelatedActivity Class
     "GenerationTime": "2015-10-02T11:18:00-05:00",        //DateTime
     "Description": [{"value":"Incident in the HQ"}],     //ML_STRING
     "Assessment": [ ... ],                              //Assessment
     "Method": [ ... ],                                      //Method
     "Contact": [ ... ]                                     //Contact
     "EventData": [ ... ],                                //EventData
     "IndicatorData": { ... }                         //IndicatorData
     "History": { ... },                                    //History
     "AdditionalData": [ ... ],                      //AdditionalData
   }

3.3.  Common Attributes

   There are a number of recurring attributes used in the information
   model.  They are documented in this section.

3.3.1.  restriction Attribute

   RFC 7970 [RFC7970] defines the restriction Attribute as one of common
   attributes.  It is defined as below:

"restriction":{"enum": ["public", "partner", "need-to-know", "private",
              "default", "white", "green", "amber", "red", "ext-value"]}

   Note that you must use "ext-restriction" field (STRING type) when the
   value of "restriction" field is set to "ext-value".

3.3.2.  observable-id Attribute

   RFC 7970 [RFC7970] defines the observable-id attribute as one of
   common attributes.  The value of this attribute is a unique
   identifier, in string type, in the scope of the document.It is
   defined as below:

3.4.  IncidentID Class

   The class elements and an example are shown below.  See Section 3.4
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   id, name, instance?, restriction?, ext-restriction?

Takahashi & Suzuki        Expires May 14, 2018                  [Page 9]
Internet-Draft                 JSON-IODEF                  November 2017

   Example:

   "IncidentID": {
     "id": "nict20150518-0001",                             // STRING
     "name": "NICT_cert",                                   // STRING
     "instance": "cyberlab"                                 // STRING
     "restriction": "ext-value"                               // ENUM
     "ext-restriction": "registration required"             // STRING
   }

3.5.  AlternativeID Class

   The class elements and an example are shown below.  See Section 3.5
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, IncidentID+

   Example:

   "AltervativeID": {
     "restriction": "private",                                 //ENUM
     "IncidentID": [<<<omitted>>>]                       //IncidentID
   }

3.6.  RelatedActivity Class

   The class elements and an example are shown below.  See Section 3.6
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*,
   Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData*

   Example:

   "RelatedActivity": {
     "restriction": "private",                                 //ENUM
     "ThreatActor": [{...}],                      //ThreatActor class
     "Campaign": [{...}]                             //Campaign class
   }

Takahashi & Suzuki        Expires May 14, 2018                 [Page 10]
Internet-Draft                 JSON-IODEF                  November 2017

3.7.  ThreatActor Class

   The class elements and an example are shown below.  See Section 3.7
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, ThreatActorID*, URL*, Description*,
   AdditionalData*

   Example:

   "ThreatActor": {
     "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",          //STRING
     "Description": {"value":"Aggressive Butterfly"}      //ML_STRING
   }

3.8.  Campaign Class

   The class elements and an example are shown below.  See Section 3.8
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, CampaignID*, URL*, Description*,
   AdditionalData*

   Example:

   "Campaign": {
     "CampaignID": "C-2015-59405",                           //STRING
     "Description": {"value":"Orange Giraffe"}            //ML_STRING
   }

3.9.  Contact Class

   The class elements and an example are shown below.  See Section 3.9
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   role, ext-role?, type, ext-type?, restriction?, ext-restriction?,
   ContactName*, ContactTitle*, Description*, RegistryHandle*,
   PostalAddress*, Email*, Telephone*, Timezone?, Contact*,
   AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 11]
Internet-Draft                 JSON-IODEF                  November 2017

   "Contact": {
     "role": "creator",                                        //ENUM
     "type": "organization",                                   //ENUM
     "ContactName": {"value":"CSIRT for example.com"},    //ML_STRING
     "ContactTitle": {"value":"Senior Research Engineer"} //ML_STRING
     "email": {...},                                    //Email Class
     "Telephone": {...},                            //Telephone Class
     "Timezone": "+09:00"                                  //TIMEZONE
   }

3.9.1.  RegistryHandle Class

   The class elements and an example are shown below.  See Section 3.9.1
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   handle, registry, ext-registry?

   Example:

   "RegistryHandle": {
     "handle": "MyAPNIC",                                    //STRING
     "registry": "apnic",                                      //ENUM
   }

3.9.2.  PostalAddress Class

   The class elements and an example are shown below.  See Section 3.9.2
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   type?, ext-type?, PAddress, Description*

   Example:

   "PostalAddress": {
     "type": "mailing",                                        //ENUM
     "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan",     //POSTAL
     "Description": {"value":"Office address"}            //ML_STRING
   },

3.9.3.  Email Class

   The class elements and an example are shown below.  See Section 3.9.3
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

Takahashi & Suzuki        Expires May 14, 2018                 [Page 12]
Internet-Draft                 JSON-IODEF                  November 2017

   Class elements:

   type?, ext-type?, EmailTo, Description*

   Example:

   "Email": {
     "type": "direct",                                         //ENUM
     "emailTo": "contact@csirt.example.com",                  //EMAIL
     "Description": {"value":"Administrator's address"}   //ML_STRING
   },

3.9.4.  Telephone Class

   The class elements and an example are shown below.  See Section 3.9.4
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   type?, ext-type?, TelephoneNumber, Description*

   Example:

