JSON binding of IODEF
draft-ietf-mile-jsoniodef-01
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8727.
|
|
---|---|---|---|
Authors | Takeshi Takahashi , Mio Suzuki | ||
Last updated | 2017-11-11 | ||
Replaces | draft-takahashi-mile-jsoniodef | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-09)
by Robert Sparks
Almost ready
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Became RFC 8727 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
draft-ietf-mile-jsoniodef-01
MILE T. Takahashi Internet-Draft M. Suzuki Intended status: Standards Track NICT Expires: May 14, 2018 November 10, 2017 JSON binding of IODEF draft-ietf-mile-jsoniodef-01 Abstract RFC 7970 [RFC7970] provides XML-based data representation on incident information, but the use of the IODEF data model is not limited to XML. JSON representation is sometimes preferred since it is easy to handle from certain programming environments. This draft represents the IODEF data model in JSON. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 14, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Takahashi & Suzuki Expires May 14, 2018 [Page 1] Internet-Draft JSON-IODEF November 2017 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 4 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 5 2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 5 2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 5 2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 5 2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 5 2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 5 2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 6 2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 6 2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 6 2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 6 2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 6 2.13. Uniform Resource Locator Strings . . . . . . . . . . . . 6 2.14. Identifiers and Identifier References . . . . . . . . . . 7 2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 7 2.16. StructuredInfo . . . . . . . . . . . . . . . . . . . . . 7 3. The IODEF Information Model in JSON . . . . . . . . . . . . . 8 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 8 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 8 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 9 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 9 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 9 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 9 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 10 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 10 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 11 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 11 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 11 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 12 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 12 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 12 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 13 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 13 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 14 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 14 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 15 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 15 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 15 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 16 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 16 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 17 Takahashi & Suzuki Expires May 14, 2018 [Page 2] Internet-Draft JSON-IODEF November 2017 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 17 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 17 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 18 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 18 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 19 3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 19 3.17. Node Class . . . . . . . . . . . . . . . . . . . . . . . 20 3.17.1. Address Class . . . . . . . . . . . . . . . . . . . 20 3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 20 3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21 3.18. DomainData Class . . . . . . . . . . . . . . . . . . . . 21 3.18.1. Nameserver Class . . . . . . . . . . . . . . . . . . 22 3.18.2. DomainContacts Class . . . . . . . . . . . . . . . . 22 3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 22 3.19.1. ServiceName Class . . . . . . . . . . . . . . . . . 23 3.19.2. ApplicationHeader Class . . . . . . . . . . . . . . 23 3.20. EmailData Class . . . . . . . . . . . . . . . . . . . . . 23 3.21. Record Class . . . . . . . . . . . . . . . . . . . . . . 24 3.21.1. RecordData Class . . . . . . . . . . . . . . . . . . 24 3.21.2. RecordPattern Class . . . . . . . . . . . . . . . . 25 3.22. WindowsRegistryKeysModified Class . . . . . . . . . . . . 25 3.22.1. Key Class . . . . . . . . . . . . . . . . . . . . . 25 3.23. CertificateData Class . . . . . . . . . . . . . . . . . . 26 3.23.1. Certificate Class . . . . . . . . . . . . . . . . . 26 3.24. FileData Class . . . . . . . . . . . . . . . . . . . . . 27 3.24.1. File Class . . . . . . . . . . . . . . . . . . . . . 27 3.25. HashData Class . . . . . . . . . . . . . . . . . . . . . 27 3.25.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 28 3.25.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 28 3.26. SignatureData Class . . . . . . . . . . . . . . . . . . . 28 3.27. Indicator Class . . . . . . . . . . . . . . . . . . . . . 29 3.27.1. IndicatorID Class . . . . . . . . . . . . . . . . . 30 3.27.2. AlternativeIndicatorID Class . . . . . . . . . . . . 30 3.27.3. Observable Class . . . . . . . . . . . . . . . . . . 30 3.27.4. BulkObservable Class . . . . . . . . . . . . . . . . 31 3.27.5. BulkObservableFormat Class . . . . . . . . . . . . . 31 3.27.6. IndicatorExpression Class . . . . . . . . . . . . . 32 3.27.7. ObservableReference Class . . . . . . . . . . . . . 32 3.27.8. IndicatorReference Class . . . . . . . . . . . . . . 32 3.27.9. AttackPhase Class . . . . . . . . . . . . . . . . . 33 4. Notable differences from RFC 7970 (to be deleted) . . . . . . 33 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 33 5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33 5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 34 6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 36 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 55 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 55 9. Security Considerations . . . . . . . . . . . . . . . . . . . 55 Takahashi & Suzuki Expires May 14, 2018 [Page 3] Internet-Draft JSON-IODEF November 2017 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 55 10.1. Normative References . . . . . . . . . . . . . . . . . . 55 10.2. Informative References . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 1. Introduction RFC 7970 [RFC7970] defines an data model for sharing incident information. It facilitates automated exchange of information among parties over networks. The data model can be implemented in a form of XML, but it is not always suitable for implementation. JSON-based representation is often useful. Therefore, in this document, we provide a means to represent IODEF data model in JSON. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. IODEF Data Types The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the JSON IODEF, with some syntax changes for some of the types. 2.1. Integers An integer is represented in the information model by the INTEGER data type. Integer data MUST be encoded in Base 10, and is implemented as an "integer" type per JSON schema [jsonschema]. 2.2. Real Numbers A real (floating-point) number is represented in the information model by the REAL data type. Real data MUST be encoded in Base 10, and is implemented in the data model as an "number" type per JSON schema [jsonschema]. 2.3. Characters and Strings A single character is represented in the information model by the CHARACTER data type. A string is represented by the STRING data type. Special characters MUST be encoded using entity references.The CHARACTER and STRING data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. Takahashi & Suzuki Expires May 14, 2018 [Page 4] Internet-Draft JSON-IODEF November 2017 2.4. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 6. Examples are shown below. "MLStringType": { "value": "free-form text", //STRING "lang": "en", //ENUM "translation-id": "jp2en0023" //STRING } 2.5. Binary Strings 2.5.1. Base64 Bytes A binary octet encoded with base64 is represented in the information model by the BYTE data type. A sequence of these octets is of the BYTE[] data type. The BYTE and BYTE[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.5.2. Hexadecimal Bytes A binary octet encoded as a character tuple consistent of two hexadecimal digits is represented in the information model by the HEXBIN data type. A sequence of these octets is of the HEXBIN[] data type. The HEXBIN and HEXBIN[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.6. Enumerated Types An enumerated type is represented in the information model by the ENUM data type. It is an ordered list of acceptable string values. Each value has a representative keyword. The ENUM data type is implemented in the data model as values of an enum array per JSON schema [jsonschema]. 2.7. Date-Time String A date-time string that describes a particular instant in time is represented in the information model by the DATETIME data type. Ranges are not supported. The DATETIME data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. Takahashi & Suzuki Expires May 14, 2018 [Page 5] Internet-Draft JSON-IODEF November 2017 2.8. Timezone String A timezone offset from UTC is represented in the information model by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The TIMEZONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.9. Port Lists A list of network ports is represented in the information model by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in the data model as an "string" type per JSON schema [jsonschema] 2.10. Postal Address A postal address is represented in the information model by the POSTAL data type. The format of the POSTAL data type is documented in Section 2.23 of [RFC4519] as a free-form multi-line string separated by the "$" character. The POSTAL data type is implemented in the data model as the aforementioned ML_STRING type. 2.11. Telephone Number A telephone number is represented in the information model by the PHONE data type. The format of the PHONE data type is documented in [E.164]. The PHONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.12. Email String An email address is represented in the information model by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.13. Uniform Resource Locator Strings A uniform resource locator (URL) is represented in the information model by the URL data type. The format of the URL data type is documented in [RFC3986]. Takahashi & Suzuki Expires May 14, 2018 [Page 6] Internet-Draft JSON-IODEF November 2017 The URL data type is implemented as an "string" type per JSON schema [jsonschema]. 2.14. Identifiers and Identifier References An identifier unique to the IODEF document is represented in the information model by the ID data type. A reference to this identifier is represented by the IDREF data type. These data types are implemented in the model as an "string" type per JSON schema [jsonschema]. 2.15. Software A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 6. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, //SoftwareReference "Description": {"value":"MS Windows"}, //ML_STRING } 2.16. StructuredInfo Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that this type was originally specified in RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInformation": { "SpecID": "cve", //ENUM "ContentID": "CVE-2007-5000", //STRING } When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInformation": { "SpecID": "oval", //ENUM "RawData": "<<<strings encoded with base64>>>", //STRING } Takahashi & Suzuki Expires May 14, 2018 [Page 7] Internet-Draft JSON-IODEF November 2017 3. The IODEF Information Model in JSON The data model of IODEF is defined in RFC 7970 [RFC7970], and this section illustrates their representations in JSON. Note that the complete JSON schema is defined in Section 6. 3.1. IODEF-Document Class This class is the top level class in the IODEF data model. Its class elements and an example are shown below. See Section 3.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: version, lang?, format-id?, private-enum-name?, private-enum-id?, Incident+, AdditionalData* Example: "IODEF-Document": { "version": "2.1", //STRING "lang": "en", //ENUM "format-id": "RFC7970-json", //STRING "Incident": [ ... ] //Incident } 3.2. Incident Class The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents. Its class elements and an example are shown below. See Section 3.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, ext-restriction?, observable-id?, IncidentID, AlternativeID?, RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, GenrationTime?, Description*, Discovery*, Assessment*, Method*, Contact+, EventData*, IndicatorData?, History?, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 8] Internet-Draft JSON-IODEF November 2017 "Incident": { "purpose": "reporting", //ENUM "lang": "en", //STRING "restriction": "green", //ENUM "IncidentID": { ... }, //IncidentID Class "RelatedActivity": [ ... ], //RelatedActivity Class "GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime "Description": [{"value":"Incident in the HQ"}], //ML_STRING "Assessment": [ ... ], //Assessment "Method": [ ... ], //Method "Contact": [ ... ] //Contact "EventData": [ ... ], //EventData "IndicatorData": { ... } //IndicatorData "History": { ... }, //History "AdditionalData": [ ... ], //AdditionalData } 3.3. Common Attributes There are a number of recurring attributes used in the information model. They are documented in this section. 3.3.1. restriction Attribute RFC 7970 [RFC7970] defines the restriction Attribute as one of common attributes. It is defined as below: "restriction":{"enum": ["public", "partner", "need-to-know", "private", "default", "white", "green", "amber", "red", "ext-value"]} Note that you must use "ext-restriction" field (STRING type) when the value of "restriction" field is set to "ext-value". 