JSON binding of IODEF
draft-ietf-mile-jsoniodef-13
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8727.
|
|
---|---|---|---|
Authors | Takeshi Takahashi , Roman Danyliw , Mio Suzuki | ||
Last updated | 2020-02-10 (Latest revision 2019-12-24) | ||
Replaces | draft-takahashi-mile-jsoniodef | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-09)
by Robert Sparks
Almost ready
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Nancy Cam-Winget | ||
Shepherd write-up | Show Last changed 2019-04-08 | ||
IESG | IESG state | Became RFC 8727 (Proposed Standard) | |
Consensus boilerplate | Yes | ||
Telechat date |
(None)
Needs a YES. Needs 8 more YES or NO OBJECTION positions to pass. |
||
Responsible AD | Alexey Melnikov | ||
Send notices to | Nancy Cam-Winget <ncamwing@cisco.com> | ||
IANA | IANA review state | Version Changed - Review Needed |
draft-ietf-mile-jsoniodef-13
MILE T. Takahashi Internet-Draft NICT Intended status: Standards Track R. Danyliw Expires: August 13, 2020 CERT M. Suzuki NICT February 10, 2020 JSON binding of IODEF draft-ietf-mile-jsoniodef-13 Abstract The Incident Object Description Exchange Format defined in RFC 7970 provides an information model and a corresponding XML data model for exchanging incident and indicator information. This draft gives implementers and operators an alternative format to exchange the same information by defining an alternative data model implementation in JSON and its encoding in CBOR. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 13, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect Takahashi, et al. Expires August 13, 2020 [Page 1] Internet-Draft JSON-IODEF February 2020 to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Abstract Data Type to JSON Data Type Mapping . . . . . . 3 2.2. Complex JSON Types . . . . . . . . . . . . . . . . . . . 5 2.2.1. Integer . . . . . . . . . . . . . . . . . . . . . . . 5 2.2.2. Multilingual Strings . . . . . . . . . . . . . . . . 5 2.2.3. Enum . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2.4. Software and Software Reference . . . . . . . . . . . 6 2.2.5. Structured Information . . . . . . . . . . . . . . . 6 2.2.6. EXTENSION . . . . . . . . . . . . . . . . . . . . . . 7 3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . . 7 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 8 3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 18 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 19 4.2. Indicators from a Campaign . . . . . . . . . . . . . . . 22 5. Mapkeys . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 6. The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . . 30 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 50 8. Security Considerations . . . . . . . . . . . . . . . . . . . 50 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 50 10.1. Normative References . . . . . . . . . . . . . . . . . . 50 10.2. Informative References . . . . . . . . . . . . . . . . . 51 Appendix A. Data Types used in this document . . . . . . . . . . 51 Appendix B. The IODEF Data Model (JSON Schema) . . . . . . . . . 52 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 80 1. Introduction The Incident Object Description Exchange Format (IODEF) [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively in this document. Takahashi, et al. Expires August 13, 2020 [Page 2] Internet-Draft JSON-IODEF February 2020 IODEF documents are structured and thus suitable for machine processing. They will streamline incident response operations. Another well-used and structured format that is suitable for machine processing is JavaScript Object Notation (JSON) [RFC8259]. To facilitate the automation of incident response operations, IODEF documents and implementations should support JSON representation and it encoding in Concise Binary Object Representation (CBOR) [RFC7049]. This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using Concise Data Definition Language (CDDL) [RFC8610] and JSON Schema [I-D.handrews-json-schema-validation]. This JSON data model is referred to as IODEF JSON in this document. IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information. The normative IODEF JSON data model is found in Section 6. Section 2 and Section 3 describe the data types and elements of this data model. Section 4 provides examples. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here. 2. IODEF Data Types IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970]. 2.1. Abstract Data Type to JSON Data Type Mapping IODEF JSON uses native and derived JSON data types. Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON. Takahashi, et al. Expires August 13, 2020 [Page 3] Internet-Draft JSON-IODEF February 2020 +-----------------+-------------------+-------------------------------+ | IODEF Data Type | [RFC7970] | JSON Data Type | | | Reference | | +-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 | integer, see Section 2.2.1 | | REAL | Section 2.2 | "number" per [RFC8259] | | CHARACTER | Section 2.3 | "string" per [RFC8259] | | STRING | Section 2.3 | "string" per [RFC8259] | | ML_STRING | Section 2.4 | see Section 2.2.2 | | BYTE | Section 2.5.1 | "string" per [RFC8259] | | BYTE[] | Section 2.5.1 | "string" per [RFC8259] | | HEXBIN | Section 2.5.2 | "string" per [RFC8259] | | HEXBIN[] | Section 2.5.2 | "string" per [RFC8259] | | ENUM | Section 2.6 | see Section 2.2.3 | | DATETIME | Section 2.7 | "string" per [RFC8259] | | TIMEZONE | Section 2.8 | "string" per [RFC8259] | | PORTLIST | Section 2.9 | "string" per [RFC8259] | | POSTAL | Section 2.10 | ML_STRING, Section 2.2.2 | | PHONE | Section 2.11 | "string" per [RFC8259] | | EMAIL | Section 2.12 | "string" per [RFC8259] | | URL | Section 2.13 | "string" per [RFC8259] | | ID | Section 2.14 | "string" per [RFC8259] | | IDREF | Section 2.14 | "string" per [RFC8259] | | SOFTWARE | Section 2.15 | see Section 2.2.4 | | STRUCTUREDINFO | [RFC 7203] | see Section 2.2.5 | | EXTENSION | Section 2.16 | see Section 2.2.6 | +-----------------+-------------------+-------------------------------+ Figure 1: JSON Data Types Takahashi, et al. Expires August 13, 2020 [Page 4] Internet-Draft JSON-IODEF February 2020 +-----------------+------------------+---------------------------------+ | IODEF Data Type | CBOR Data Type | CDDL prelude | | | | [RFC8610] | +-----------------+------------------+---------------------------------+ | INTEGER | 0, 1, 6 tag 2, | integer | | | 6 tag 3 | | | REAL | 7 bits 26 | float32 | | CHARACTER | 3 | text | | STRING | 3 | text | | ML_STRING | 5 | Maps/Structs (Section 3.5.1) | | BYTE | 6 tag 22 | eb64legacy | | BYTE[] | 6 tag 22 | eb64legacy | | HEXBIN | 6 tag 23 | eb16 | | HEXBIN[] | 6 tag 23 | eb16 | | ENUM | - | Choices (Section 2.2.2) | | DATETIME | 6 tag 0 | tdate | | TIMEZONE | 3 | text | | PORTLIST | 3 | text | | POSTAL | 3 | ML_STRING (Section 2.2.1) | | PHONE | 3 | text | | EMAIL | 3 | text | | URL | 6 tag 32 | uri | | ID | 3 | text | | IDREF | 3 | text | | SOFTWARE | 5 | Maps/Structs (Section 3.5.1) | | STRUCTUREDINFO | 5 | Maps/Structs (Section 3.5.1) | | EXTENSION | 5 | Maps/Structs (Section 3.5.1) | +-----------------+------------------+---------------------------------+ Figure 2: CBOR Data Types 2.2. Complex JSON Types 2.2.1. Integer An integer is a subset of "number" type of JSON, which represents signed digits encoded in Base 10. The definition of this integer is "[ minus ] int" in [RFC8259] Section 6 manner. 2.2.2. Multilingual Strings A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as either an object with "value", "lang", and "translation-id" elements or a text string as defined in Section 6. An example is shown below. Takahashi, et al. Expires August 13, 2020 [Page 5] Internet-Draft JSON-IODEF February 2020 "MLStringType": { "value": "free-form text", # STRING "lang": "en", # ENUM "translation-id": "jp2en0023" # STRING } Note that in figures throughout this document, some supplementary information follows "#", but these are not valid syntax in JSON, but are intended to facilitate reader understanding. 2.2.3. Enum Enum is an ordered list of acceptable string values. Each value has a representative keyword. Within the data model, the enumerated type keywords are used as attribute values. 