   "Telephone": {
     "type": "wired",                                          //ENUM
     "TelephoneNumber": "+818012345678",                      //PHONE
     "Description": {"value":"Admin's moble"}             //ML_STRING
   },

3.10.  Discovery Class

   The class elements and an example are shown below.  See Section 3.10
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   source?, ext-source?, restriction?, ext-restriction?, Description*,
   Contact*, DetectionPattern*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 13]
Internet-Draft                 JSON-IODEF                  November 2017

   "Discovery": {
     "source": "nidps",                                        //ENUM
     "restriction": "need-to-know"                             //ENUM
     "Contact": {...},                                //Contact class
     "DetectionPattern": {...},              //DetectionPattern class
     "Description":{"value":"IDS provided an alert"}      //ML_STRING
     }
   }

3.10.1.  DetectionPattern Class

   The class elements and an example are shown below.  See
   Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Application,
   Description*, DetectionConfiguration*

   Example:

   "DetectionPattern": {
     "Application": {...},                                 //SOFTWARE
     "Description": {"value":"The specified application
                    needs to be reviewed"},               //ML_STRING
     }
   }

3.11.  Method Class

   The class elements and an example are shown below.  See Section 3.11
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, Reference*, Description*,
   AttackPattern*, Vulnerability*, Weakness*

   Example:

   "Method": {
     "AttackPattern": {...}                          //StructuredInfo
     "Vulnerability": {...}                          //StructuredInfo
   }

Takahashi & Suzuki        Expires May 14, 2018                 [Page 14]
Internet-Draft                 JSON-IODEF                  November 2017

3.11.1.  Reference Class

   The class elements and an example are shown below.  See
   Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   observable-id?, ReferenceName?, URL*, Description*

   Example:

   "Reference":{
     "URL":"http://www.nict.go.jp"                              //URL
   }

3.12.  Assessment Class

   The class elements and an example are shown below.  See Section 3.12
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   occurence?, restriction?, ext-restriction?, observable-id?,
   IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*,
   MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*,
   Cause*, Confidence?, AdditionalData*

   Example:

   "Assessment": {
     "SystemImpact": {...},                      //SystemImpact class
     "BusinessImpact": {...},                  //BusinessImpact class
     "TimeImpact": {...},                          //TimeImpact class
     "MonetaryImpact": {...},                  //MonetaryImpact class
     "IntendedImpact": {...},                  //IntendedImpact class
     "Counter": "5",                                  //Counter class
     "MitigationFactor": {"value":"Rebooting is required"}//ML_STRING
     "Cause": {"value":"Malware Infection"}               //ML_STRING
     }
   }

3.12.1.  SystemImpact Class

   The class elements and an example are shown below.  See
   Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

Takahashi & Suzuki        Expires May 14, 2018                 [Page 15]
Internet-Draft                 JSON-IODEF                  November 2017

   Class elements:

   severity?, completion?, type, ext-type?, Description*

   Example:

   "SystemImpact":{
     "severity":"high",                                        //ENUM
     "completion": "successful"                                //ENUM
     "type":"integrity-data"                                   //ENUM
     "Description":{"value":"The web page was falsified"} //ML_STRING
   },

3.12.2.  BusinessImpact Class

   The class elements and an example are shown below.  See
   Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   severity?, ext-severity?, type, ext-type?, Description*

   Example:

   "BusinessImpact": {
     "severity":"medium",                                      //ENUM
     "completion": "successful"                                //ENUM
     "type": "degraded-reputation"                             //ENUM
     "Description":{"value":"The web page was falsified"} //ML_STRING
   }

3.12.3.  TimeImpact Class

   The class elements and an example are shown below.  See
   Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, severity?, metric, ext-metric?, duration?, ext-duration?

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 16]
Internet-Draft                 JSON-IODEF                  November 2017

   "TimeImpact":{
     "time": "240"                                             //REAL
     "metric": "elapsed"                                       //ENUM
     "duration": "minutes"                                     //ENUM
   }

3.12.4.  MonetaryImpact Class

   The class elements and an example are shown below.  See
   Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, severity?, currency?

   Example:

   "MonetaryImpact":{
     "money": "10000",                                         //REAL
     "severity": "medium",                                     //ENUM
     "currency": "USD",                                      //STRING
   }

3.12.5.  Confidence Class

   The class elements and an example are shown below.  See
   Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, rating, ext-rating?

   Example:

   "Confidence": {
     "value": "5"                                              //REAL
     "rating": "medium"                                        //ENUM
   }

3.13.  History Class

   The class elements and an example are shown below.  See Section 3.13
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 17]
Internet-Draft                 JSON-IODEF                  November 2017

   restriction?, ext-restriction?, HistoryItem+

   Example:

   "History": {
     "restriction": "need-to-know"                             //ENUM
     "HistoryItem": { ... }                       //HistoryItem class
   },

3.13.1.  HistoryItem Class

   The class elements and an example are shown below.  See
   Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   action, ext-action?, restriction?, ext-restriction?, observable-id?,
   DateTime, IncidentID?, Contact?, Description*, DefinedCOA*,
   AdditionalData*

   Example:

   "HistoryItem": {
     "action": "investigate"                                   //ENUM
     "restriction": "need-to-know"                             //ENUM
     "DateTime": "2015-10-15T11:18:00-05:00",              //DateTime
     "IncidentID" { ...},                          //IncidentID class
   }

3.14.  EventData Class

   The class elements and an example are shown below.  See Section 3.14
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Description*,
   DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?,
   Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*,
   Record?, EventData*, AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 18]
Internet-Draft                 JSON-IODEF                  November 2017

   "EventData": {
     "ReportTime": "2016-06-01 18:05:33",
     "Contact": { ...},                               //Contact class
     "Assessment": { ...},                         //Assessment class
     "Method": { ...},                                 //Method class
     "System": { ... },                                //System class
     "Expectation": { ...},                       //Expectation class

3.15.  Expectation Class

   The class elements and an example are shown below.  See Section 3.15
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   action?, ext-action?, severity?, restriction?, ext-restriction?,
   Description*, DefinedCOA*, StartTime?, EndTime?, Contact?