3.3.2. observable-id Attribute RFC 7970 [RFC7970] defines the observable-id attribute as one of common attributes. The value of this attribute is a unique identifier, in string type, in the scope of the document.It is defined as below: 3.4. IncidentID Class The class elements and an example are shown below. See Section 3.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: id, name, instance?, restriction?, ext-restriction? Takahashi & Suzuki Expires May 14, 2018 [Page 9] Internet-Draft JSON-IODEF November 2017 Example: "IncidentID": { "id": "nict20150518-0001", // STRING "name": "NICT_cert", // STRING "instance": "cyberlab" // STRING "restriction": "ext-value" // ENUM "ext-restriction": "registration required" // STRING } 3.5. AlternativeID Class The class elements and an example are shown below. See Section 3.5 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID+ Example: "AltervativeID": { "restriction": "private", //ENUM "IncidentID": [<<<omitted>>>] //IncidentID } 3.6. RelatedActivity Class The class elements and an example are shown below. See Section 3.6 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*, Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData* Example: "RelatedActivity": { "restriction": "private", //ENUM "ThreatActor": [{...}], //ThreatActor class "Campaign": [{...}] //Campaign class } Takahashi & Suzuki Expires May 14, 2018 [Page 10] Internet-Draft JSON-IODEF November 2017 3.7. ThreatActor Class The class elements and an example are shown below. See Section 3.7 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, ThreatActorID*, URL*, Description*, AdditionalData* Example: "ThreatActor": { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING "Description": {"value":"Aggressive Butterfly"} //ML_STRING } 3.8. Campaign Class The class elements and an example are shown below. See Section 3.8 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, CampaignID*, URL*, Description*, AdditionalData* Example: "Campaign": { "CampaignID": "C-2015-59405", //STRING "Description": {"value":"Orange Giraffe"} //ML_STRING } 3.9. Contact Class The class elements and an example are shown below. See Section 3.9 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: role, ext-role?, type, ext-type?, restriction?, ext-restriction?, ContactName*, ContactTitle*, Description*, RegistryHandle*, PostalAddress*, Email*, Telephone*, Timezone?, Contact*, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 11] Internet-Draft JSON-IODEF November 2017 "Contact": { "role": "creator", //ENUM "type": "organization", //ENUM "ContactName": {"value":"CSIRT for example.com"}, //ML_STRING "ContactTitle": {"value":"Senior Research Engineer"} //ML_STRING "email": {...}, //Email Class "Telephone": {...}, //Telephone Class "Timezone": "+09:00" //TIMEZONE } 3.9.1. RegistryHandle Class The class elements and an example are shown below. See Section 3.9.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: handle, registry, ext-registry? Example: "RegistryHandle": { "handle": "MyAPNIC", //STRING "registry": "apnic", //ENUM } 3.9.2. PostalAddress Class The class elements and an example are shown below. See Section 3.9.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, PAddress, Description* Example: "PostalAddress": { "type": "mailing", //ENUM "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL "Description": {"value":"Office address"} //ML_STRING }, 3.9.3. Email Class The class elements and an example are shown below. See Section 3.9.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Takahashi & Suzuki Expires May 14, 2018 [Page 12] Internet-Draft JSON-IODEF November 2017 Class elements: type?, ext-type?, EmailTo, Description* Example: "Email": { "type": "direct", //ENUM "emailTo": "contact@csirt.example.com", //EMAIL "Description": {"value":"Administrator's address"} //ML_STRING }, 3.9.4. Telephone Class The class elements and an example are shown below. See Section 3.9.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, TelephoneNumber, Description* Example: "Telephone": { "type": "wired", //ENUM "TelephoneNumber": "+818012345678", //PHONE "Description": {"value":"Admin's moble"} //ML_STRING }, 3.10. Discovery Class The class elements and an example are shown below. See Section 3.10 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: source?, ext-source?, restriction?, ext-restriction?, Description*, Contact*, DetectionPattern* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 13] Internet-Draft JSON-IODEF November 2017 "Discovery": { "source": "nidps", //ENUM "restriction": "need-to-know" //ENUM "Contact": {...}, //Contact class "DetectionPattern": {...}, //DetectionPattern class "Description":{"value":"IDS provided an alert"} //ML_STRING } } 3.10.1. DetectionPattern Class The class elements and an example are shown below. See Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Application, Description*, DetectionConfiguration* Example: "DetectionPattern": { "Application": {...}, //SOFTWARE "Description": {"value":"The specified application needs to be reviewed"}, //ML_STRING } } 3.11. Method Class The class elements and an example are shown below. See Section 3.11 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, Reference*, Description*, AttackPattern*, Vulnerability*, Weakness* Example: "Method": { "AttackPattern": {...} //StructuredInfo "Vulnerability": {...} //StructuredInfo } Takahashi & Suzuki Expires May 14, 2018 [Page 14] Internet-Draft JSON-IODEF November 2017 3.11.1. Reference Class The class elements and an example are shown below. See Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: observable-id?, ReferenceName?, URL*, Description* Example: "Reference":{ "URL":"http://www.nict.go.jp" //URL } 3.12. Assessment Class The class elements and an example are shown below. See Section 3.12 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: occurence?, restriction?, ext-restriction?, observable-id?, IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*, MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*, Cause*, Confidence?, AdditionalData* Example: "Assessment": { "SystemImpact": {...}, //SystemImpact class "BusinessImpact": {...}, //BusinessImpact class "TimeImpact": {...}, //TimeImpact class "MonetaryImpact": {...}, //MonetaryImpact class "IntendedImpact": {...