2.2.4. Software and Software Reference A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a Uniform Resource Locator (URL) [RFC3986], or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 6. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, # SoftwareReference "Description": ["MS Windows"] # STRING } SoftwareReference class is a reference to a particular version of software. Examples are shown below. "SoftwareReference": { "value": "cpe:/a:google:chrome:59.0.3071.115", # STRING "spec-name": "cpe", # ENUM "dtype": "string" # ENUM } 2.2.5. Structured Information Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the STRUCTUREDINFO data type. Note that this type was originally specified in Section 4.4 of [RFC7203] as a basic structure of its extension classes. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", Takahashi, et al. Expires August 13, 2020 [Page 6] Internet-Draft JSON-IODEF February 2020 "RawData", and "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInfo": { "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", # ENUM "ContentID": "CWE-89" # STRING } When embedding the raw data, it should be encoded as a BYTE type object, as shown below. "StructuredInfo": { "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2", # ENUM "RawData": "<<< encoded structured data >>>" # BYTE } When embedding the raw data, base64 encoding defined in Section 4 of [RFC4648] SHOULD be used for JSON IODEF while binary representation SHOULD be used for CBOR IODEF. 2.2.6. EXTENSION Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below. "ExtensionType": { "value": "xxxxxxx", # STRING "name": "Syslog", # STRING "dtype": "string", # ENUM "meaning": "Syslog from the security appliance X" # STRING } Note that this data type is prepared in [RFC7970] as its generic extension mechanism. If a data item has internal structure that is intended to be processed outside of the IODEF framework, one may consider using StructuredInfo data type mentioned in Section 2.2.5. 3. IODEF JSON Data Model Takahashi, et al. Expires August 13, 2020 [Page 7] Internet-Draft JSON-IODEF February 2020 3.1. Classes and Elements The following table shows the list of IODEF Classes, their elements, and the corresponding section in [RFC7970]. Note that the complete JSON schema is defined in Section 6 using CDDL. +-----------------------------+--------------------+---------------+ | IODEF Class | Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenerationTime | | | | Description* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | Takahashi, et al. Expires August 13, 2020 [Page 8] Internet-Draft JSON-IODEF February 2020 | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*, | | | | ContactTitle* | | | | Description* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | Takahashi, et al. Expires August 13, 2020 [Page 9] Internet-Draft JSON-IODEF February 2020 | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle | | | | registry | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type? | | | | ext-type? | | | | PAddress | | | | Description* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? | | | | ext-type? | | | | TelephoneNumber | | | | Description* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | | | | AdditionalData* | 3.11 | +-----------------------------+--------------------+---------------+ | Weakness (TBD) | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires August 13, 2020 [Page 10] Internet-Draft JSON-IODEF February 2020 | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigatingFactor* | | | | Cause* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | 3.12.2 | +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? | | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ Takahashi, et al. Expires August 13, 2020 [Page 11] Internet-Draft JSON-IODEF February 2020 | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | System* | | | | Expectation* | | | | RecordData* | | | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | Takahashi, et al. Expires August 13, 2020 [Page 12] Internet-Draft JSON-IODEF February 2020 | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? | | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | AdditionalData* | 3.17 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Counter* | 3.18 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.18.