CBOR/JSON binding of IODEF
draft-ietf-mile-jsoniodef-06
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8727.
|
|
---|---|---|---|
Authors | Takeshi Takahashi , Roman Danyliw , Mio Suzuki | ||
Last updated | 2018-11-03 | ||
Replaces | draft-takahashi-mile-jsoniodef | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-09)
by Robert Sparks
Almost ready
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Document shepherd | (None) | ||
IESG | IESG state | Became RFC 8727 (Proposed Standard) | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
draft-ietf-mile-jsoniodef-06
MILE T. Takahashi Internet-Draft NICT Intended status: Standards Track R. Danyliw Expires: May 7, 2019 CERT M. Suzuki NICT November 3, 2018 CBOR/JSON binding of IODEF draft-ietf-mile-jsoniodef-06 Abstract RFC7970 specified an information model and a corresponding XML data model for exchanging incident and indicator information. This draft provides an alternative data model implementation in CBOR/JSON. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on May 7, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Takahashi, et al. Expires May 7, 2019 [Page 1] Internet-Draft JSON-IODEF November 2018 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.2. Software and SoftwareReference . . . . . . . . . . . 6 2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 6 2.2.4. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 7 3.2. Mapping between CBOR/JSON and XML IODEF . . . . . . . . . 17 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 18 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 20 5. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 24 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 42 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 8. Security Considerations . . . . . . . . . . . . . . . . . . . 43 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 9.1. Normative References . . . . . . . . . . . . . . . . . . 43 9.2. Informative References . . . . . . . . . . . . . . . . . 43 Appendix A. Data Types used in this document . . . . . . . . . . 43 Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 76 1. Introduction [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively in this document. This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using CDDL and JSON Schema [jsonschema]. This JSON data model is referred to as IODEF JSON in this document. Takahashi, et al. Expires May 7, 2019 [Page 2] Internet-Draft JSON-IODEF November 2018 IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information. The normative IODEF JSON data model is found in Section 5. Section 2 and Section 3 describe the data types and elements of this data model. Section 4 provides examples. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. IODEF Data Types The abstract IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970]. 2.1. Abstract Data Type to JSON Data Type Mapping IODEF JSON uses native and derived JSON data types. Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON. Takahashi, et al. Expires May 7, 2019 [Page 3] Internet-Draft JSON-IODEF November 2018 +-----------------+-------------------+-------------------------------+ | IODEF Data Type | [RFC7970] | JSON Data Type | | | Reference | | +-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 | "integer" per [jsonschema] | | REAL | Section 2.2 | "number" per [jsonschema] | | CHARACTER | Section 2.3 | "string" per [jsonschema] | | STRING | Section 2.3 | "string" per [jsonschema] | | ML_STRING | Section 2.4 | see Section 2.2.1 | | BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] | | POSTAL | Section 2.10 | "string" per [jsonschema] | | | | / ML_STRING, Section 2.2.1 | | PHONE | Section 2.11 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] | | ID | Section 2.14 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] | | SOFTWARE | Section 2.15 | see Section 2.2.2 | | STRUCTURED | RFC 7213 | see Section 2.2.3 | | EXTENSION | Section 2.16 | see Section 2.2.4 | +-----------------+-------------------+-------------------------------+ Figure 1: JSON Data Types Takahashi, et al. Expires May 7, 2019 [Page 4] Internet-Draft JSON-IODEF November 2018 +-----------------+------------------+---------------------------------+ | IODEF Data Type | CBOR Data Type | CDDL prelude | | | | [draft-ietf-cbor-cddl-05] | +-----------------+------------------+---------------------------------+ | INTEGER | 6 tag 2, 6 tag 3 | integer | | REAL | 7 bits 26 | float32 | | CHARACTER | 3 text string | text | | STRING | 3 text string | text | | ML_STRING | 5 map | Maps/Structs (Section 3.5.1) | | BYTE | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy | | HEXBIN | 2 byte string | bytes | | HEXBIN[] | 2 byte string | bytes | | ENUM | - | Choices (Section 2.2.2) | | DATETIME | 6 tag 0 | tdate | | TIMEZONE | 3 text string | text | | PORTLIST | 3 text string | text | | POSTAL | 3 text string | text | | | | or Maps/Structs(Section 3.5.1) | | PHONE | 3 text string | text | | EMAIL | 3 text string | text | | URL | 6 tag 32 | uri | | ID | 3 text string | text | | IDREF | 3 text string | text | | SOFTWARE | 5 map | Maps/Structs (Section 3.5.1) | | STRUCTURED | 5 map | Maps/Structs (Section 3.5.1) | | EXTENSION | 5 map | Maps/Structs (Section 3.5.1) | +-----------------+------------------+---------------------------------+ Figure 2: CBOR Data Types 2.2. Complex JSON Types 2.2.1. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 5. Examples are shown below. "MLStringType": { "value": "free-form text", //STRING "lang": "en", //ENUM "translation-id": "jp2en0023" //STRING } Takahashi, et al. Expires May 7, 2019 [Page 5] Internet-Draft JSON-IODEF November 2018 2.2.2. Software and SoftwareReference A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 5. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, //SoftwareReference "Description": ["MS Windows"] //STRING } SoftwareReference class is a reference to a particular version of software. Examples are shown below. "SoftwareReference": { "value": "cpe:/a:google:chrome:59.0.3071.115 ", //STRING "spec-name": "cpe", //ENUM "dtype": "string", //ENUM } 2.2.3. StructuredInfo Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that this type was originally specified in RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInformation": { "SpecID": "cve", //ENUM "ContentID": "CVE-2007-5000" //STRING } When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInformation": { "SpecID": "oval", //ENUM "RawData": "<<<strings encoded with base64>>>" //BYTE } Takahashi, et al. Expires May 7, 2019 [Page 6] Internet-Draft JSON-IODEF November 2018 2.2.4. EXTENSION Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below. "ExtensionType": { "value": "xxxxxxx", //String "name": "Syslog", //String "dtype": "string", //String "meaning": "Syslog from the security appliance X", //String } 3. IODEF JSON Data Model 3.1. Classes and Elements The following table shows the list of IODEF Classes, their elements, and the corresponding section in [RFC7970]. Note that the complete JSON schema is defined in Section 5 usind CDDL. +-----------------------------+--------------------+---------------+ | IODEF Class | Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | Takahashi, et al. Expires May 7, 2019 [Page 7] Internet-Draft JSON-IODEF November 2018 | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenerationTime | | | | Description* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | Takahashi, et al. Expires May 7, 2019 [Page 8] Internet-Draft JSON-IODEF November 2018 | | URL* | | | | Description* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*, | | | | ContactTitle* | | | | Description* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle | | | | registry | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type? | | | | ext-type? | | | | PAddress | | | | Description* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? | | | | ext-type? | | | | TelephoneNumber | | | | Description* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires May 7, 2019 [Page 9] Internet-Draft JSON-IODEF November 2018 | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | | | | AdditionalData* | 3.11 | +-----------------------------+--------------------+---------------+ | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigatingFactor* | | | | Cause* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | 3.12.2 | Takahashi, et al. Expires May 7, 2019 [Page 10] Internet-Draft JSON-IODEF November 2018 +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? | | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | System* | | | | Expectation* | | | | RecordData* | | Takahashi, et al. Expires May 7, 2019 [Page 11] Internet-Draft JSON-IODEF November 2018 | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? | | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | AdditionalData* | 3.16 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Counter* | 3.17 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.17.