}, //IntendedImpact class "Counter": "5", //Counter class "MitigationFactor": {"value":"Rebooting is required"}//ML_STRING "Cause": {"value":"Malware Infection"} //ML_STRING } } 3.12.1. SystemImpact Class The class elements and an example are shown below. See Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Takahashi & Suzuki Expires May 14, 2018 [Page 15] Internet-Draft JSON-IODEF November 2017 Class elements: severity?, completion?, type, ext-type?, Description* Example: "SystemImpact":{ "severity":"high", //ENUM "completion": "successful" //ENUM "type":"integrity-data" //ENUM "Description":{"value":"The web page was falsified"} //ML_STRING }, 3.12.2. BusinessImpact Class The class elements and an example are shown below. See Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: severity?, ext-severity?, type, ext-type?, Description* Example: "BusinessImpact": { "severity":"medium", //ENUM "completion": "successful" //ENUM "type": "degraded-reputation" //ENUM "Description":{"value":"The web page was falsified"} //ML_STRING } 3.12.3. TimeImpact Class The class elements and an example are shown below. See Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, severity?, metric, ext-metric?, duration?, ext-duration? Example: Takahashi & Suzuki Expires May 14, 2018 [Page 16] Internet-Draft JSON-IODEF November 2017 "TimeImpact":{ "time": "240" //REAL "metric": "elapsed" //ENUM "duration": "minutes" //ENUM } 3.12.4. MonetaryImpact Class The class elements and an example are shown below. See Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, severity?, currency? Example: "MonetaryImpact":{ "money": "10000", //REAL "severity": "medium", //ENUM "currency": "USD", //STRING } 3.12.5. Confidence Class The class elements and an example are shown below. See Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, rating, ext-rating? Example: "Confidence": { "value": "5" //REAL "rating": "medium" //ENUM } 3.13. History Class The class elements and an example are shown below. See Section 3.13 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: Takahashi & Suzuki Expires May 14, 2018 [Page 17] Internet-Draft JSON-IODEF November 2017 restriction?, ext-restriction?, HistoryItem+ Example: "History": { "restriction": "need-to-know" //ENUM "HistoryItem": { ... } //HistoryItem class }, 3.13.1. HistoryItem Class The class elements and an example are shown below. See Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: action, ext-action?, restriction?, ext-restriction?, observable-id?, DateTime, IncidentID?, Contact?, Description*, DefinedCOA*, AdditionalData* Example: "HistoryItem": { "action": "investigate" //ENUM "restriction": "need-to-know" //ENUM "DateTime": "2015-10-15T11:18:00-05:00", //DateTime "IncidentID" { ...}, //IncidentID class } 3.14. EventData Class The class elements and an example are shown below. See Section 3.14 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Description*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, Contact*, Discovery*, Assessment?, Method*, Flow*, Expectation*, Record?, EventData*, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 18] Internet-Draft JSON-IODEF November 2017 "EventData": { "ReportTime": "2016-06-01 18:05:33", "Contact": { ...}, //Contact class "Assessment": { ...}, //Assessment class "Method": { ...}, //Method class "System": { ... }, //System class "Expectation": { ...}, //Expectation class 3.15. Expectation Class The class elements and an example are shown below. See Section 3.15 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: action?, ext-action?, severity?, restriction?, ext-restriction?, Description*, DefinedCOA*, StartTime?, EndTime?, Contact? Example: "Expectation": { "action": "investigate" //ENUM "severity": "medium" //ENUM "restriction": "need-to-know" //ENUM }, 3.16. System Class The class elements and an example are shown below. See Section 3.17 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: category?, ext-category?, interface?, spoofed?, virtual?, ownership?, ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*, Service*, OperatingSystem*, Counter*, AssetID*, Description*, AdditionalData* Example: "System": { "category": "source", //ENUM "Node": { ... }, //Node class "Service": { ... }, //Service class }, Takahashi & Suzuki Expires May 14, 2018 [Page 19] Internet-Draft JSON-IODEF November 2017 3.17. Node Class The class elements and an example are shown below. See Section 3.18 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: DomainData*, Address*, PostalAddress?, Location*, Counter* Example: "Node": { "Address": { ... }, //Address class "Location": {"value":"OrgID=7"} //ML_STRING } 3.17.1. Address Class The class elements and an example are shown below. See Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, category, ext-category?, vlan-name?, vlan-num?, observable-id? Example: "Address": { "value": """192.228.139.118", //STRING "category": "ipv4-addr", //ENUM }, 3.17.2. NodeRole Class The class elements and an example are shown below. See Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: category, ext-category?, Description* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 20] Internet-Draft JSON-IODEF November 2017 "NodeRole": { "category": "client" //ENUM "Description": {"value":"The computer at room A"} //ML_STRING }, 3.17.3. Counter Class The class elements and an example are shown below. See Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, type, ext-type?, unit, ext-unit?, meaning?, duration?, ext- duration? Example: "Counter": { "value": "3", //REAL "type": "count", //ENUM "unit": "packet" //ENUM "meaning": {"value":"The number of scan packets are counted"}, //ML_STRING } 3.18. DomainData Class The class elements and an example are shown below. See Section 3.19 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: system-status, ext-system-status?, domain-status, ext-domain-status?, observable-id?, Name, DateDomainWasChecked?, RegistrationDate?, ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts? Example: "DomainData": { "system-status": "innocent-hacked", //ENUM "domain-status": "assignedAndInactive", //STRING "Name": "temp1.nict.go.jp" //STRING }, Takahashi & Suzuki Expires May 14, 2018 [Page 21] Internet-Draft JSON-IODEF November 2017 3.18.1. Nameserver Class This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Server, Address* Example: "NameServers": { "Server": "vgw.nict.go.jp", //STRING "Address": { "AddressValue": "133.243.18.5", //STRING "category": "ipv4-addr" //ENUM } } 3.18.2. DomainContacts Class This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: SameDomainContact?, Contact+ Example: "DomainContacts": { "Contact": { "role": "user", //ENUM "type": "organization" //ENUM } } 3.19. Service Class This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeader?, EmailData?, Application? Takahashi & Suzuki Expires May 14, 2018 [Page 22] Internet-Draft JSON-IODEF November 2017 Example: "Service": { "ServiceName": { "Description": "It seems to be a scan from an infected machine." }, "ip-protocol": 6, //INTEGER "Port": 49183 //INTEGER } 3.19.1. ServiceName Class This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: IANAService?, URL*, Description* Example: "ServiceName": { "IANAService": "telnet" //STRING "URL": "https://en.wikipedia.org/wiki/Telnet" //STRING "Description": "It seems to be a scan from an infected machine." //STRING }, 3.19.2. ApplicationHeader Class This class is defined in Section 3.20.