   Example:

   "Expectation": {
     "action": "investigate"                                   //ENUM
     "severity": "medium"                                      //ENUM
     "restriction": "need-to-know"                             //ENUM
   },

3.16.  System Class

   The class elements and an example are shown below.  See Section 3.17
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   category?, ext-category?, interface?, spoofed?, virtual?, ownership?,
   ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*,
   Service*, OperatingSystem*, Counter*, AssetID*, Description*,
   AdditionalData*

   Example:

   "System": {
     "category": "source",                                     //ENUM
     "Node": { ... },                                    //Node class
     "Service": { ... },                              //Service class
   },

Takahashi & Suzuki        Expires May 14, 2018                 [Page 19]
Internet-Draft                 JSON-IODEF                  November 2017

3.17.  Node Class

   The class elements and an example are shown below.  See Section 3.18
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   DomainData*, Address*, PostalAddress?, Location*, Counter*

   Example:

   "Node": {
     "Address": { ... },                              //Address class
     "Location": {"value":"OrgID=7"}                      //ML_STRING
   }

3.17.1.  Address Class

   The class elements and an example are shown below.  See
   Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, category, ext-category?, vlan-name?, vlan-num?, observable-id?

   Example:

   "Address": {
     "value": """192.228.139.118",                           //STRING
     "category": "ipv4-addr",                                  //ENUM
   },

3.17.2.  NodeRole Class

   The class elements and an example are shown below.  See
   Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   category, ext-category?, Description*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 20]
Internet-Draft                 JSON-IODEF                  November 2017

   "NodeRole": {
     "category": "client"                                      //ENUM
     "Description": {"value":"The computer at room A"}    //ML_STRING
   },

3.17.3.  Counter Class

   The class elements and an example are shown below.  See
   Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of
   these elements.

   Class elements:

   value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext-
   duration?

   Example:

   "Counter": {
     "value": "3",                                             //REAL
     "type": "count",                                          //ENUM
     "unit": "packet"                                          //ENUM
     "meaning": {"value":"The number of scan packets
                 are counted"},                           //ML_STRING
   }

3.18.  DomainData Class

   The class elements and an example are shown below.  See Section 3.19
   of RFC 7970 [RFC7970] for the intended meanings of these elements.

   Class elements:

   system-status, ext-system-status?, domain-status, ext-domain-status?,
   observable-id?, Name, DateDomainWasChecked?, RegistrationDate?,
   ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts?

   Example:

   "DomainData": {
     "system-status": "innocent-hacked",                       //ENUM
     "domain-status": "assignedAndInactive",                 //STRING
     "Name": "temp1.nict.go.jp"                              //STRING
   },

Takahashi & Suzuki        Expires May 14, 2018                 [Page 21]
Internet-Draft                 JSON-IODEF                  November 2017

3.18.1.  Nameserver Class

   This class is defined in Section 3.19.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   Server, Address*

   Example:

   "NameServers": {
     "Server": "vgw.nict.go.jp",                             //STRING
     "Address": {
       "AddressValue": "133.243.18.5",                       //STRING
       "category": "ipv4-addr"                                 //ENUM
     }
   }

3.18.2.  DomainContacts Class

   This class is defined in Section 3.19.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   SameDomainContact?, Contact+

   Example:

   "DomainContacts": {
     "Contact": {
       "role": "user",                                         //ENUM
       "type": "organization"                                  //ENUM
     }
   }

3.19.  Service Class

   This class is defined in Section 3.20 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?,
   ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?,
   Application?

Takahashi & Suzuki        Expires May 14, 2018                 [Page 22]
Internet-Draft                 JSON-IODEF                  November 2017

   Example:

   "Service": {
     "ServiceName": {
       "Description": "It seems to be a scan from an infected machine."
     },
     "ip-protocol": 6,                                      //INTEGER
     "Port": 49183                                          //INTEGER
   }

3.19.1.  ServiceName Class

   This class is defined in Section 3.20.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   IANAService?, URL*, Description*

   Example:

"ServiceName": {
  "IANAService": "telnet"                                          //STRING
  "URL": "https://en.wikipedia.org/wiki/Telnet"                    //STRING
  "Description": "It seems to be a scan from an infected machine." //STRING
},

3.19.2.  ApplicationHeader Class

   This class is defined in Section 3.20.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   ApplicationHeaderField+

   Example:

   "ApplicationHeader": {
     "ApplicationHeaderField": {}
   }

3.20.  EmailData Class

   This class is defined in Section 3.21 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 23]
Internet-Draft                 JSON-IODEF                  November 2017

   observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?,
   EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?,
   HashData*, SignatureData*

   Example:

"EmailData":{
  "EmailTo": "user1@example.org"                                 //EMAIL
  "EmailFrom": "user2@example.com"                               //EMAIL
  "EmailSubject": "example email"                               //STRING
  "EmailX-Mailer": "example mailer v1.1.0"                      //STRING
  "EmailBody": "example email"                                  //STRING
}

3.21.  Record Class

   This class is defined in Section 3.22 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, RecordData+

   Example:

"Record": {
  "RecordData": {
    "RecordPattern": {
      "type": "regex",                                            //ENUM
      "value": "[0-9][A-Z]"
    }
  },
  "RecordItem": {}
},

3.21.1.  RecordData Class

   This class is defined in Section 3.22.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, DateTime?,
   Description*, Application?, RecordPattern*, RecordItem*, URL*,
   FileData*, WindowsRegistryKeysModified*, CertificateData*,
   AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 24]
Internet-Draft                 JSON-IODEF                  November 2017

   "RecordData": {
     "RecordPattern": {
       "type": "regex",
       "value": "[0-9][A-Z]"
     }
   },

3.21.2.  RecordPattern Class

   This class is defined in Section 3.22.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?,
   value

   Example:

   "RecordPattern": {
     "type": "regex",
     "value": "[0-9][A-Z]"
   },

3.22.  WindowsRegistryKeysModified Class

   This class is defined in Section 3.23 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, Key+

   Example:

"WindowsRegistryKeysModified": {
  "Key": {
    "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",                      //STRING
    "KeyName":"HKEY_LOCAL_MACHINExxxxxxx",                      //STRING
  }
}

3.22.1.  Key Class

   This class is defined in Section 3.23.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 25]
Internet-Draft                 JSON-IODEF                  November 2017

   registryaction?, ext-registryaction?, observable-id?, KeyName,
   KeyValue?

   Example:

   "Key": {
     "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx",              //STRING
     "KeyName":"HKEY_LOCAL_MACHINExxxxxxx",              //STRING
   }

3.23.  CertificateData Class

   This class is defined in Section 3.24 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, Certificate+

   Example:

   "CertificateData": {
     "Certificate": {
       "X509Data": "xxxxxxxx"                          //STRING
     }
   }

3.23.1.  Certificate Class

   This class is defined in Section 3.24.1 of RFC 7970 [RFC7970].  The
   X509Data class contains base64 encoded form of X.509 certificate or
   chain as described in Section 4.4.4 of [W3C.XMLSIG].  The example
   below represents how to describe this class in JSON.

   Class elements:

   observable-id?, X509Data, Description*

   Example:

   "Certificate": {
     "X509Data": "xxxxxxxx"                          //STRING
   }

Takahashi & Suzuki        Expires May 14, 2018                 [Page 26]
Internet-Draft                 JSON-IODEF                  November 2017

3.24.  FileData Class

   This class is defined in Section 3.25 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, observable-id?, File+

   Example:

   "FileData": {
     "File": {
       "FileName": "dummy.exe"                         //STRING
     }
   },

3.24.1.  File Class

   This class is defined in Section 3.25.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?,
   SignatureData?, AssociatedSoftware?, FileProperties*

   Example:

   "File": {
     "FileName": "dummy.exe"                         //STRING
   }

3.25.  HashData Class

   This class is defined in Section 3.26 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   scope, HashTargetID?, Hash*, FuzzyHash*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 27]
Internet-Draft                 JSON-IODEF                  November 2017

  "HashData": {
    "scope": "file-contents",                       //ENUM
    "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
      "DigestValue": "xxxxxxxxxxx"                //STRING
    }
  }

3.25.1.  Hash Class

   This class is defined in Section 3.26.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   DigestMethod, DigestValue, CanonicalizationMethod?, Application?

   Example:

   "Hash": {
     "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
     "DigestValue": "xxxxxxxxxxx"                //STRING
   }

3.25.2.  FuzzyHash Class

   This class is defined in Section 3.26.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   FuzzyHashValue+, Application?, AdditionalData?

   Example:

   "FuzzyHash": {
     "FuzzyHashValue": {}
   }

3.26.  SignatureData Class

   This class is defined in Section 3.27 of RFC 7970 [RFC7970].  The
   Signature class contains base64 encoded form of signature as
   described in Section 4.2 of [W3C.XMLSIG].  The example below
   represents how to describe this class in JSON.

   Class elements:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 28]
Internet-Draft                 JSON-IODEF                  November 2017

   Signature+

   Example:

   "SignatureData": {
     "Signature": "xxxxxxxx"                       //STRING
   }

3.27.  Indicator Class

   This class is defined in Section 3.29 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*,
   Description*, StartTime?, EndTime?, Confidence?, Contact*,
   Observable?, ObservableReference?, IndicatorExpression?,
   IndicatorReference?, NodeRole*, AttackPhase*, Reference*,
   AdditionalData*

   Example:

   "Indicator": {
     "IndicatorID": {
       "id": "G90823490",                                    //STRING
       "name": "csirt.example.com",                          //STRING
       "version": "1"                                        //STRING
     },
     "Description": "C2 domains",                         //ML_STRING
     "StartTime": "2014-12-02T11:18:00-05:00",             //Datetime
     "Observable": {
       "BulkObservable": {
         "type": "fqdn"                                        //ENUM
       },
       "BulkObservableList": [
         "kj290023j09r34.example.com",                       //STRING
         "09ijk23jfj0k8.example.net",                        //STRING
         "klknjwfjiowjefr923.example.org",                   //STRING
         "oimireik79msd.example.org"                         //STRIN
       ]
     }
   }