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | | | Description* | 3.18.2 | +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | duration? | | | | ext-duration? | 3.18.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | Takahashi, et al. Expires August 13, 2020 [Page 13] Internet-Draft JSON-IODEF February 2020 | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate? | | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.19 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.19.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.19.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField*| | | | EmailData? | | | | Application? | 3.20 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | | | | URL* | | | | Description* | 3.20.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | | | EmailFrom? | | | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.21 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Application? | | Takahashi, et al. Expires August 13, 2020 [Page 14] Internet-Draft JSON-IODEF February 2020 | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.22.1 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.22.2 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.23 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.23.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.24 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | | | Description* | 3.24.1 | +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.25 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? | | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.25.1 | Takahashi, et al. Expires August 13, 2020 [Page 15] Internet-Draft JSON-IODEF February 2020 +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.26 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.26.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData* | 3.26.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.29 | +-----------------------------+--------------------+---------------+ | IndicatorID | id | | | | name | | | | version | 3.29.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorID+ | 3.29.2 | +-----------------------------+--------------------+---------------+ | Observable | restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | Takahashi, et al. Expires August 13, 2020 [Page 16] Internet-Draft JSON-IODEF February 2020 | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData* | 3.29.3 | +-----------------------------+--------------------+---------------+ | BulkObservable | type? | | | | ext-type? | | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData* | 3.29.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormat | Hash? | | | | AdditionalData* | 3.29.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpression | operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData* | 3.29.6 | +-----------------------------+--------------------+---------------+ | IndicatorReference | uid-ref? | | | | euid-ref? | | | | version? | 3.29.7 | +-----------------------------+--------------------+---------------+ | AttackPhase | AttackPhaseID* | | | | URL* | | | | Description* | | | | AdditionalData* | 3.29.8 | +-----------------------------+--------------------+---------------+ Figure 3: IODEF Classes Takahashi, et al. Expires August 13, 2020 [Page 17] Internet-Draft JSON-IODEF February 2020 3.2. Mapping between JSON and XML IODEF o Attributes and elements of each class in XML IODEF document are both presented as JSON attributes in JSON IODEF document, and the order of their appearances is ignored. o Flow class is deleted, and classes with its instances now directly have instances of EventData class that used to belong to the Flow class. o ApplicationHeader class is deleted, and classes with its instances