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | | | Description* | 3.17.2 | Takahashi, et al. Expires May 7, 2019 [Page 12] Internet-Draft JSON-IODEF November 2018 +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | duration? | | | | ext-duration? | 3.17.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate? | | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.18 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.18.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.18.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField*| | | | EmailData? | | | | Application? | 3.19 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | | | | URL* | | | | Description* | 3.19.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | | | EmailFrom? | | Takahashi, et al. Expires May 7, 2019 [Page 13] Internet-Draft JSON-IODEF November 2018 | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.19.2 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Application? | | | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.19.3 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.19.4 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.20 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.20.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.21 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | | | Description* | 3.21.1 | Takahashi, et al. Expires May 7, 2019 [Page 14] Internet-Draft JSON-IODEF November 2018 +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.22 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? | | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.22.1 | +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.23 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.23.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData* | 3.23.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.24 | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires May 7, 2019 [Page 15] Internet-Draft JSON-IODEF November 2018 | IndicatorID | id | | | | name | | | | version | 3.24.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorReference+| 3.24.2 | +-----------------------------+--------------------+---------------+ | Observable | restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData* | 3.24.3 | +-----------------------------+--------------------+---------------+ | BulkObservable | type? | | | | ext-type? | | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData* | 3.24.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? | | | | AdditionalData* | 3.24.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData* | 3.24.6 | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires May 7, 2019 [Page 16] Internet-Draft JSON-IODEF November 2018 | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.24.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.24.8 | +-----------------------------+--------------------+---------------+ IODEF Classes 3.2. Mapping between CBOR/JSON and XML IODEF o This document treats attributes and elements of each class defined in [RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and classes with its instances now directly have instances of EventData class that used to belong to the Flow classs. o ApplicationHeader class is deleted, and classes with its instances now directly have instances of ApplicationHeaderField class that used to belong to the ApplicationHeader class. o SignatureData class is deleted, and classes with its instances now directly have instance of Signature class that used to belong to the SignatureData class. o IndicatorData class is deleted, and classes with its instances now directly have the instances of Indicator class that used to belong to the IndicatorData class. o ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element. o Record class is replaced by RecordData class, and RecordData class is renamed to Record class. o Record class is deleted, and classes with its instances now directly have the instances of RecordData class that used to belong to the Record class. o The elements of ML_STRING type in XML IODEF document are presented as either STRING type or ML_STRING type in CBOR/JSON IODEF document. Takahashi, et al. Expires May 7, 2019 [Page 17] Internet-Draft JSON-IODEF November 2018 o The order of appearances of class elements were ignored in CBOR/ JSON version. 4. Examples This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information. 4.1. Minimal Example A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively. { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "reporting", "restriction": "private", "IncidentID": { "id": "492382", "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [{ "type": "organization", "role": "creator", "Email": [{"EmailTo": "contact@csirt.example.com"}] }] }] } Figure 3: A Minimal Example in JSON A3 # map(3) 67 # text(7) 76657273696F6E # "version" 63 # text(3) 322E30 # "2.0" 64 # text(4) 6C616E67 # "lang" 62 # text(2) 656E # "en" 68 # text(8) 496E636964656E74 # "Incident" 81 # array(1) A5 # map(5) Takahashi, et al. Expires May 7, 2019 [Page 18] Internet-Draft JSON-IODEF November 2018 67 # text(7) 707572706F7365 # "purpose" 69 # text(9) 7265706F7274696E67 # "reporting" 6B # text(11) 7265737472696374696F6E # "restriction" 67 # text(7) 70726976617465 # "private" 6A # text(10) 496E636964656E744944 # "IncidentID" A2 # map(2) 62 # text(2) 6964 # "id" 66 # text(6) 343932333832 # "492382" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 6E # text(14) 47656E65726174696F6E54696D65 # "GenerationTime" C0 # tag(0) 78 19 # text(25) 323031352D30372D31385430393A30303A30302D30353A3030 # "2015-07-18T09:00:00-05:00" 67 # text(7) 436F6E74616374 # "Contact" 81 # array(1) A3 # map(3) 64 # text(4) 74797065 # "type" 6C # text(12) 6F7267616E697A6174696F6E # "organization" 64 # text(4) 726F6C65 # "role" 67 # text(7) 63726561746F72 # "creator" 65 # text(5) 456D61696C # "Email" 81 # array(1) A1 # map(1) 67 # text(7) 456D61696C546F # "EmailTo" 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" Takahashi, et al. Expires May 7, 2019 [Page 19] Internet-Draft JSON-IODEF November 2018 Figure 4: A Minimal Example in CBOR 4.2. Indicators from a Campaign An example of C2 domains from a given campaign is shwon below in JSON and CBOR, respectively. { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [{ "ThreatActor": [{ "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "Description": ["Aggressive Butterfly"]}], "Campaign": [{ "CampaignID": ["C-2015-59405"], "Description": ["Orange Giraffe"] }] }], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."], "Assessment": [{ "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] }], "Contact": [{ "type": "organization", "role": "creator", "ContactName": ["CSIRT for example.com"], "Email": [{ "EmailTo": "contact@csirt.example.com" }] }], "Indicator": [{ "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": ["C2 domains"], "StartTime": "2014-12-02T11:18:00-05:00", Takahashi, et al. Expires May 7, 2019 [Page 20] Internet-Draft JSON-IODEF November 2018 "Observable": { "BulkObservable": { "type": "ipv6-addr", "BulkObservableList": "kj290023j09r34.example.com"} } }] }] } Figure 5: Indicators from a Campaign in JSON A3 # map(3) 67 # text(7) 76657273696F6E # "version" 63 # text(3) 322E30 # "2.0" 64 # text(4) 6C616E67 # "lang" 62 # text(2) 656E # "en" 68 # text(8) 496E636964656E74 # "Incident" 81 # array(1) A9 # map(9) 67 # text(7) 707572706F7365 # "purpose" 65 # text(5) 7761746368 # "watch" 6B # text(11) 7265737472696374696F6E # "restriction" 65 # text(5) 677265656E # "green" 6A # text(10) 496E636964656E744944 # "IncidentID" A2 # map(2) 62 # text(2) 6964 # "id" 66 # text(6) 383937393233 # "897923" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 6F # text(15) 52656C617465644163746976697479 # "RelatedActivity" 81 # array(1) A2 # map(2) 6B # text(11) Takahashi, et al. Expires May 7, 2019 [Page 21] Internet-Draft JSON-IODEF November 2018 5468726561744163746F72 # "ThreatActor" 81 # array(1) A2 # map(2) 6D # text(13) 5468726561744163746F724944 # "ThreatActorID" 81 # array(1) 78 1A # text(26) 54412D31322D414747524553534956452D425554544552464 C59 # "TA-12-AGGRESSIVE-BUTTERFLY" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 74 # text(20) 4167677265737369766520427574746572666C79 # "Aggressive Butterfly" 68 # text(8) 43616D706169676E # "Campaign" 81 # array(1) A2 # map(2) 6A # text(10) 43616D706169676E4944 # "CampaignID" 81 # array(1) 6C # text(12) 432D323031352D3539343035 # "C-2015-59405" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 6E # text(14) 4F72616E67652047697261666665 # "Orange Giraffe" 6E # text(14) 47656E65726174696F6E54696D65 # "GenerationTime" C0 # tag(0) 78 19 # text(25) 323031352D31302D30325431313A31383A30302D30353A3030 # "2015-10-02T11:18:00-05:00" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 78 6F # text(111) 53756D6D6172697A65732074686520496E64696361746F7273206F6620436 F6D70726F6D69736520666F7220746865204F72616E676520476972616666 652063616D706169676E206F6620746865204167677265737369766520427 574746572666C79206372696D652067616E672E # "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." 