Takahashi & Suzuki        Expires May 14, 2018                 [Page 29]
Internet-Draft                 JSON-IODEF                  November 2017

3.27.1.  IndicatorID Class

   This class is defined in Section 3.29.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   id, name, version

   Example:

   "IndicatorID": {
     "id": "G90823490",                                    //STRING
     "name": "csirt.example.com",                          //STRING
     "version": "1"                                        //STRING
   }

3.27.2.  AlternativeIndicatorID Class

   This class is defined in Section 3.29.2 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, IndicatorReference+

   Example:

   "AlternativeIndicatorID": {
     "IndicatorReference": {
       "uid-ref": "xxxxx"
     }
   },

3.27.3.  Observable Class

   This class is defined in Section 3.29.3 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   restriction?, ext-restriction?, System?, Address?, DomainData?,
   Service?, EmailData?, WindowsRegistryKeysModified?, FileData?,
   CertificateData?, RegistryHandle?, RecordData?, EventData?,
   Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?,
   HistoryItem?, BulkObservable?, AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 30]
Internet-Draft                 JSON-IODEF                  November 2017

   "Observable": {
     "BulkObservable": {
       "type": "fqdn"                                        //ENUM
     },
     "BulkObservableList": [
       "kj290023j09r34.example.com",                       //STRING
       "09ijk23jfj0k8.example.net",                        //STRING
       "klknjwfjiowjefr923.example.org",                   //STRING
       "oimireik79msd.example.org"                         //STRING
     ]
   }

3.27.4.  BulkObservable Class

   This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   type?, ext-type?, BulkObservableFormat?, BulkObservableList,
   AdditionalData*

   Example:

   "BulkObservable": {
     "type": "fqdn"                                        //ENUM
   },
   "BulkObservableList": [
     "kj290023j09r34.example.com",                       //STRING
     "09ijk23jfj0k8.example.net",                        //STRING
     "klknjwfjiowjefr923.example.org",                   //STRING
     "oimireik79msd.example.org"                         //STRING
   ]

3.27.5.  BulkObservableFormat Class

   This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970].
   The example below represents how to describe this class in JSON.

   Class elements:

   Hash?, AdditionalData*

   Example:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 31]
Internet-Draft                 JSON-IODEF                  November 2017

  "BulkObservableFormat": {
    "Hash": {
      "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING
      "DigestValue": "xxxxxxxxxxx"                  //STRING
    }
  }

3.27.6.  IndicatorExpression Class

   This class is defined in Section 3.29.4 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   operator?, ext-operator?, IndicatorExpression*, Observable*,
   ObservableReference*, IndicatorReference*, Confidence?,
   AdditionalData*

   Example:

   "IndicatorExpression": {
     "ObservableReference": {
       "uid-ref": "xxxxx"
     }
   }

3.27.7.  ObservableReference Class

   This class is defined in Section 3.29.6 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   uid-ref

   Example:

   "ObservableReference": {
     "uid-ref": "xxxxx"
   },

3.27.8.  IndicatorReference Class

   This class is defined in Section 3.29.7 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

Takahashi & Suzuki        Expires May 14, 2018                 [Page 32]
Internet-Draft                 JSON-IODEF                  November 2017

   uid-ref?, euid-ref?, version?

   Example:

   "IndicatorReference": {
     "uid-ref": "xxxxx"
   }

3.27.9.  AttackPhase Class

   This class is defined in Section 3.29.8 of RFC 7970 [RFC7970].  The
   example below represents how to describe this class in JSON.

   Class elements:

   AttackPhaseID*, URL*, Description*, AdditionalData*

   Example:

"AttackPhase": {
  "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets." //ML_STRING
}

4.  Notable differences from RFC 7970 (to be deleted)

   o  This document treats attributes and elements of each class defined
      in RFC 7970 [RFC7970] equally and is agnostic on the order of
      their appearances.

   o  Flow class is deleted, and EventData class now has the instance of
      System class.

   o  Record class is deleted, and the link to the Record class are
      directly connected to RecordData class, which is then renamed to
      Record class.

5.  Examples

   This section provides example of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the the only
   way to encode particular information.

5.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

Takahashi & Suzuki        Expires May 14, 2018                 [Page 33]
Internet-Draft                 JSON-IODEF                  November 2017

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": 492382,
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ]
       }
     ]
   }

5.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

{
  "version": "2.0",
  "lang": "en",
  "Incidents": [
    {
      "purpose": "watch",
      "restriction": "green",
      "IncidentID": {
        "id": "897923",
        "name": "csirt.example.com"
      },
      "RelatedActivity": [
        {
          "ThreatActor": [
            {
              "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
              "Description": "Aggressive Butterfly"
            }
          ],

Takahashi & Suzuki        Expires May 14, 2018                 [Page 34]
Internet-Draft                 JSON-IODEF                  November 2017