now directly have instances of ApplicationHeaderField class that used to belong to the ApplicationHeader class. o SignatureData class is deleted, and classes with its instances now directly have instance of Signature class that used to belong to the SignatureData class. o IndicatorData class is deleted, and classes with its instances now directly have the instances of Indicator class that used to belong to the IndicatorData class. o ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element. o Record class is deleted, and classes with its instances now directly have the instances of RecordData class that used to belong to the Record class. o The MLStringType were modified to support simple string by allowing the type to have not only a predefined object type but also text type, in order to allow simple descriptions of elements of the type. Implementations need to be capable of parsing MLStringType that could take form of both text and object. o The elements of ML_STRING type in XML IODEF document are presented as either STRING type or ML_STRING type in JSON IODEF document. When converting from XML IODEF document to JSON one or vice versa, the information contained in the original data of ML_STRING type must be preserved. When STRING is used instead of ML_STRING, parsers can assume that its xml:lang is set to "en". Otherwise it is expected that both receiver and sender have some external methods to agree upon the language used in this field. o Data models of the extension classes defined by [RFC7203] and referenced by [RFC7970] are represented by StructuredInfo class defined in this document. Takahashi, et al. Expires August 13, 2020 [Page 18] Internet-Draft JSON-IODEF February 2020 o Signature, X509Data, and RawData are encoded using base64 encoding for JSON IODEF and binary representation for CBOR IODEF to represent them as BYTE object. o EmailBody represents an whole message body including MIME structure in the same manner defined in [RFC7970]. In case of an email composed of MIME multipart, the EmailBody contains multiple body parts separated by boundary strings. o The "ipv6-net-mask" type attribute of BulkObservable class remains available for the backward compatibility purpose, but the use of this attribute is not recommended because IPV6 does not use netmask any more. o ENUM values in this document is extensible and is managed by IANA, as with [RFC7970]. The values in the table are used both by [RFC7970] implementations and by their JSON (and CBOR) bindings as specified by this document. o This document uses JSON's "number" type to represent integers that only has full precision for integer values between -2**53 and 2**53. When dealing with integers outside the range, this issue needs to be considered. o Binaries are encoded in bytes. Note that XML IODEF in [RFC7970] uses HEXBIN due to the incapability of XML for embedding binaries as they are. 4. Examples This section provides examples of IODEF documents. These examples do not represent the full capabilities of the data model or the only way to encode particular information. 4.1. Minimal Example A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively. Takahashi, et al. Expires August 13, 2020 [Page 19] Internet-Draft JSON-IODEF February 2020 { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "reporting", "restriction": "private", "IncidentID": { "id": "492382", "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [{ "type": "organization", "role": "creator", "Email": [{"EmailTo": "contact@csirt.example.com"}] }] }] } Figure 4: A Minimal Example in JSON Takahashi, et al. Expires August 13, 2020 [Page 20] Internet-Draft JSON-IODEF February 2020 A3 # map(3) 01 # unsigned(1) 63 # text(3) 322E30 # "2.0" 02 # unsigned(2) 62 # text(2) 656E # "en" 06 # unsigned(6) 81 # array(1) A5 # map(5) 17 # unsigned(23) 69 # text(9) 7265706F7274696E67 # "reporting" 0F # unsigned(15) 67 # text(7) 70726976617465 # "private" 18 1B # unsigned(27) A2 # map(2) 18 2B # unsigned(43) 66 # text(6) 343932333832 # "492382" 0A # unsigned(10) 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 