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: ApplicationHeaderField+ Example: "ApplicationHeader": { "ApplicationHeaderField": {} } 3.20. EmailData Class This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Takahashi & Suzuki Expires May 14, 2018 [Page 23] Internet-Draft JSON-IODEF November 2017 observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, HashData*, SignatureData* Example: "EmailData":{ "EmailTo": "user1@example.org" //EMAIL "EmailFrom": "user2@example.com" //EMAIL "EmailSubject": "example email" //STRING "EmailX-Mailer": "example mailer v1.1.0" //STRING "EmailBody": "example email" //STRING } 3.21. Record Class This class is defined in Section 3.22 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, RecordData+ Example: "Record": { "RecordData": { "RecordPattern": { "type": "regex", //ENUM "value": "[0-9][A-Z]" } }, "RecordItem": {} }, 3.21.1. RecordData Class This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, DateTime?, Description*, Application?, RecordPattern*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*, CertificateData*, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 24] Internet-Draft JSON-IODEF November 2017 "RecordData": { "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" } }, 3.21.2. RecordPattern Class This class is defined in Section 3.22.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, value Example: "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" }, 3.22. WindowsRegistryKeysModified Class This class is defined in Section 3.23 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, Key+ Example: "WindowsRegistryKeysModified": { "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING } } 3.22.1. Key Class This class is defined in Section 3.23.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Takahashi & Suzuki Expires May 14, 2018 [Page 25] Internet-Draft JSON-IODEF November 2017 registryaction?, ext-registryaction?, observable-id?, KeyName, KeyValue? Example: "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING } 3.23. CertificateData Class This class is defined in Section 3.24 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, Certificate+ Example: "CertificateData": { "Certificate": { "X509Data": "xxxxxxxx" //STRING } } 3.23.1. Certificate Class This class is defined in Section 3.24.1 of RFC 7970 [RFC7970]. The X509Data class contains base64 encoded form of X.509 certificate or chain as described in Section 4.4.4 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON. Class elements: observable-id?, X509Data, Description* Example: "Certificate": { "X509Data": "xxxxxxxx" //STRING } Takahashi & Suzuki Expires May 14, 2018 [Page 26] Internet-Draft JSON-IODEF November 2017 3.24. FileData Class This class is defined in Section 3.25 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, File+ Example: "FileData": { "File": { "FileName": "dummy.exe" //STRING } }, 3.24.1. File Class This class is defined in Section 3.25.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, SignatureData?, AssociatedSoftware?, FileProperties* Example: "File": { "FileName": "dummy.exe" //STRING } 3.25. HashData Class This class is defined in Section 3.26 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: scope, HashTargetID?, Hash*, FuzzyHash* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 27] Internet-Draft JSON-IODEF November 2017 "HashData": { "scope": "file-contents", //ENUM "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING } } 3.25.1. Hash Class This class is defined in Section 3.26.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: DigestMethod, DigestValue, CanonicalizationMethod?, Application? Example: "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING } 3.25.2. FuzzyHash Class This class is defined in Section 3.26.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: FuzzyHashValue+, Application?, AdditionalData? Example: "FuzzyHash": { "FuzzyHashValue": {} } 3.26. SignatureData Class This class is defined in Section 3.27 of RFC 7970 [RFC7970]. The Signature class contains base64 encoded form of signature as described in Section 4.2 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON. Class elements: Takahashi & Suzuki Expires May 14, 2018 [Page 28] Internet-Draft JSON-IODEF November 2017 Signature+ Example: "SignatureData": { "Signature": "xxxxxxxx" //STRING } 3.27. Indicator Class This class is defined in Section 3.29 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*, Description*, StartTime?, EndTime?, Confidence?, Contact*, Observable?, ObservableReference?, IndicatorExpression?, IndicatorReference?, NodeRole*, AttackPhase*, Reference*, AdditionalData* Example: "Indicator": { "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1" //STRING }, "Description": "C2 domains", //ML_STRING "StartTime": "2014-12-02T11:18:00-05:00", //Datetime "Observable": { "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRIN ] } } Takahashi & Suzuki Expires May 14, 2018 [Page 29] Internet-Draft JSON-IODEF November 2017 3.27.1. IndicatorID Class This class is defined in Section 3.29.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: id, name, version Example: "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1" //STRING } 3.27.2. AlternativeIndicatorID Class This class is defined in Section 3.29.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, IndicatorReference+ Example: "AlternativeIndicatorID": { "IndicatorReference": { "uid-ref": "xxxxx" } }, 3.27.3. Observable Class This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, System?, Address?, DomainData?, Service?, EmailData?, WindowsRegistryKeysModified?, FileData?, CertificateData?, RegistryHandle?, RecordData?, EventData?, Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?, HistoryItem?, BulkObservable?, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 30] Internet-Draft JSON-IODEF November 2017 "Observable": { "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] } 3.27.4. BulkObservable Class This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: type?, ext-type?, BulkObservableFormat?, BulkObservableList, AdditionalData* Example: "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] 3.27.5. BulkObservableFormat Class This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Hash?, AdditionalData* Example: Takahashi & Suzuki Expires May 14, 2018 [Page 31] Internet-Draft JSON-IODEF November 2017 "BulkObservableFormat": { "Hash": { "DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING } } 3.27.6. IndicatorExpression Class This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: operator?, ext-operator?, IndicatorExpression*, Observable*, ObservableReference*, IndicatorReference*, Confidence?, AdditionalData* Example: "IndicatorExpression": { "ObservableReference": { "uid-ref": "xxxxx" } } 3.27.7. ObservableReference Class This class is defined in Section 3.29.6 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: uid-ref Example: "ObservableReference": { "uid-ref": "xxxxx" }, 3.27.8. IndicatorReference Class This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Takahashi & Suzuki Expires May 14, 2018 [Page 32] Internet-Draft JSON-IODEF November 2017 uid-ref?, euid-ref?, version? Example: "IndicatorReference": { "uid-ref": "xxxxx" } 3.27.9. AttackPhase Class This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: AttackPhaseID*, URL*, Description*, AdditionalData* Example: "AttackPhase": { "Description": "Currently, the infected host is scanning arbitrary hosts to find next targets." //ML_STRING } 4. Notable differences from RFC 7970 (to be deleted) o This document treats attributes and elements of each class defined in RFC 7970 [RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and EventData class now has the instance of System class. o Record class is deleted, and the link to the Record class are directly connected to RecordData class, which is then renamed to Record class. 