          "Campaign": [
            {
              "CampaignID": "C-2015-59405",
              "Description": "Orange Giraffe"
            }
          ]
        }
      ],
      "GenerationTime": "2015-10-02T11:18:00-05:00",
      "Description": [
        "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
      ],
      "Assessment": [
        {
          "BusinessImpact": {
            "type": "breach-proprietary"
          }
        }
      ],
      "Contacts": [
        {
          "type": "organization",
          "role": "creator",
          "ContactName": "CSIRT for example.com",
          "Email": {
            "emailTo": "contact@csirt.example.com"
          }
        }
      ],
      "IndicatorList": [
        {
          "IndicatorID": {
            "id": "G90823490",
            "name": "csirt.example.com",
            "version": "1"
          },
          "Description": "C2 domains",
          "StartTime": "2014-12-02T11:18:00-05:00",
          "Observable": {
            "BulkObservable": {
              "type": "fqdn"
            },
            "BulkObservableList": [
              "kj290023j09r34.example.com",
              "09ijk23jfj0k8.example.net",
              "klknjwfjiowjefr923.example.org",
              "oimireik79msd.example.org"
            ]

Takahashi & Suzuki        Expires May 14, 2018                 [Page 35]
Internet-Draft                 JSON-IODEF                  November 2017

          }
        }
      ]
    }
  ]
}

6.  The IODEF Data Model (JSON Schema)

{ "$schema": "http://json-schema.org/draft-04/schema#",
  "definitions": {
    "action": {"enum": ["nothing","contact-source-site","contact-target-site",
               "contact-sender", "investigate","block-host","block-network",
               "block-port","rate-limit-host","rate-limit-network",
               "rate-limit-port","redirect-traffic","honeypot",
               "upgrade-software","rebuild-asset","harden-asset",
               "remediate-other","status-triage","status-new-info",
               "watch-and-report","training","defined-coa","ext-value"]},
    "duration": {"enum": ["second","minute","hour","day","month","quarter",
                 "year","ext-value"]},
    "lang": {"enum": ["en","jp"]},
    "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
               "ext-value"]},
    "restriction": {"enum": ["public","partner","need-to-know","private",
                   "default","white","green","amber","red","ext-value"]},
    "status": {"enum": ["new","in-progress","forwarded","resolved","future",
              "ext-value"]},
    "DATETIME": {"type": "string"},
    "PORTLIST": {"type": "string"},
    "URLtype": {"type": "string"},
    "IDtype": {"type": "string"},
    "ExtensionType": {
      "type": "object",
      "properties": {
        "name": {"type": "string"},
        "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
                  "ntpstamp","integer","portlist","real","string","file",
                  "path","frame","packet","ipv4-packet","ipv6-packet","url",
                  "csv","winreg","xml","ext-value"]},
        "ext-dtype": {"type": "string"},
        "meaning": {"type": "string"},
        "formatid": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"}}},
    "ExtensionTypeList": {
      "type": "array",
      "items": {"$ref": "#/definitions/ExtensionType"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 36]
Internet-Draft                 JSON-IODEF                  November 2017

    "SoftwareType": {
      "type": "object",
      "properties": {
        "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
        "URL": {"$ref": "#/definitions/URLtype"},
        "Description": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "SoftwareReference": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "spec-name": {"type": "string"},
        "ext-spec-name": {"type": "string"},
        "dtype": {"type": "string"},
        "ext-dtype": {"type": "string"}},
      "required": ["spec-name"],
      "additionalProperties": false},
    "StructuredInfo": {
      "type": "object",
      "properties": {
        "specID": {"type": "string"},
        "ext-specID": {"type": "string"},
        "contentID": {"type": "string"},
        "RawData": {"type": "string"},
        "URL": {"$ref": "#/definitions/URLtype"}},
      "required": ["specID"],
      "additionalProperties": false},
    "Incident": {
      "title": "Incident",
      "description": "JSON schema for Incident class",
      "type": "object",
      "properties": {
        "purpose": {"$ref": "#/definitions/purpose"},
        "ext-purpose": {"type": "string"},
        "status": {"$ref": "#/definitions/status"},
        "ext-status": {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
        "RelatedActivity": {
          "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 37]
Internet-Draft                 JSON-IODEF                  November 2017

        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "GenerationTime": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {
          "type": "array","items": {"$ref": "#/definitions/Assessment"}},
        "Methods": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "Contacts": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "IndicatorList": {
          "type": "array","items": {"$ref": "#/definitions/Indicator"}},
        "History": {"$ref": "#/definitions/History"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IncidentID","GenerationTime","Contacts","purpose"],
      "additionalProperties": false},
    "IncidentID": {
      "title": "IncidentID",
      "description": "JSON schema for IncidentID class",
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "instance": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": ["name"],
      "additionalProperties": false},
    "AlternativeID": {
      "title": "AlternativeID",
      "description": "JSON schema for AlternativeID class",
      "type": "object",
      "properties": {
        "IncidentID": {
          "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": ["IncidentID"],
      "additionalProperties": false},
    "RelatedActivity": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IncidentID": {

Takahashi & Suzuki        Expires May 14, 2018                 [Page 38]
Internet-Draft                 JSON-IODEF                  November 2017

          "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "ThreatActor": {
          "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
        "Campaign": {
          "type": "array","items": {"$ref": "#/definitions/Campaign"}},
        "IndicatorID": {
          "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Description": { "type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "ThreatActor": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "ThreatActorID": {"type": "array", "items": {"type": "string"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "Campaign": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "CampaignID": {"type": "array", "items": {"type": "string"}},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
    "Contact": {
      "type": "object",
      "properties": {
        "role": {
          "enum": ["creator","reporter","admin","tech","provider","user",
                   "billing","legal","irt","abuse","cc","cc-irt","leo",
                   "vendor","vendor-support","victim","victim-notified",
                   "ext-value"]},
        "ext-role": {"type": "string"},
        "type": {"enum": ["person","organization","ext-value"]},
        "ext-type": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "ContactName": {"type": "array", "items": {"type": "string"}},
        "ContactTitle": {"type": "array", "items": {"type": "string"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "RegistryHandle": {
          "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 39]
Internet-Draft                 JSON-IODEF                  November 2017