6A # text(10) 4173736573736D656E74 # "Assessment" 81 # array(1) Takahashi, et al. Expires May 7, 2019 [Page 22] Internet-Draft JSON-IODEF November 2018 A1 # map(1) 66 # text(6) 496D70616374 # "Impact" 81 # array(1) A1 # map(1) 6E # text(14) 427573696E657373496D70616374 # "BusinessImpact" A1 # map(1) 64 # text(4) 74797065 # "type" 72 # text(18) 6272656163682D70726F7072696574617279 # "breach-proprietary" 67 # text(7) 436F6E74616374 # "Contact" 81 # array(1) A4 # map(4) 64 # text(4) 74797065 # "type" 6C # text(12) 6F7267616E697A6174696F6E # "organization" 64 # text(4) 726F6C65 # "role" 67 # text(7) 63726561746F72 # "creator" 6B # text(11) 436F6E746163744E616D65 # "ContactName" 81 # array(1) 75 # text(21) 435349525420666F72206578616D706C652E636F6D # "CSIRT for example.com" 65 # text(5) 456D61696C # "Email" 81 # array(1) A1 # map(1) 67 # text(7) 456D61696C546F # "EmailTo" 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" 69 # text(9) 496E64696361746F72 # "Indicator" 81 # array(1) A4 # map(4) 6B # text(11) 496E64696361746F724944 # "IndicatorID" A3 # map(3) 62 # text(2) Takahashi, et al. Expires May 7, 2019 [Page 23] Internet-Draft JSON-IODEF November 2018 6964 # "id" 69 # text(9) 473930383233343930 # "G90823490" 64 # text(4) 6E616D65 # "name" 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 67 # text(7) 76657273696F6E # "version" 61 # text(1) 31 # "1" 6B # text(11) 4465736372697074696F6E # "Description" 81 # array(1) 6A # text(10) 433220646F6D61696E73 # "C2 domains" 69 # text(9) 537461727454696D65 # "StartTime" C0 # tag(0) 78 19 # text(25) 323031342D31322D30325431313A31383A30302D30353A3030 # "2014-12-02T11:18:00-05:00" 6A # text(10) 4F627365727661626C65 # "Observable" A1 # map(1) 6E # text(14) 42756C6B4F627365727661626C65 # "BulkObservable" A2 # map(2) 64 # text(4) 74797065 # "type" 69 # text(9) 697076362D61646472 # "ipv6-addr" 72 # text(18) 42756C6B4F627365727661626C654C697374 # "BulkObservableList" 78 1A # text(26) 6B6A3239303032336A30397233342E6578616D706C652E636F6D # "kj290023j09r34.example.com" Figure 6: Indicators from a Campaign in CBOR 5. The IODEF Data Model (CDDL) start = iodef ;;; iodef.json: IODEF-Document Takahashi, et al. Expires May 7, 2019 [Page 24] Internet-Draft JSON-IODEF November 2018 iodef = { version: text ? lang: lang ? format-id: text ? private-enum-name: text ? private-enum-id: text Incident: [+ Incident] ? AdditionalData: [+ ExtensionType] } duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / "year" / "ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDREFType = IDtype URLtype = uri TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]" PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*" action = "nothing" / "contact-source-site" / "contact-target-site" / "contact-sender" / "investigate" / "block-host" / "block-network" / "block-port" / "rate-limit-host" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "honeypot" / "upgrade-software" / "rebuild-asset" / "harden-asset" / "remediate-other" / "status-triage" / "status-new-info" / "watch-and-report" / "training" / "defined-coa" / "other" / "ext-value" DATETIME = tdate MLStringType = { value: text ? lang: lang ? translation-id: text } PositiveFloatType = float32 .gt 0 PAddressType = MLStringType ExtensionType = { ? ssvalue: text ? name: text dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / Takahashi, et al. Expires May 7, 2019 [Page 25] Internet-Draft JSON-IODEF November 2018 "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" ? ext-dtype: text ? meaning: text ? formatid: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype } SoftwareType = { ? SoftwareReference: SoftwareReference ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } SoftwareReference = { ? value: text spec-name: "custom" / "cpe" / "swid" / "ext-value" ? ext-spec-name: text ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string" ? ext-dtype: text } Incident = { purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value" ? ext-purpose: text ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / "ext-value" ? ext-status: text ? lang: lang ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype IncidentID: IncidentID ? AlternativeID: AlternativeID ? RelatedActivity: [+ RelatedActivity] ? DetectTime: DATETIME ? StartTime: DATETIME ? EndTime: DATETIME ? RecoveryTime: DATETIME ? ReportTime: DATETIME GenerationTime: DATETIME ? Description: [+ text / MLStringType] Takahashi, et al. Expires May 7, 2019 [Page 26] Internet-Draft JSON-IODEF November 2018 ? Discovery: [+ Discovery] ? Assessment: [+ Assessment] ? Method: [+ Method] Contact: [+ Contact] ? EventData: [+ EventData] ? Indicator: [+ Indicator] ? History: History ? AdditionalData: [+ ExtensionType] } IncidentID = { id: text name: text ? instance: text ? restriction: restriction .default "private" ? ext-restriction: text } AlternativeID = { ? restriction: restriction .default "private" ? ext-restriction: text IncidentID: [+ IncidentID] } RelatedActivity = { ? restriction: restriction .default "private" ? ext-restriction: text ? IncidentID: [+ IncidentID] ? URL: [+ URLtype] ? ThreatActor: [+ ThreatActor] ? Campaign: [+ Campaign] ? IndicatorID: [+ IndicatorID] ? Confidence: Confidence ? Description: [+ text] ? AdditionalData: [+ ExtensionType] } ThreatActor = { ? restriction: restriction .default "private" ? ext-restriction: text ? ThreatActorID: [+ text] ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Campaign = { ? restriction: restriction .default "private" Takahashi, et al. Expires May 7, 2019 [Page 27] Internet-Draft JSON-IODEF November 2018 ? ext-restriction: text ? CampaignID: [+ text] ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Contact = { role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" / "victim" / "victim-notified" / "ext-value" ? ext-role: text type: "person" / "organization" / "ext-value" ? ext-type: text ? restriction: restriction .default "private" ? ext-restriction: text ? ContactName: [+ text / MLStringType] ? ContactTitle: [+ text / MLStringType] ? Description: [+ text / MLStringType] ? RegistryHandle: [+ RegistryHandle] ? PostalAddress: [+ PostalAddress] ? Email: [+ Email] ? Telephone: [+ Telephone] ? Timezone: TimeZonetype ? Contact: [+ Contact] ? AdditionalData: [+ ExtensionType] } RegistryHandle = { handle: text registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / "local" / "ext-value" ? ext-registry: text } PostalAddress = { ? type: text ? ext-type: text PAddress: PAddressType ? Description: [+ text / MLStringType] } Email = { ? type: "direct" / "hotline" / "ext-value" ? ext-type: text EmailTo: text ? Description: [+ text / MLStringType] Takahashi, et al. Expires May 7, 2019 [Page 28] Internet-Draft JSON-IODEF November 2018 } Telephone = { ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? ext-type: text TelephoneNumber: text ? Description: [+ text / MLStringType] } Discovery = { ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / "incident" / "os-log" / "application-log" / "device-log" / "network-flow" / "passive-dns" / "investigation" / "audit" / "internal-notification" / "external-notification" / "leo" / "partner" / "actor" / "unknown" / "ext-value" ? ext-source: text ? restriction: restriction .default "private" ? ext-restriction: text ? Description: [+ text / MLStringType] ? Contact: [+ Contact] ? DetectionPattern: [+ DetectionPattern] } DetectionPattern = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Application: SoftwareType ? Description: [+ text / MLStringType] ? DetectionConfiguration: [+ text] } Method = { ? restriction: restriction .default "private" ? ext-restriction: text ? Reference: [+ Reference] ? Description: [+ text / MLStringType] ? AttackPattern: [+ StructuredInformation] ? Vulnerability: [+ StructuredInformation] ? Weakness: [+ StructuredInformation] ? AdditionalData: [+ ExtensionType] } StructuredInformation = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? RawData: [+ ExtensionType] Takahashi, et al. Expires May 7, 2019 [Page 29] Internet-Draft JSON-IODEF November 2018 ? Reference:[+ Reference] ? Platform:[+ Platform] ? Scoring:[+ Scoring] } Platform = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? RawData: [+ ExtensionType] ? Reference: [+ Reference] } Scoring = { SpecID: SpecID ? ext-SpecID: text ? ContentID: text ? RawData: [+ ExtensionType] ? Reference: [+ Reference] } Reference = { ? observable-id: IDtype ? ReferenceName: ReferenceName ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } ReferenceName = { specIndex: integer ID: IDtype } Assessment = { ? occurrence: "actual" / "potential" ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype ? IncidentCategory: [+ text / MLStringType] Impact: [+ {SystemImpact: SystemImpact} / {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} / {MonetaryImpact: MonetaryImpact} / {IntendedImpact: BusinessImpact}] ? Counter: [+ Counter] ? MitigatingFactor: [+ text / MLStringType] ? Cause: [+ text / MLStringType] ? Confidence: Confidence ? AdditionalData: [+ ExtensionType] } SystemImpact = { Takahashi, et al. Expires May 7, 2019 [Page 30] Internet-Draft JSON-IODEF November 2018 ? severity: "low" / "medium" / "high" ? completion: "failed" / "succeeded" type: "takeover-account" / "takeover-service" / "takeover-system" / "cps-manipulation" / "cps-damage" / "availability-data" / "availability-account" / "availability-service" / "availability-system" / "damaged-system" / "damaged-data" / "breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-configuration" / "integrity-data" / "integrity-configuration" / "integrity-hardware" / "traffic-redirection"/"monitoring-traffic"/"monitoring-host"/ "policy" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ text / MLStringType] } BusinessImpact = { ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown" ? ext-severity: text type: "breach-proprietary" / "breach-privacy" / "breach-credential" / "loss-of-integrity" / "loss-of-service" / "theft-financial" / "theft-service" / "degraded-reputation" / "asset-damage" / "asset-manipulation" / "legal" / "extortion" / "unknown" / "ext-value" .default "unknown" ? ext-type: text ? Description: [+ text / MLStringType] } TimeImpact = { value: PositiveFloatType ? severity: "low" / "medium" / "high" metric: "labor" / "elapsed" / "downtime" / "ext-value" ? ext-metric: text ? duration: duration .default "hour" ? ext-duration: text } MonetaryImpact = { value: PositiveFloatType ? severity: "low" / "medium" / "high" ? currency: text } Confidence = { value: float32 rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value" ? ext-rating: text } Takahashi, et al. Expires May 7, 2019 [Page 31] Internet-Draft JSON-IODEF November 2018 History = { ? restriction: restriction .default "private" ? ext-restriction: text HistoryItem: [+ HistoryItem] } HistoryItem = { action: action .default "other" ? ext-action: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype DateTime: DATETIME ? IncidentID: IncidentID ? Contact: Contact ? Description: [+ text / MLStringType] ? DefinedCOA: [+ text] ? AdditionalData: [+ ExtensionType] } EventData = { ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype ? Description: [+ text / MLStringType] ? DetectTime: DATETIME ? StartTime: DATETIME ? EndTime: DATETIME ? RecoveryTime: DATETIME ? ReportTime: DATETIME ? Contact: [+ Contact] ? Discovery: [+ Discovery] ? Assessment: Assessment ? Method: [+ Method] ? System: [+ System] ? Expectation: [+ Expectation] ? RecordData: [+ RecordData] ? EventData: [+ EventData] ? AdditionalData: [+ ExtensionType] } Expectation = { ? action: action .default "other" ? ext-action: text ? severity: "low" / "medium" / "high" ? restriction: restriction .default "default" ? ext-restriction: text ? observable-id: IDtype Takahashi, et al. Expires May 7, 2019 [Page 32] Internet-Draft JSON-IODEF November 2018 ? Description: [+ text / MLStringType] ? DefinedCOA: [+ text] ? StartTime: DATETIME ? EndTime: DATETIME ? Contact: Contact } System = { ? category: "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value" ? ext-category: text ? interface: text ? spoofed: "unknown" / "yes" / "no" .default "unknown" ? virtual: "yes" / "no" / "unknown" .default "unknown" ? ownership: "organization" / "personal" / "partner" / "customer" / "no-relationship" / "unknown" / "ext-value" ? ext-ownership: text ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Node: Node ? NodeRole: [+ NodeRole] ? Service: [+ Service] ? OperatingSystem: [+ SoftwareType] ? Counter: [+ Counter] ? AssetID: [+ text] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Node = { ( DomainData:[+ DomainData] ? Address:[+ Address]) / (? DomainData:[+ DomainData] + Address:[+ Address]) ? PostalAddress: PostalAddress ? Location: [+ text / MLStringType] ? Counter: [+ Counter] } Address = { value: text category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-url" / "ext-value" .default "ipv6-addr" ? ext-category: text ? vlan-name: text Takahashi, et al. Expires May 7, 2019 [Page 33] Internet-Draft JSON-IODEF November 2018 ? vlan-num: integer ? observable-id: IDtype } NodeRole = { category: "client" / "client-enterprise" / "clent-partner" / "client-remote" / "client-kiosk" / "client-mobile" / "server-internal" / "server-public" / "www" / "mail" / "webmail" / "messaging" / "streaming" / "voice" / "file" / "ftp" / "p2p" / "name" / "directory" / "credential" / "print" / "application" / "database" / "backup" / "dhcp" / "assessment" / "source-control" / "config-management" / "monitoring" / "infra" / "infra-firewall" / "infra-router" / "infra-switch" / "camera" / "proxy" / "remote-access" / "log" / "virtualization" / "pos" / "scada" / "scada-supervisory" / "sinkhole" / "honeypot" / "anomyzation" / "c2-server" / "malware-distribution" / "drop-server" / "hot-point" / "reflector" / "phishing-site" / "spear-phishing-site" / "recruiting-site" / "fraudulent-site" / "ext-value" ? ext-category: text ? Description: [+ text / MLStringType] } Counter = { value: float32 type: "count" / "peak" / "average" / "ext-value" ? ext-type: text unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / "message" / "event" / "host" / "site" / "organization" / "ext-value" ? ext-unit: text ? meaning: text ? duration: duration .default "hour" ? ext-duration: text } DomainData = { system-status: "spoofed" / "fraudulent" / "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value" ? ext-system-status: text domain-status: "reservedDelegation" / "assignedAndActive" / "assignedAndInactive" / "assignedAndOnHold" / "revoked" / "transferPending" / "registryLock" / "registrarLock" / "other" / "unknown" / "ext-value" ? ext-domain-status: text ? observable-id: IDtype Name: text Takahashi, et al. Expires May 7, 2019 [Page 34] Internet-Draft JSON-IODEF November 2018 ? DateDomainWasChecked: DATETIME ? RegistrationDate: DATETIME ? ExpirationDate: DATETIME ? RelatedDNS: [+ ExtensionType] ? NameServers: [+ NameServers] ? DomainContacts: DomainContacts } NameServers = { Server: text Address: [+ Address] } DomainContacts = { ? SameDomainContact: text Contact: [+ Contact] } Service = { ? ip-protocol: integer ? observable-id: IDtype ? ServiceName: ServiceName ? Port: integer ? Portlist: PortlistType ? ProtoCode: integer ? ProtoType: integer ? ProtoField: integer ? ApplicationHeaderField: [+ ExtensionType] ? EmailData: EmailData ? Application: SoftwareType } ServiceName = { ? IANAService: text ? URL: [+ URLtype] ? Description: [+ text / MLStringType] } EmailData = { ? observable-id: IDtype ? EmailTo: [+ text] ? EmailFrom: text ? EmailSubject: text ? EmailX-Mailer: text ? EmailHeaderField: [+ ExtensionType] ? EmailHeaders: text ? EmailBody: text ? EmailMessage: text Takahashi, et al. Expires May 7, 2019 [Page 35] Internet-Draft JSON-IODEF November 2018 ? HashData: [+ HashData] ? Signature: [+ SignatureType] } SignatureType = { ? id: IDtype SignedInfo: SignedInfoType SignatureValue: SignatureValueType ? KeyInfo: KeyInfoType ? Object: [+ ObjectType] } SignedInfoType = { ? id: IDtype CanonicalizationMethod: CanonicalizationMethodType SignatureMethod: SignatureMethodType Reference: [+ ReferenceType] } SignatureMethodType = { ? value: text Algorithm: URLtype ? HMACOutputLength: HMACOutputLengthType } HMACOutputLengthType = integer ReferenceType = { ? id: IDtype ? URI: URLtype ? Type: URLtype ? Transforms: TransformsType DigestMethod: DigestMethodType DigestValue: DigestValueType } TransformsType = { Transform: [+ TransformType] } TransformType = { ? value: text Algorithm: URLtype ? XPath: [+ text] } DigestMethodType = { ? value: text Takahashi, et al. Expires May 7, 2019 [Page 36] Internet-Draft JSON-IODEF November 2018 Algorithm: URLtype } DigestValueType = eb64legacy SignatureValueType = { value: eb64legacy ? id: IDtype } KeyInfoType = { ? value: text ? id: IDtype KeyProperties: [+ {KeyName: text} / {KeyValue: KeyValueType} / {RetrievalMethod: RetrievalMethodType} / {X509Data: X509DataType} / {PGPData: PGPDataType} / {SPKIData: SPKIDataType} / {MgmtData: text}] } KeyValueType = { ? value: text KeyValueProperties: {DSAKeyValue: DSAKeyValueType} / {RSAKeyValue: RSAKeyValueType} } DSAKeyValueType = { ? P: CryptoBinary ? Q: CryptoBinary ? G: CryptoBinary Y: CryptoBinary ? J: CryptoBinary ? Seed: CryptoBinary ? PgenCounter: CryptoBinary } CryptoBinary = eb64legacy RSAKeyValueType ={ Modulus: CryptoBinary Exponent: CryptoBinary } RetrievalMethodType = { URI: URLtype ? Type: URLtype ? Transforms: TransformsType } Takahashi, et al. Expires May 7, 2019 [Page 37] Internet-Draft JSON-IODEF November 2018 PGPDataType = { ? value: text PGPDataProperties: {PGPKeyID: eb64legacy} / {PGPKeyPacket: eb64legacy} } SPKIDataType = { ? value: text SPKISexp: [+ eb64legacy] } ObjectType = { ? value: text ? id: IDtype ? MimeType: text ? Encoding: URLtype } RecordData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype ? DateTime: DATETIME ? Description: [+ text / MLStringType] ? Application: SoftwareType ? RecordPattern: [+ RecordPattern] ? RecordItem: [+ ExtensionType] ? URL: [+ URLtype] ? FileData: [+ FileData] ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified] ? CertificateData: [+ CertificateData] ? AdditionalData: [+ ExtensionType] } RecordPattern = { value: text type: "regex" / "binary" / "xpath" / "ext-value" .default "regex" ? ext-type: text ? offset: integer ? offsetunit: "line" / "byte" / "ext-value" .default "line" ? ext-offsetunit: text ? instance: integer } WindowsRegistryKeysModified = { ? observable-id: IDtype Key: [+ Key] } Takahashi, et al. Expires May 7, 2019 [Page 38] Internet-Draft JSON-IODEF November 2018 Key = { ? registryaction: "add-key" / "add-value" / "delete-key" / "delete-value" / "modify-key" / "modify-value" / "ext-value" ? ext-registryaction: text ? observable-id: IDtype KeyName: text ? KeyValue: text } CertificateData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype Certificate: [+ Certificate] } Certificate = { ? observable-id: IDtype X509Data: X509DataType ? Description: [+ text / MLStringType] } X509DataType = { X509DataProperties: [+ {X509IssuerSerial: X509IssuerSerialType} / {X509SKI: eb64legacy} / {X509SubjectName: text} / {X509Certificate: eb64legacy} / {X509CRL: eb64legacy}] } X509IssuerSerialType = { X509IssuerName: text X509SerialNumber: integer } FileData = { ? restriction: restriction .default "private" ? ext-restriction: text ? observable-id: IDtype File: [+ File] } File = { ? observable-id: IDtype ? FileName: text ? FileSize: integer ? FileType: text ? URL: [+ URLtype] Takahashi, et al. Expires May 7, 2019 [Page 39] Internet-Draft JSON-IODEF November 2018 ? HashData: HashData ? Signature: [+ SignatureType] ? AssociatedSoftware: SoftwareType ? FileProperties: [+ ExtensionType] } HashData = { scope: "file-contents" / "file-pe-section" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" / "email-hash" / "email-hash-header" / "email-hash-body" ? HashTargetID: text ? Hash: [+ Hash] ? FuzzyHash: [+ FuzzyHash] } Hash = { DigestMethod: DigestMethodType DigestValue: DigestValueType ? CanonicalizationMethod: CanonicalizationMethodType ? Application: SoftwareType } CanonicalizationMethodType = { ? value: text Algorithm: URLtype } FuzzyHash = { FuzzyHashValue: [+ ExtensionType] ? Application: SoftwareType ? AdditionalData: [+ ExtensionType] } Indicator = { ? restriction: restriction .default "private" ? ext-restriction: text IndicatorID: IndicatorID ? AlternativeIndicatorID: [+ AlternativeIndicatorID] ? Description: [+ text / MLStringType] ? StartTime: DATETIME ? EndTime: DATETIME ? Confidence: Confidence ? Contact: [+ Contact] ? Observable: Observable ? uid-ref: IDREFType ? IndicatorExpression: IndicatorExpression ? IndicatorReference: IndicatorReference Takahashi, et al. Expires May 7, 2019 [Page 40] Internet-Draft JSON-IODEF November 2018 ? NodeRole: [+ NodeRole] ? AttackPhase: [+ AttackPhase] ? Reference: [+ Reference] ? AdditionalData: [+ ExtensionType] } IndicatorID = { id: IDtype name: text version: text } AlternativeIndicatorID = { ? restriction: restriction .default "private" ? ext-restriction: text IndicatorReference: [+ IndicatorReference] } Observable = { ? restriction: restriction .default "private" ? ext-restriction: text ? System: System ? Address: Address ? DomainData: DomainData ? EmailData: EmailData ? Service: Service ? WindowsRegistryKeysModified: WindowsRegistryKeysModified ? FileData: FileData ? CertificateData: CertificateData ? RegistryHandle: RegistryHandle ? RecordData: RecordData ? EventData: EventData ? Incident: Incident ? Expectation: Expectation ? Reference: Reference ? Assessment: Assessment ? DetectionPattern: DetectionPattern ? HistoryItem: HistoryItem ? BulkObservable: BulkObservable ? AdditionalData: [+ ExtensionType] } BulkObservable = { ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "mac" / "site-url" / "domain-name" / "domain-to-ipv4" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / Takahashi, et al. Expires May 7, 2019 [Page 41] Internet-Draft JSON-IODEF November 2018 "windows-reg-key" / "file-hash" / "email-x-mailer" / "email-subject" / "http-user-agent" / "http-request-uri" / "mutex" / "file-path" / "user-name" / "ext-value" ? ext-type: text ? BulkObservableFormat: BulkObservableFormat BulkObservableList: text ? AdditionalData: [+ ExtensionType] } BulkObservableFormat = { ? Hash: Hash ? AdditionalData: [+ ExtensionType] } IndicatorExpression = { ? operator: "not" / "and" / "or" / "xor" .default "and" ? ext-operator: text ? IndicatorExpression: [+ IndicatorExpression] ? Observable: [+ Observable] ? uid-ref: [+ IDREFType] ? IndicatorReference: [+ IndicatorReference] ? Confidence: Confidence ? AdditionalData: [+ ExtensionType] } IndicatorReference = { ? uid-ref: IDREFType ? euid-ref: text ? version: text } AttackPhase = { ? AttackPhaseID: [+ text] ? URL: [+ URLtype] ? Description: [+ text / MLStringType] ? AdditionalData: [+ ExtensionType] } Figure 7: Data Model in CDDL 6. Acknowledgements We would like to thank Henk Birkholz, Carsten Bormann, Yasuaki Morita, and Takahiko Nagata for their insightful comments on CDDL. Takahashi, et al. Expires May 7, 2019 [Page 42] Internet-Draft JSON-IODEF November 2018 7. IANA Considerations This document registers a JSON schema. 8. Security Considerations This memo does not provide any further security considerations than the one described in [RFC7970]. 9. References 9.1. Normative References [cddlspec] Henk Birkholz, Christoph Vigano, and Carsten Bormann, "Concise data definition language (CDDL): a notational convention to express CBOR and JSON data structuresy", 2018. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>. 9.2. Informative References [jsonschema] Francis Galiegue, Kris Zyp, and Gary Court, "JSON Schema: core definitions and terminology", 2013. Appendix A. Data Types used in this document The CDDL prelude used in this document is mapped to JSON as shown in the table below. Takahashi, et al. Expires May 7, 2019 [Page 43] Internet-Draft JSON-IODEF November 2018 +-----------------+-------------------+----------------------------+ | CDDL Prelude | Use of JSON | Instance | Validation | +-----------------+-------------------+----------------------------+ | bytes | n/a | string | tool available | | text | string | string | unnecessary | | tdate | n/a | string | 7.3.1 date-time | | integer | n/a | number | integer | | eb64legacy | n/a | string | tool available | | uri | n/a | string | 7.3.6 uri | | float32 | float32 | number | unnecessary | +-----------------+-------------------+----------------------------+ Figure 8 Appendix B. The IODEF Data Model (JSON Schema) This section provides a JSON schema that defines the IODEF Data Model defined in this draft. { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site", "contact-target-site","contact-sender","investigate", "block-host","block-network","block-port","rate-limit-host", "rate-limit-network","rate-limit-port","redirect-traffic", "honeypot","upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","other", "ext-value"]}, "duration":{"enum":["second","minute","hour","day","month", "quarter","year","ext-value"]}, "SpecID":{ "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, "lang": { "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "purpose": {"enum": ["traceback","mitigation","reporting","watch", "other","ext-value"]}, "restriction":{"enum":["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved", "future","ext-value"]}, "DATETIME": {"type": "string","format": "date-time"}, "PortlistType": { "type": "string","pattern": "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"}, "TimeZonetype": { "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "URLtype": { "type": "string", Takahashi, et al. Expires May 7, 2019 [Page 44] Internet-Draft JSON-IODEF November 2018 "pattern": "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "IDREFType": {"$ref": "#/definitions/IDtype"}, "CryptoBinary": {"type": "string"}, "MLStringType": { "type": "object", "properties": { "value": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "translation-id": {"type": "string"}}, "required": ["value"], "additionalProperties":false}, "PositiveFloatType": {"type": "number","minimum": 0}, "PAddressType": {"$ref": "#/definitions/MLStringType"}, "ExtensionType": { "type": "object", "properties": { "value": {"type": "string"}, "Name": {"type": "string"}, "dtype":{"enum":["boolean","byte","bytes","character", "date-time","ntpstamp","integer","portlist","real","string", "file","path","frame","packet","ipv4-packet","ipv6-packet", "url", "csv","winreg","xml","ext-value"],"default": "string"}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": { "$ref": "#/definitions/restriction","default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","dtype"], "additionalProperties":false}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype", "minItems": 1}}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, Takahashi, et al. Expires May 7, 2019 [Page 45] Internet-Draft JSON-IODEF November 2018 {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1 }}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "ext-spec-name": {"type": "string"}, "dtype": {"enum": ["bytes","integer","real","string","xml", "ext-value"] , "default": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, "StructuredInformation": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1 }, "Platform": { "type": "array", "items": {"$ref": "#/definitions/Platform"}, "minItems": 1 }, "Scoring": { "type": "array", "items": {"$ref": "#/definitions/Scoring"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Platform": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, Takahashi, et al. Expires May 7, 2019 [Page 46] Internet-Draft JSON-IODEF November 2018 "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Scoring": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": {"$ref": "#/definitions/ExtensionTypeList"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array", "items": {"$ref": "#/definitions/RelatedActivity"}, "minItems": 1}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Discovery": { Takahashi, et al. Expires May 7, 2019 [Page 47] Internet-Draft JSON-IODEF November 2018 "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": { "type": "array", "items": {"$ref": "#/definitions/Assessment"}, "minItems": 1}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "Indicator": { "type": "array", "items": {"$ref": "#/definitions/Indicator"}, "minItems": 1}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IncidentID","GenerationTime","Contact","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["id","name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { "type": "array", "items":{"$ref": "#/definitions/IncidentID"}, Takahashi, et al. Expires May 7, 2019 [Page 48] Internet-Draft JSON-IODEF November 2018 "minItems": 1}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IncidentID": { "type": "array", "items": {"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "ThreatActor": { "type": "array", "items": {"$ref": "#/definitions/ThreatActor"}, "minItems": 1}, "Campaign": { "type": "array", "items": {"$ref": "#/definitions/Campaign"}, "minItems": 1}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ThreatActorID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { Takahashi, et al. Expires May 7, 2019 [Page 49] Internet-Draft JSON-IODEF November 2018 "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "CampaignID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum":["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ContactName": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, Takahashi, et al. Expires May 7, 2019 [Page 50] Internet-Draft JSON-IODEF November 2018 "ContactTitle": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "RegistryHandle": { "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}, "minItems": 1}, "PostalAddress": { "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}, "minItems": 1}, "Email": { "type": "array", "items": {"$ref": "#/definitions/Email"}, "minItems": 1}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}, "minItems": 1}, "Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "local","ext-value"]}, "ext-registry": {"type": "string"}}, "required": ["handle","registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": {"type": "string"}, Takahashi, et al. Expires May 7, 2019 [Page 51] Internet-Draft JSON-IODEF November 2018 "ext-type": {"type": "string"}, "PAddress": {"$ref": "#/definitions/PAddressType"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", Takahashi, et al. Expires May 7, 2019 [Page 52] Internet-Draft JSON-IODEF November 2018 "default": "private"}, "ext-restriction": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "DetectionPattern": { "type":"array", "items":{"$ref":"#/definitions/DetectionPattern"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}, "minItems": 1}}, "required": ["Application"], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "Description": { "type": "array", Takahashi, et al. Expires May 7, 2019 [Page 53] Internet-Draft JSON-IODEF November 2018 "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "AttackPattern": { "type":"array", "items":{"$ref":"#/definitions/StructuredInformation"}, "minItems": 1}, "Vulnerability": { "type":"array", "items":{"$ref":"#/definitions/StructuredInformation"}, "minItems": 1}, "Weakness": { "type":"array", "items":{"$ref":"#/definitions/StructuredInformation"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, "URL":{ "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": [], "additionalProperties": false}, "ReferenceName" : { "type": "object", "properties": { "specIndex": {"type": "number"}, "ID": {"$ref":"#/definitions/IDtype"}}, "required": ["specIndex","ID"], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, Takahashi, et al. Expires May 7, 2019 [Page 54] Internet-Draft JSON-IODEF November 2018 "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Impact": { "type": "array", "items": { "properties": { "SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, "additionalProperties":false}, "minItems" : 1 }, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "MitigatingFactor": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Cause": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Impact"], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { "severity": {"enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { "enum":["takeover-account","takeover-service", "takeover-system","cps-manipulation","cps-damage", "availability-data","availability-account", "availability-service","availability-system", "damaged-system","damaged-data","breach-proprietary", "breach-privacy","breach-credential", Takahashi, et al. Expires May 7, 2019 [Page 55] Internet-Draft JSON-IODEF November 2018 "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic", "monitoring-host","policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity": {"enum":["none","low","medium","high","unknown", "ext-value"],"default": "unknown"}, "ext-severity": {"type":"string"}, "type": {"enum":["breach-proprietary","breach-privacy", "breach-credential","loss-of-integrity","loss-of-service", "theft-financial","theft-service","degraded-reputation", "asset-damage","asset-manipulation","legal","extortion", "unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, "required": ["value","metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, Takahashi, et al. Expires May 7, 2019 [Page 56] Internet-Draft JSON-IODEF November 2018 "required": ["value"], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, "rating": {"enum": ["low","medium","high","numeric","unknown", "ext-value"]}, "ext-rating": {"type":"string"}}, "required": ["value","rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array", "items": {"$ref": "#/definitions/HistoryItem"}, "minItems": 1}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action": {"$ref": "#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { Takahashi, et al. Expires May 7, 2019 [Page 57] Internet-Draft JSON-IODEF November 2018 "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array", "items": { "type":"string", "$ref":"#/definitions/MLStringType"}}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "System": { "type": "array", "items": {"$ref": "#/definitions/System"}, "minItems": 1}, "Expectation": { "type": "array", "items": {"$ref": "#/definitions/Expectation"}, "minItems": 1}, "RecordData": { "type": "array", "items": {"$ref": "#/definitions/RecordData"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Expectation": { "type": "object", Takahashi, et al. Expires May 7, 2019 [Page 58] Internet-Draft JSON-IODEF November 2018 "properties": { "action": {"$ref":"#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "default"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor", "infrastructure","ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "Service": { "type": "array", "items": {"$ref": "#/definitions/Service"}, Takahashi, et al. Expires May 7, 2019 [Page 59] Internet-Draft JSON-IODEF November 2018 "minItems": 1}, "OperatingSystem": { "type": "array", "items": {"$ref": "#/definitions/SoftwareType"}, "minItems": 1}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "AssetID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array", "items": {"$ref": "#/definitions/DomainData"}, "minItems": 1}, "Address": { "type": "array", "items": {"$ref": "#/definitions/Address"}, "minItems": 1}, "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, "Location": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Counter": { "type":"array", "items":{"$ref":"#/definitions/Counter"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, Takahashi, et al. Expires May 7, 2019 [Page 60] Internet-Draft JSON-IODEF November 2018 "category": { "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-url","ext-value"], "default": "ipv6-addr"}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","clent-partner", "client-remote","client-kiosk","client-mobile", "server-internal","server-public","www","mail","webmail", "messaging","streaming","voice","file","ftp","p2p","name", "directory","credential","print","application","database", "backup","dhcp","assessment","source-control", "config-management","monitoring","infra","infra-firewall", "infra-router","infra-switch","camera","proxy", "remote-access","log","virtualization","pos", "scada", "scada-supervisory","sinkhole","honeypot","anomyzation", "c2-server","malware-distribution","drop-server", "hot-point","reflector","phishing-site", "spear-phishing-site","recruiting-site","fraudulent-site", "ext-value"]}, "ext-category": {"type": "string"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "number"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit":{"enum":["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, Takahashi, et al. Expires May 7, 2019 [Page 61] Internet-Draft JSON-IODEF November 2018 "ext-duration": {"type": "string"}}, "required": ["value","type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { "enum": [ "reservedDelegation","assignedAndActive", "assignedAndInactive","assignedAndOnHold","revoked", "transferPending","registryLock","registrarLock", "other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "NameServers": { "type": "array", "items": {"$ref": "#/definitions/NameServers"}, "minItems": 1}, "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, "required": ["Name","system-status","domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": { "type":"array", "items":{"$ref":"#/definitions/Address"}, "minItems": 1}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, "Contact": { "type":"array", Takahashi, et al. Expires May 7, 2019 [Page 62] Internet-Draft JSON-IODEF November 2018 "items":{"$ref":"#/definitions/Contact"}, "minItems": 1}}, "required": ["Contact"], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "number"}, "Portlist": {"$ref": "#/definitions/PortlistType"}, "ProtoCode": {"type": "number"}, "ProtoType": {"type": "number"}, "ProtoField": {"type": "number"}, "ApplicationHeaderField":{ "$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, Takahashi, et al. Expires May 7, 2019 [Page 63] Internet-Draft JSON-IODEF November 2018 "minItems": 1}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array", "items": {"$ref": "#/definitions/HashData"}, "minItems": 1}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/SignatureType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "SignatureType": { "type": "object", "properties": { "id": {"$ref": "#/definitions/IDtype"}, "SignedInfo": {"$ref": "#/definitions/SignedInfoType"}, "SignatureValue": {"$ref": "#/definitions/SignatureValueType"}, "KeyInfo": {"$ref": "#/definitions/KeyInfoType"}, "Object": { "type": "array", "items": {"$ref": "#/definitions/ObjectType"}, "minItems": 1}}, "required": ["SignedInfo","SignatureValue"], "additionalProperties": false }, "SignatureValueType": { "type": "object", "properties": { "value": {"type": "string"}, "id": {"$ref": "#/definitions/IDtype"} }, "required": ["value"], "additionalProperties": false }, "SignedInfoType": { "type": "object", "properties": { "id": {"$ref": "#/definitions/IDtype"}, "CanonicalizationMethod": {"$ref": "#/definitions/CanonicalizationMethodType"}, "SignatureMethod": {"$ref":"#/definitions/SignatureMethodType"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/ReferenceType"}, "minItems": 1} Takahashi, et al. Expires May 7, 2019 [Page 64] Internet-Draft JSON-IODEF November 2018 }, "required": ["CanonicalizationMethod","SignatureMethod", "Reference"], "additionalProperties": false }, "SignatureMethodType": { "type": "object", "properties": { "value": {"type": "string"}, "Algorithm": {"$ref": "#/definitions/URLtype"}, "HMACOutputLength":{"$ref":"#/definitions/HMACOutputLengthType"} }, "required": ["Algorithm"], "additionalProperties": false }, "HMACOutputLengthType": {"type": "number"}, "ReferenceType": { "type": "object", "properties": { "id": {"$ref": "#/definitions/IDtype"}, "URI": {"$ref": "#/definitions/URLtype"}, "Type": {"$ref": "#/definitions/URLtype"}, "Transforms": {"$ref": "#/definitions/TransformsType"}, "DigestMethod": {"$ref": "#/definitions/DigestMethodType"}, "DigestValue": {"$ref": "#/definitions/DigestValueType"} }, "required": ["DigestMethod","DigestValue"], "additionalProperties": false }, "TransformsType": { "type": "object", "properties": { "Transform": { "type": "array", "items": {"$ref": "#/definitions/TransformType"}, "minItems": 1} }, "required": ["Transform"], "additionalProperties": false }, "TransformType": { "type": "object", "properties": { "value": {"type": "string"}, "Algorithm": {"$ref": "#/definitions/URLtype"}, "XPath": { "type": "array", "items": {"type": "string"}, Takahashi, et al. Expires May 7, 2019 [Page 65] Internet-Draft JSON-IODEF November 2018 "minItems": 1} }, "required": ["Algorithm"], "additionalProperties": false }, "DigestMethodType": { "type": "object", "properties": { "value": {"type": "string"}, "Algorithm": {"$ref": "#/definitions/URLtype"} }, "required": ["Algorithm"], "additionalProperties": false }, "DigestValueType": {"type": "string"}, "KeyInfoType": { "type": "object", "properties": { "value": {"type": "string"}, "id": {"$ref": "#/definitions/IDtype"}, "KeyProperties": { "type": "array", "items": { "type": "object", "properties": { "KeyName": {"type": "string"}, "KeyValue": {"$ref": "#/definitions/KeyValueType"}, "RetrievalMethod": {"$ref": "#/definitions/RetrievalMethodType"}, "X509Data": {"$ref": "#/definitions/X509DataType"}, "PGPData": {"$ref": "#/definitions/PGPDataType"}, "SPKIData": {"$ref": "#/definitions/SPKIDataType"}, "MgmtData": {"type": "string"}}, "additionalProperties": false}, "minItems" : 1}}, "required": ["KeyProperties"], "additionalProperties": false }, "KeyValueType": { "type": "object", "properties": { "value": {"type": "string"}, "KeyValueProperties": { "items": { "type": "object", "properties": { "DSAKeyValue": {"$ref": "#/definitions/DSAKeyValueType"}, "RSAKeyValue": {"$ref": "#/definitions/RSAKeyValueType"}}, Takahashi, et al. Expires May 7, 2019 [Page 66] Internet-Draft JSON-IODEF November 2018 "additionalProperties": false}} }, "required": ["KeyValueProperties"], "additionalProperties": false }, "DSAKeyValueType": { "type": "object", "properties": { "P": {"$ref": "#/definitions/CryptoBinary"}, "Q": {"$ref": "#/definitions/CryptoBinary"}, "G": {"$ref": "#/definitions/CryptoBinary"}, "Y": {"$ref": "#/definitions/CryptoBinary"}, "J": {"$ref": "#/definitions/CryptoBinary"}, "Seed": {"$ref": "#/definitions/CryptoBinary"}, "PgenCounter": {"$ref": "#/definitions/CryptoBinary"} }, "required": ["Y"], "additionalProperties": false }, "RSAKeyValueType":{ "type": "object", "properties": { "Modulus": {"$ref": "#/definitions/CryptoBinary"}, "Exponent": {"$ref": "#/definitions/CryptoBinary"} }, "required": ["Modulus","Exponent"], "additionalProperties": false }, "RetrievalMethodType": { "type": "object", "properties": { "URI": {"$ref": "#/definitions/URLtype"}, "Type": {"$ref": "#/definitions/URLtype"}, "Transforms": {"$ref": "#/definitions/TransformsType"} }, "required": ["URI"], "additionalProperties": false }, "PGPDataType": { "type": "object", "properties": { "value": {"type": "string"}, "PGPDataProperties": { "items": { "type": "object", "properties": { "PGPKeyID": {"type": "string"}, "PGPKeyPacket": {"type": "string"}}, Takahashi, et al. Expires May 7, 2019 [Page 67] Internet-Draft JSON-IODEF November 2018 "additionalProperties": false}}}, "required": ["PGPDataProperties"], "additionalProperties": false }, "SPKIDataType": { "type": "object", "properties": { "value": {"type": "string"}, "SPKISexp": { "type": "array", "items": {"type": "string"}, "minItems": 1} }, "required": ["SPKISexp"], "additionalProperties": false }, "ObjectType": { "type": "object", "properties": { "value": {"type": "string"}, "id": {"$ref": "#/definitions/IDtype"}, "MimeType": {"type": "string"}, "Encoding": {"$ref": "#/definitions/URLtype"} }, "additionalProperties": false }, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array", "items": {"$ref": "#/definitions/RecordPattern"}, "minItems": 1}, "RecordItem": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, Takahashi, et al. Expires May 7, 2019 [Page 68] Internet-Draft JSON-IODEF November 2018 "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "FileData": { "type": "array", "items": {"$ref": "#/definitions/FileData"}, "minItems": 1}, "WindowsRegistryKeysModified": { "type": "array", "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, "minItems": 1}, "CertificateData": { "type":"array", "items":{"$ref":"#/definitions/CertificateData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["regex","binary","xpath","ext-value"], "default": "regex"}, "ext-type": {"type": "string"}, "offset": {"type": "number"}, "offsetunit": {"enum":["line","byte","ext-value"] , "default": "line"}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "number"}}, "required": ["value","type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "Key": { "type": "array", "items": {"$ref": "#/definitions/Key"}, "minItems": 1}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", Takahashi, et al. Expires May 7, 2019 [Page 69] Internet-Draft JSON-IODEF November 2018 "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array", "items": {"$ref": "#/definitions/Certificate"}, "minItems": 1}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {"$ref": "#/definitions/X509DataType"}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}}, "required": ["X509Data"], "additionalProperties": false}, "X509DataType": { "type": "object", "properties": { "X509DataProperties": { "type": "array", "items": { "type": "object", "properties": { "X509IssuerSerial": {"$ref": "#/definitions/X509IssuerSerialType"}, "X509SKI": {"type": "string"}, "X509SubjectName": {"type": "string"}, "X509Certificate": {"type": "string"}, "X509CRL": {"type": "string"}}, "additionalProperties": false}, "minItems" : 1}}, Takahashi, et al. Expires May 7, 2019 [Page 70] Internet-Draft JSON-IODEF November 2018 "required": ["X509DataProperties"], "additionalProperties": false }, "X509IssuerSerialType": { "type": "object", "properties": { "X509IssuerName": {"type": "string"}, "X509SerialNumber": {"type": "number"} }, "required": ["X509IssuerName","X509SerialNumber"], "additionalProperties": false }, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": { "type": "array", "items": {"$ref": "#/definitions/File"}, "minItems": 1}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "FileName": {"type": "string"}, "FileSize": {"type": "number"}, "FileType": {"type": "string"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "HashData": {"$ref": "#/definitions/HashData"}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/SignatureType"}, "minItems": 1}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type":"array", "items":{"$ref":"#/definitions/ExtensionType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "HashData": { Takahashi, et al. Expires May 7, 2019 [Page 71] Internet-Draft JSON-IODEF November 2018 "type": "object", "properties": { "scope": {"enum": ["file-contents","file-pe-section", "file-pe-iat","file-pe-resource","file-pdf-object", "email-hash","email-hash-header","email-hash-body"]}, "HashTargetID": {"type": "string"}, "Hash": { "type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1}, "FuzzyHash": { "type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"$ref": "#/definitions/DigestMethodType"}, "DigestValue": {"$ref": "#/definitions/DigestValueType"}, "CanonicalizationMethod": {"$ref": "#/definitions/CanonicalizationMethodType"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, "CanonicalizationMethodType": { "type": "object", "properties": { "value": {"type": "string"}, "Algorithm": {"$ref": "#/definitions/URLtype"} }, "required": ["Algorithm"], "additionalProperties": false }, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", Takahashi, et al. Expires May 7, 2019 [Page 72] Internet-Draft JSON-IODEF November 2018 "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Observable": {"$ref": "#/definitions/Observable"}, "uid-ref": {"$ref": "#/definitions/IDREFType"}, "IndicatorExpression":{ "$ref":"#/definitions/IndicatorExpression"}, "IndicatorReference":{ "$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "AttackPhase": { "type": "array", "items": {"$ref": "#/definitions/AttackPhase"}, "minItems": 1}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IndicatorID"], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, Takahashi, et al. Expires May 7, 2019 [Page 73] Internet-Draft JSON-IODEF November 2018 "required": ["id","name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}, "minItems": 1}}, "required": ["IndicatorReference"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RecordData": {"$ref": "#/definitions/RecordData"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "mac","site-url","domain-name","domain-to-ipv4", Takahashi, et al. Expires May 7, 2019 [Page 74] Internet-Draft JSON-IODEF November 2018 "domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "windows-reg-key","file-hash","email-x-mailer", "email-subject","http-user-agent","http-request-url", "mutex","file-path","user-name","ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormat":{ "$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "string"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["BulkObservableList"], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator": {"enum": ["not","and","or","xor"],"default": "and"}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}, "minItems": 1}, "Observable": { "type": "array", "items": {"$ref": "#/definitions/Observable"}, "minItems": 1}, "uid-ref": { "type": "array", "items": {"$ref": "#/definitions/IDREFType"}, "minItems": 1}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}, "minItems": 1}, "Confidence": {"$ref":"#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"$ref":"#/definitions/IDREFType"}, Takahashi, et al. Expires May 7, 2019 [Page 75] Internet-Draft JSON-IODEF November 2018 "euid-ref": {"type": "string"}, "version": {"type": "string"}}, "required": [], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"oneOf":[{"type": "string"}, {"$ref": "#/definitions/MLStringType"}]}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type": "array", "items": {"$ref": "#/definitions/Incident"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} Figure 9: JSON schema Authors' Addresses Takahashi, et al. Expires May 7, 2019 [Page 76] Internet-Draft JSON-IODEF November 2018 Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Roman Danyliw CERT, Software Engineering Institute, Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA USA Email: rdd@cert.org Mio Suzuki National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp Takahashi, et al. Expires May 7, 2019 [Page 77]