5. Examples This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information. 5.1. Minimal Example A document containing only the mandatory elements and attributes. Takahashi & Suzuki Expires May 14, 2018 [Page 33] Internet-Draft JSON-IODEF November 2017 { "version": "2.0", "lang": "en", "Incident": [ { "purpose": "reporting", "restriction": "private", "IncidentID": { "id": 492382, "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [ { "type": "organization", "role": "creator", "email": { "emailTo": "contact@csirt.example.com" } } ] } ] } 5.2. Indicators from a Campaign An example of C2 domains from a given campaign. { "version": "2.0", "lang": "en", "Incidents": [ { "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [ { "ThreatActor": [ { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", "Description": "Aggressive Butterfly" } ], Takahashi & Suzuki Expires May 14, 2018 [Page 34] Internet-Draft JSON-IODEF November 2017 "Campaign": [ { "CampaignID": "C-2015-59405", "Description": "Orange Giraffe" } ] } ], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": [ "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." ], "Assessment": [ { "BusinessImpact": { "type": "breach-proprietary" } } ], "Contacts": [ { "type": "organization", "role": "creator", "ContactName": "CSIRT for example.com", "Email": { "emailTo": "contact@csirt.example.com" } } ], "IndicatorList": [ { "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": "C2 domains", "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { "type": "fqdn" }, "BulkObservableList": [ "kj290023j09r34.example.com", "09ijk23jfj0k8.example.net", "klknjwfjiowjefr923.example.org", "oimireik79msd.example.org" ] Takahashi & Suzuki Expires May 14, 2018 [Page 35] Internet-Draft JSON-IODEF November 2017 } } ] } ] } 6. The IODEF Data Model (JSON Schema) { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site","contact-target-site", "contact-sender", "investigate","block-host","block-network", "block-port","rate-limit-host","rate-limit-network", "rate-limit-port","redirect-traffic","honeypot", "upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","ext-value"]}, "duration": {"enum": ["second","minute","hour","day","month","quarter", "year","ext-value"]}, "lang": {"enum": ["en","jp"]}, "purpose": {"enum": ["traceback","mitigation","reporting","watch","other", "ext-value"]}, "restriction": {"enum": ["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved","future", "ext-value"]}, "DATETIME": {"type": "string"}, "PORTLIST": {"type": "string"}, "URLtype": {"type": "string"}, "IDtype": {"type": "string"}, "ExtensionType": { "type": "object", "properties": { "name": {"type": "string"}, "dtype": {"enum": ["boolean","byte","bytes","character","date-time", "ntpstamp","integer","portlist","real","string","file", "path","frame","packet","ipv4-packet","ipv6-packet","url", "csv","winreg","xml","ext-value"]}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 36] Internet-Draft JSON-IODEF November 2017 "SoftwareType": { "type": "object", "properties": { "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, "URL": {"$ref": "#/definitions/URLtype"}, "Description": {"type": "string"}}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"}, "dtype": {"type": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, "StructuredInfo": { "type": "object", "properties": { "specID": {"type": "string"}, "ext-specID": {"type": "string"}, "contentID": {"type": "string"}, "RawData": {"type": "string"}, "URL": {"$ref": "#/definitions/URLtype"}}, "required": ["specID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}}, "DetectTime": {"type": "string"}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, Takahashi & Suzuki Expires May 14, 2018 [Page 37] Internet-Draft JSON-IODEF November 2017 "RecoveryTime": {"type": "string"}, "ReportTime": {"type": "string"}, "GenerationTime": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}, "Discovery": { "type": "array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment": { "type": "array","items": {"$ref": "#/definitions/Assessment"}}, "Methods": { "type": "array","items": {"$ref": "#/definitions/Method"}}, "Contacts": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "EventData": { "type": "array","items": {"$ref": "#/definitions/EventData"}}, "IndicatorList": { "type": "array","items": {"$ref": "#/definitions/Indicator"}}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IncidentID","GenerationTime","Contacts","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required": ["name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { "type": "array","items":{"$ref": "#/definitions/IncidentID"}}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IncidentID": { Takahashi & Suzuki Expires May 14, 2018 [Page 38] Internet-Draft JSON-IODEF November 2017 "type": "array","items": {"$ref": "#/definitions/IncidentID"}}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "ThreatActor": { "type": "array","items": {"$ref": "#/definitions/ThreatActor"}}, "Campaign": { "type": "array","items": {"$ref": "#/definitions/Campaign"}}, "IndicatorID": { "type": "array","items": {"$ref": "#/definitions/IndicatorID"}}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "ThreatActorID": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "CampaignID": {"type": "array", "items": {"type": "string"}}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array", "items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum": ["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "ContactName": {"type": "array", "items": {"type": "string"}}, "ContactTitle": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}}, "RegistryHandle": { "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 39] Internet-Draft JSON-IODEF November 2017 "PostalAddress": { "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}}, "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}}, "Timezone": {"type": "string"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local", "ext-value"]}, "ext-registry": {"type": "string"}}, "required": ["registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": {"type": "string"}, "ext-type": {"type": "string"}, "PAddress": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, Takahashi & Suzuki Expires May 14, 2018 [Page 40] Internet-Draft JSON-IODEF November 2017 "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}}, "DetectionPattern": { "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": {"type": "array", "items": {"type": "string"}}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}}}, "required": ["Application"], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "References": { "type": "array","items": {"$ref": "#/definitions/Reference"}}, "Description": {"type": "array", "items": {"type": "string"}}, "AttackPattern": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Vulnerability": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Weakness": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 