        "PostalAddress": {
          "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
        "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
        "Telephone": {
          "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
        "Timezone": {"type": "string"},
        "Contact": {
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["role","type"],
      "additionalProperties": false},
    "RegistryHandle": {
      "type": "object",
      "properties": {
        "handle": {"type": "string"},
        "registry": {
          "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
                   "ext-value"]},
        "ext-registry": {"type": "string"}},
      "required": ["registry"],
      "additionalProperties": false},
    "PostalAddress": {
      "type": "object",
      "properties": {
        "type": {"type": "string"},
        "ext-type": {"type": "string"},
        "PAddress": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": ["PAddress"],
      "additionalProperties": false},
    "Email": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["direct","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "EmailTo": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": ["EmailTo"],
      "additionalProperties": false},
    "Telephone": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["wired","mobile","fax","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "TelephoneNumber": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 40]
Internet-Draft                 JSON-IODEF                  November 2017

      "required": ["TelephoneNumber"],
      "additionalProperties": false},
    "Discovery": {
      "type": "object",
      "properties": {
        "source": {
          "enum":["nidps","hips","siem","av","third-party-monitoring",
                  "incident","os-log","application-log","device-log",
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
        "ext-source": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "Contact": {
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "DetectionPattern": {
          "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
      "required": [],
      "additionalProperties": false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "DetectionConfiguration": {
          "type": "array", "items": {"type": "string"}}},
      "required": ["Application"],
      "additionalProperties": false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "References": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "AttackPattern": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Vulnerability": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Weakness": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 41]
Internet-Draft                 JSON-IODEF                  November 2017

      "required": [],
      "additionalProperties": false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {"type": "string"},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {"enum":["actual","potential"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {"type": "array", "items": {"type": "string"}},
        "SystemImpact": {
          "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
        "BusinessImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "TimeImpact": {
          "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
        "MonetaryImpact": {
          "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
        "IntendedImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "Counter": {
          "type": "array", "items": {"$ref": "#/definitions/Counter"}},
        "MitigatingFactor": {
          "type": "array", "items": {"$type": "string"}},
        "Cause": {"type": "array", "items": {"$type": "string"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["low","medium","high"]},
        "completion": {"enum":["failed","succeeded"]},
        "type": {
          "enum":["takeover-account","takeover-service","takeover-system",
                  "cps-manipulation","cps-damage","availability-data",
                  "availability-account","availability-service",

Takahashi & Suzuki        Expires May 14, 2018                 [Page 42]
Internet-Draft                 JSON-IODEF                  November 2017

                  "availability-system","damaged-system","damaged-data",
                  "breach-proprietary","breach-privacy","breach-credential",
                  "breach-configuration","integrity-data",
                  "integrity-configuration","integrity-hardware",
                  "traffic-redirection","monitoring-traffic","monitoring-host",
                  "policy","unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["none","low","medium","high","unknown","ext-value"]},
        "ext-severity": {"type":"string"},
        "type": {
          "enum":["breach-proprietary","breach-privacy","breach-credential",
                  "loss-of-integrity","loss-of-service","theft-financial",
                  "theft-service","degraded-reputation","asset-damage",
                  "asset-manipulation","legal","extortion","unknown",
                  "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum": ["low","medium","high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum":["low","medium","high"]},
        "currency": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {

Takahashi & Suzuki        Expires May 14, 2018                 [Page 43]
Internet-Draft                 JSON-IODEF                  November 2017

        "value": {"type": "number"},
        "rating": {
          "enum": ["low","medium","high","numeric","unknown","ext-value"]},
        "ext-rating": {"type":"string"}},
      "required": ["rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {"$ref": "#/definitions/Assessment"},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 44]
Internet-Draft                 JSON-IODEF                  November 2017

        "Method": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "Record": {"$ref": "#/definitions/Record"},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["ReportTime"],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor","infrastructure",
                   "ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"]},
        "virtual": {"enum": ["yes","no","unknown"]},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 45]
Internet-Draft                 JSON-IODEF                  November 2017

        "Service": {
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {"type": "array","items": {"type": "string"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {"type": "string"},
        "Location": {"type": "array","items": {"type": "string"}},
        "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
           "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                    "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
                    "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","clent-partner","client-remote",
                  "client-kiosk","client-mobile","server-internal",
                  "server-public","www","mail","webmail","messaging",
                  "streaming","voice","file","ftp","p2p","name","directory",
                  "credential","print","application","database","backup",
                  "dhcp","assessment","source-control","config-management",
                  "monitoring","infra","infra-firewall","infra-router",

Takahashi & Suzuki        Expires May 14, 2018                 [Page 46]
Internet-Draft                 JSON-IODEF                  November 2017