41] Internet-Draft JSON-IODEF November 2017 "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "ReferenceName": {"type": "string"}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": [], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": {"type": "array", "items": {"type": "string"}}, "SystemImpact": { "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, "BusinessImpact": { "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "TimeImpact": { "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, "MonetaryImpact": { "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}}, "IntendedImpact": { "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}}, "MitigatingFactor": { "type": "array", "items": {"$type": "string"}}, "Cause": {"type": "array", "items": {"$type": "string"}}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { "severity": { "enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { "enum":["takeover-account","takeover-service","takeover-system", "cps-manipulation","cps-damage","availability-data", "availability-account","availability-service", Takahashi & Suzuki Expires May 14, 2018 [Page 42] Internet-Draft JSON-IODEF November 2017 "availability-system","damaged-system","damaged-data", "breach-proprietary","breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic","monitoring-host", "policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity": { "enum":["none","low","medium","high","unknown","ext-value"]}, "ext-severity": {"type":"string"}, "type": { "enum":["breach-proprietary","breach-privacy","breach-credential", "loss-of-integrity","loss-of-service","theft-financial", "theft-service","degraded-reputation","asset-damage", "asset-manipulation","legal","extortion","unknown", "ext-value"]}, "ext-type": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"type": "number"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, "duration": {"$ref":"#/definitions/duration"}, "ext-duration": {"type": "string"}}, "required": ["metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"type": "number"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, "required": [], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { Takahashi & Suzuki Expires May 14, 2018 [Page 43] Internet-Draft JSON-IODEF November 2017 "value": {"type": "number"}, "rating": { "enum": ["low","medium","high","numeric","unknown","ext-value"]}, "ext-rating": {"type":"string"}}, "required": ["rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action": {"$ref": "#/definitions/action"}, "ext-action": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": {"type": "array","items": {"type": "string"}}, "DefinedCOA": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array","items": {"type": "string"}}, "DetectTime": {"type": "string"}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, "RecoveryTime": {"type": "string"}, "ReportTime": {"type": "string"}, "Contact": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "Discovery": { "type": "array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment": {"$ref": "#/definitions/Assessment"}, Takahashi & Suzuki Expires May 14, 2018 [Page 44] Internet-Draft JSON-IODEF November 2017 "Method": { "type": "array","items": {"$ref": "#/definitions/Method"}}, "System": { "type": "array","items": {"$ref": "#/definitions/System"}}, "Expectation": { "type": "array","items": {"$ref": "#/definitions/Expectation"}}, "Record": {"$ref": "#/definitions/Record"}, "EventData": { "type": "array","items": {"$ref": "#/definitions/EventData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["ReportTime"], "additionalProperties": false}, "Expectation": { "type": "object", "properties": { "action": {"$ref":"#/definitions/action"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array","items": {"type": "string"}}, "DefinedCOA": {"type": "array","items": {"type": "string"}}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor","infrastructure", "ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed": {"enum": ["unknown","yes","no"]}, "virtual": {"enum": ["yes","no","unknown"]}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 45] Internet-Draft JSON-IODEF November 2017 "Service": { "type": "array","items": {"$ref": "#/definitions/Service"}}, "OperatingSystem": { "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, "Counter": { "type": "array","items": {"$ref": "#/definitions/Counter"}}, "AssetID": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array","items": {"$ref": "#/definitions/DomainData"}}, "Address": { "type": "array","items": {"$ref": "#/definitions/Address"}}, "PostalAddress": {"type": "string"}, "Location": {"type": "array","items": {"type": "string"}}, "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}}, "required": [], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": { "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-url","ext-value"]}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "integer"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","clent-partner","client-remote", "client-kiosk","client-mobile","server-internal", "server-public","www","mail","webmail","messaging", "streaming","voice","file","ftp","p2p","name","directory", "credential","print","application","database","backup", "dhcp","assessment","source-control","config-management", "monitoring","infra","infra-firewall","infra-router", Takahashi & Suzuki Expires May 14, 2018 [Page 46] Internet-Draft JSON-IODEF November 2017 "infra-switch","camera","proxy","remote-access","log", "virtualization","pos", "scada", "scada-supervisory", "sinkhole","honeypot","anomyzation","c2-server", "malware-distribution","drop-server","hot-point","reflector", "phishing-site","spear-phishing-site","recruiting-site", "fraudulent-site","ext-value"]}, "ext-category": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit": {"enum": ["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration": {"$ref":"#/definitions/duration"}, "ext-duration": {"type": "string"}}, "required": ["type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { "enum": [ "reservedDelegation","assignedAndActive","assignedAndInactive", "assignedAndOnHold","revoked","transferPending","registryLock", "registrarLock","other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "NameServers": { "type": "array","items": {"$ref": "#/definitions/NameServers"}}, "DomainContacts": { "type": "array","items": {"$ref": "#/definitions/DomainContacts"}}}, Takahashi & Suzuki Expires May 14, 2018 [Page 47] Internet-Draft JSON-IODEF November 2017 "required": ["Name","system-status","domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}}, "required": ["Contact"], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "integer"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "integer"}, "Portlist": {"$ref": "#/definitions/PORTLIST"}, "ProtoCode": {"type": "integer"}, "ProtoType": {"type": "integer"}, "ProtoField": {"type": "integer"}, "ApplicationHeader": {"$ref": "#/definitions/ApplicationHeader"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array","items": {"type": "string"}}}, "required": [], "additionalProperties": false}, "ApplicationHeader": { "type": "object", "properties": { "ApplicationHeaderField": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "required": ["ApplicationHeaderField"], "additionalProperties": false}, "EmailData": { Takahashi & Suzuki Expires May 14, 2018 [Page 48] Internet-Draft JSON-IODEF November 2017 "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": {"type": "array","items": {"type": "string"}}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array","items": {"$ref": "#/definitions/HashData"}}, "SignatureData": { "type": "array","items": {"$ref": "#/definitions/SignatureData"}}}, "required": [], "additionalProperties": false}, "Record":{ "type": "object", "properties":{ "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "RecordData": { "type": "array","items": {"$ref": "#/definitions/RecordData"}}}, "required":["RecordData"], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": {"type": "array","items": {"type": "string"}}, "Applicadtion": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, "RecordItem": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "FileData": { "type": "array","items": {"$ref": "#/definitions/FileData"}}, "WindowsRegistryKeysModified": { "type": "array", "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, "CertificateData": { Takahashi & Suzuki Expires May 14, 2018 [Page 49] Internet-Draft JSON-IODEF November 2017 "type": "array","items": {"$ref": "#/definitions/CertificateData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false }, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["regex","binary","xpath","ext-value"]}, "ext-type": {"type": "string"}, "offset": {"type": "integer"}, "offsetunit": {"enum":["line","byte","ext-value"]}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "integer"}}, "required": ["type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observabile-id": {"$ref": "#/definitions/IDtype"}, "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array","items": {"$ref": "#/definitions/Certificate"}}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", Takahashi & Suzuki Expires May 14, 2018 [Page 50] Internet-Draft JSON-IODEF November 2017 "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {type: "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["X509Data"], "additionalProperties": false}, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { "FileName": {"type": "string"}, "FileSize": {"type": "integer"}, "FileType": {"type": "string"}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "HashData": {"$ref": "#/definitions/HashData"}, "SignatureData": {"$ref": "#/definitions/SignatureData"}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", "properties": { "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", "file-pe-resource","file-pdf-object","email-hash", "email-hash-header","email-hash-body"]}, "HashTargetID": {"type": "string"}, "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, "FuzzyHash": { "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"type": "string"}, "DigestValue": {"type": "string"}, "CanonicalizationMethod": {}, "Application": {"$ref": "#/definitions/SoftwareType"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 51] Internet-Draft JSON-IODEF November 2017 "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "SignatureData": { "type": "object", "properties": { "Signature": {"type": "array","items": {"type": "string"}}}, "required": ["Signature"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "Description": {"type": "array","items": {"type": "string"}}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "Observable": {"$ref": "#/definitions/Observable"}, "ObservableReference": {"$ref": "#/definitions/ObservableReference"}, "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "AttackPhase": { "type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "Reference": { "type": "array","items": {"$ref": "#/definitions/Reference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IndicatorID"], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { Takahashi & Suzuki Expires May 14, 2018 [Page 52] Internet-Draft JSON-IODEF November 2017 "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, "required": ["name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}}}, "required": ["IndicatorReference"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "Record": {"$ref": "#/definitions/Record"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"type": "string"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", "site-url","domain-name","domain-to-ipv4","domain-to-ipv6", Takahashi & Suzuki Expires May 14, 2018 [Page 53] Internet-Draft JSON-IODEF November 2017 "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", "ipv4-port","ipv6-port","windows-reg-key","file-hash", "email-x-mailer","email-subject","http-user-agent", "http-request-url","mutex","file-path","user-name", "ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "string"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator": {"enum": ["not","and","or","xor"]}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}}, "Observable": { "type": "array","items": {"$ref": "#/definitions/Observable"}}, "ObservableReference": { "type": "array", "items": {"$ref": "#/definitions/ObservableReference"}}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "ObservableReference": { "type": "object", "properties": {"uid-ref": {"type": "string"}}, "required": ["uid-ref"], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"type": "string"}, "euid-ref": {"type": "string"}, "version": {"type": "string"}}, Takahashi & Suzuki Expires May 14, 2018 [Page 54] Internet-Draft JSON-IODEF November 2017 "required": [], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": {"type": "array","items": {"type": "string"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type": "array","items": {"$ref": "#/definitions/Incident"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} Figure 1: JSON schema 7. Acknowledgements TBD. 8. IANA Considerations This memo includes no request to IANA. 9. Security Considerations This memo does not provide any further security considerations than the one described in RFC 7970 [RFC7970]. 10. References 10.1. Normative References [jsonschema] "JSON Schema", 2006. Takahashi & Suzuki Expires May 14, 2018 [Page 55] Internet-Draft JSON-IODEF November 2017 http://json-schema.org/ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>. 10.2. Informative References [DOMINATION] Mad Dominators, Inc., "Ultimate Plan for Taking Over the World", 1984, <http://www.example.com/dominator.html>. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999, <https://www.rfc-editor.org/info/rfc2629>. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, DOI 10.17487/RFC5226, May 2008, <https://www.rfc-editor.org/info/rfc5226>. Authors' Addresses Takeshi Takahashi NICT 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Takahashi & Suzuki Expires May 14, 2018 [Page 56] Internet-Draft JSON-IODEF November 2017 Mio Suzuki NICT 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp Takahashi & Suzuki Expires May 14, 2018 [Page 57]