                  "infra-switch","camera","proxy","remote-access","log",
                  "virtualization","pos", "scada", "scada-supervisory",
                  "sinkhole","honeypot","anomyzation","c2-server",
                  "malware-distribution","drop-server","hot-point","reflector",
                  "phishing-site","spear-phishing-site","recruiting-site",
                  "fraudulent-site","ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
                 "message","event","host","site","organization","ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "NameServers": {
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
          "type": "array","items": {"$ref": "#/definitions/DomainContacts"}}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 47]
Internet-Draft                 JSON-IODEF                  November 2017

      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
      "required": ["Contact"],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "integer"},
        "Portlist": {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {"type": "integer"},
        "ProtoType": {"type": "integer"},
        "ProtoField": {"type": "integer"},
        "ApplicationHeader": {"$ref": "#/definitions/ApplicationHeader"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "ApplicationHeader": {
      "type": "object",
      "properties": {
        "ApplicationHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": ["ApplicationHeaderField"],
      "additionalProperties": false},
    "EmailData": {

Takahashi & Suzuki        Expires May 14, 2018                 [Page 48]
Internet-Draft                 JSON-IODEF                  November 2017

      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "EmailTo": {"type": "array","items": {"type": "string"}},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "SignatureData": {
          "type": "array","items": {"$ref": "#/definitions/SignatureData"}}},
      "required": [],
      "additionalProperties": false},
    "Record":{
      "type": "object",
      "properties":{
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "RecordData": {
          "type": "array","items": {"$ref": "#/definitions/RecordData"}}},
      "required":["RecordData"],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Applicadtion": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {

Takahashi & Suzuki        Expires May 14, 2018                 [Page 49]
Internet-Draft                 JSON-IODEF                  November 2017

          "type": "array","items": {"$ref": "#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
    },
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {"type": "string"},
        "offset": {"type": "integer"},
        "offsetunit": {"enum":["line","byte","ext-value"]},
        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observabile-id": {"$ref": "#/definitions/IDtype"},
        "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
                          "delete-value","modify-key","modify-value",
                          "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",

Takahashi & Suzuki        Expires May 14, 2018                 [Page 50]
Internet-Draft                 JSON-IODEF                  November 2017

      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {type: "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array","items": {"$ref": "#/definitions/File"}}},
      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {"type": "string"},
        "FileSize": {"type": "integer"},
        "FileType": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {"$ref": "#/definitions/HashData"},
        "SignatureData": {"$ref": "#/definitions/SignatureData"},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
                 "file-pe-resource","file-pdf-object","email-hash",
                 "email-hash-header","email-hash-body"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"type": "string"},
        "DigestValue": {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {"$ref": "#/definitions/SoftwareType"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 51]
Internet-Draft                 JSON-IODEF                  November 2017

      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "SignatureData": {
      "type": "object",
      "properties": {
        "Signature": {"type": "array","items": {"type": "string"}}},
      "required": ["Signature"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {"$ref": "#/definitions/Observable"},
        "ObservableReference": {"$ref": "#/definitions/ObservableReference"},
        "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {

Takahashi & Suzuki        Expires May 14, 2018                 [Page 52]
Internet-Draft                 JSON-IODEF                  November 2017

        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": ["IndicatorReference"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "Record": {"$ref": "#/definitions/Record"},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
                 "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",

Takahashi & Suzuki        Expires May 14, 2018                 [Page 53]
Internet-Draft                 JSON-IODEF                  November 2017

                 "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
                 "ipv4-port","ipv6-port","windows-reg-key","file-hash",
                 "email-x-mailer","email-subject","http-user-agent",
                 "http-request-url","mutex","file-path","user-name",
                 "ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "string"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorExpression": {
      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"]},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "ObservableReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/ObservableReference"}},
        "IndicatorReference": {
          "type": "array",
         "items": {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "ObservableReference": {
      "type": "object",
      "properties": {"uid-ref": {"type": "string"}},
      "required": ["uid-ref"],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"type": "string"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},

Takahashi & Suzuki        Expires May 14, 2018                 [Page 54]
Internet-Draft                 JSON-IODEF                  November 2017

      "required": [],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {"type": "array","items": {"type": "string"}},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array","items": {"$ref": "#/definitions/Incident"}},
      "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}

                           Figure 1: JSON schema

7.  Acknowledgements

   TBD.

8.  IANA Considerations

   This memo includes no request to IANA.

9.  Security Considerations

   This memo does not provide any further security considerations than
   the one described in RFC 7970 [RFC7970].

10.  References

10.1.  Normative References

   [jsonschema]
              "JSON Schema", 2006.

Takahashi & Suzuki        Expires May 14, 2018                 [Page 55]
Internet-Draft                 JSON-IODEF                  November 2017

              http://json-schema.org/

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

10.2.  Informative References

   [DOMINATION]
              Mad Dominators, Inc., "Ultimate Plan for Taking Over the
              World", 1984, <http://www.example.com/dominator.html>.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              DOI 10.17487/RFC2629, June 1999,
              <https://www.rfc-editor.org/info/rfc2629>.

   [RFC3552]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC
              Text on Security Considerations", BCP 72, RFC 3552,
              DOI 10.17487/RFC3552, July 2003,
              <https://www.rfc-editor.org/info/rfc3552>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <https://www.rfc-editor.org/info/rfc5226>.

Authors' Addresses

   Takeshi Takahashi
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp

Takahashi & Suzuki        Expires May 14, 2018                 [Page 56]
Internet-Draft                 JSON-IODEF                  November 2017

   Mio Suzuki
   NICT
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp

Takahashi & Suzuki        Expires May 14, 2018                 [Page 57]