18 23 # unsigned(35) 78 19 # text(25) 323031352D30372D31385430393A30303A30302D30353A3030 # "2015-07-18T09:00:00-05:00" 18 27 # unsigned(39) 81 # array(1) A3 # map(3) 18 35 # unsigned(53) 6C # text(12) 6F7267616E697A6174696F6E # "organization" 18 33 # unsigned(51) 67 # text(7) 63726561746F72 # "creator" 18 3B # unsigned(59) 81 # array(1) A1 # map(1) 18 42 # unsigned(66) 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" Figure 5: A Minimal Example in CBOR Takahashi, et al. Expires August 13, 2020 [Page 21] Internet-Draft JSON-IODEF February 2020 4.2. Indicators from a Campaign An example of C2 domains from a given campaign is shown below in JSON and CBOR, respectively. { "version": "2.0", "lang": "en", "Incident": [{ "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [{ "ThreatActor": [{ "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"], "Description": ["Aggressive Butterfly"]}], "Campaign": [{ "CampaignID": ["C-2015-59405"], "Description": ["Orange Giraffe"] }] }], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."], "Assessment": [{ "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}] }], "Contact": [{ "type": "organization", "role": "creator", "ContactName": ["CSIRT for example.com"], "Email": [{ "EmailTo": "contact@csirt.example.com" }] }], "Indicator": [{ "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": ["C2 domains"], "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { Takahashi, et al. Expires August 13, 2020 [Page 22] Internet-Draft JSON-IODEF February 2020 "type": "domain-name", "BulkObservableList": "kj290023j09r34.example.com"} } }] }] } Figure 6: Indicators from a Campaign in JSON A3 # map(3) 01 # unsigned(1) 63 # text(3) 322E30 # "2.0" 02 # unsigned(2) 62 # text(2) 656E # "en" 06 # unsigned(6) 81 # array(1) A9 # map(9) 17 # unsigned(23) 65 # text(5) 7761746368 # "watch" 0F # unsigned(15) 65 # text(5) 677265656E # "green" 18 1B # unsigned(27) A2 # map(2) 18 2B # unsigned(43) 66 # text(6) 383937393233 # "897923" 0A # unsigned(10) 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 18 1D # unsigned(29) 81 # array(1) A2 # map(2) 18 2D # unsigned(45) 81 # array(1) A2 # map(2) 18 31 # unsigned(49) 81 # array(1) 78 1A # text(26) 54412D31322D414747524553534956452D425554544552464C59 # "TA-12-AGGRESSIVE-BUTTERFLY" 14 # unsigned(20) 81 # array(1) 74 # text(20) 4167677265737369766520427574746572666C79 Takahashi, et al. Expires August 13, 2020 [Page 23] Internet-Draft JSON-IODEF February 2020 # "Aggressive Butterfly" 18 2E # unsigned(46) 81 # array(1) A2 # map(2) 18 32 # unsigned(50) 81 # array(1) 6C # text(12) 432D323031352D3539343035 # "C-2015-59405" 14 # unsigned(20) 81 # array(1) 6E # text(14) 4F72616E67652047697261666665 # "Orange Giraffe" 18 23 # unsigned(35) 78 19 # text(25) 323031352D31302D30325431313A31383A30302D30353A3030 # "2015-10-02T11:18:00-05:00" 14 # unsigned(20) 81 # array(1) 78 70 # text(112) 53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F72207468650D0A4F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E # "Summarizes the Indicators of Compromise for the\r\nOrange Giraffe campaign of the Aggressive Butterfly crime gang." 18 25 # unsigned(37) 81 # array(1) A1 # map(1) 18 58 # unsigned(88) 81 # array(1) A1 # map(1) 18 5A # unsigned(90) A1 # map(1) 18 35 # unsigned(53) 72 # text(18) 6272656163682D70726F7072696574617279 # "breach-proprietary" 18 27 # unsigned(39) 81 # array(1) A4 # map(4) 18 35 # unsigned(53) 6C # text(12) 6F7267616E697A6174696F6E # "organization" 18 33 # unsigned(51) 67 # text(7) 63726561746F72 # "creator" 18 37 # unsigned(55) 81 # array(1) 75 # text(21) 435349525420666F72206578616D706C652E636F6D Takahashi, et al. Expires August 13, 2020 [Page 24] Internet-Draft JSON-IODEF February 2020 # "CSIRT for example.com" 18 3B # unsigned(59) 81 # array(1) A1 # map(1) 18 42 # unsigned(66) 78 19 # text(25) 636F6E746163744063736972742E6578616D706C652E636F6D # "contact@csirt.example.com" 18 29 # unsigned(41) 81 # array(1) A4 # map(4) 18 2F # unsigned(47) A3 # map(3) 18 2B # unsigned(43) 69 # text(9) 473930383233343930 # "G90823490" 0A # unsigned(10) 71 # text(17) 63736972742E6578616D706C652E636F6D # "csirt.example.com" 01 # unsigned(1) 61 # text(1) 31 # "1" 14 # unsigned(20) 81 # array(1) 6A # text(10) 433220646F6D61696E73 # "C2 domains" 18 1F # unsigned(31) 78 19 # text(25) 323031342D31322D30325431313A31383A30302D30353A3030 # "2014-12-02T11:18:00-05:00" 18 C4 # unsigned(196) A1 # map(1) 18 C9 # unsigned(201) A2 # map(2) 18 35 # unsigned(53) 6B # text(11) 646F6D61696E2D6E616D65 # "domain-name" 18 CB # unsigned(203) 78 1A # text(26) 6B6A3239303032336A30397233342E6578616D706C652E636F6D # "kj290023j09r34.example.com" Figure 7: Indicators from a Campaign in CBOR Takahashi, et al. Expires August 13, 2020 [Page 25] Internet-Draft JSON-IODEF February 2020 5. Mapkeys The mapkeys are provided in Table Figure 8 for minimizing the CBOR size. +---------------------------------+-------+ |mapkey |cborkey| +---------------------------------+-------+ |iodef-version |1 | |iodef-lang |2 | |iodef-format-id |3 | |iodef-private-enum-name |4 | |iodef-private-enum-id |5 | |iodef-Incident |6 | |iodef-AdditionalData |7 | |iodef-value |8 | |iodef-translation-id |9 | |iodef-name |10 | |iodef-dtype |11 | |iodef-ext-dtype |12 | |iodef-meaning |13 | |iodef-formatid |14 | |iodef-restriction |15 | |iodef-ext-restriction |16 | |iodef-observable-id |17 | |iodef-SoftwareReference |18 | |iodef-URL |19 | |iodef-Description |20 | |iodef-spec-name |21 | |iodef-ext-spec-name |22 | |iodef-purpose |23 | |iodef-ext-purpose |24 | |iodef-status |25 | |iodef-ext-status |26 | |iodef-IncidentID |27 | |iodef-AlternativeID |28 | |iodef-RelatedActivity |29 | |iodef-DetectTime |30 | |iodef-StartTime |31 | |iodef-EndTime |32 | |iodef-RecoveryTime |33 | |iodef-ReportTime |34 | |iodef-GenerationTime |35 | |iodef-Discovery |36 | |iodef-Assessment |37 | |iodef-Method |38 | |iodef-Contact |39 | |iodef-EventData |40 | Takahashi, et al. Expires August 13, 2020 [Page 26] Internet-Draft JSON-IODEF February 2020 |iodef-Indicator |41 | |iodef-History |42 | |iodef-id |43 | |iodef-instance |44 | |iodef-ThreatActor |45 | |iodef-Campaign |46 | |iodef-IndicatorID |47 | |iodef-Confidence |48 | |iodef-ThreatActorID |49 | |iodef-CampaignID |50 | |iodef-role |51 | |iodef-ext-role |52 | |iodef-type |53 | |iodef-ext-type |54 | |iodef-ContactName |55 | |iodef-ContactTitle |56 | |iodef-RegistryHandle |57 | |iodef-PostalAddress |58 | |iodef-Email |59 | |iodef-Telephone |60 | |iodef-Timezone |61 | |iodef-handle |62 | |iodef-registry |63 | |iodef-ext-registry |64 | |iodef-PAddress |65 | |iodef-EmailTo |66 | |iodef-TelephoneNumber |67 | |iodef-source |68 | |iodef-ext-source |69 | |iodef-DetectionPattern |70 | |iodef-DetectionConfiguration |71 | |iodef-Application |72 | |iodef-Reference |73 | |iodef-AttackPattern |74 | |iodef-Vulnerability |75 | |iodef-Weakness |76 | |iodef-SpecID |77 | |iodef-ext-SpecID |78 | |iodef-ContentID |79 | |iodef-RawData |80 | |iodef-Platform |81 | |iodef-Scoring |82 | |iodef-ReferenceName |83 | |iodef-specIndex |84 | |iodef-ID |85 | |iodef-occurrence |86 | |iodef-IncidentCategory |87 | |iodef-Impact |88 | Takahashi, et al. Expires August 13, 2020 [Page 27] Internet-Draft JSON-IODEF February 2020 |iodef-SystemImpact |89 | |iodef-BusinessImpact |90 | |iodef-TimeImpact |91 | |iodef-MonetaryImpact |92 | |iodef-IntendedImpact |93 | |iodef-Counter |94 | |iodef-MitigatingFactor |95 | |iodef-Cause |96 | |iodef-severity |97 | |iodef-completion |98 | |iodef-ext-severity |99 | |iodef-metric |100 | |iodef-ext-metric |101 | |iodef-duration |102 | |iodef-ext-duration |103 | |iodef-currency |104 | |iodef-rating |105 | |iodef-ext-rating |106 | |iodef-HistoryItem |107 | |iodef-action |108 | |iodef-ext-action |109 | |iodef-DateTime |110 | |iodef-DefinedCOA |111 | |iodef-System |112 | |iodef-Expectation |113 | |iodef-RecordData |114 | |iodef-category |115 | |iodef-ext-category |116 | |iodef-interface |117 | |iodef-spoofed |118 | |iodef-virtual |119 | |iodef-ownership |120 | |iodef-ext-ownership |121 | |iodef-Node |122 | |iodef-NodeRole |123 | |iodef-Service |124 | |iodef-OperatingSystem |125 | |iodef-AssetID |126 | |iodef-DomainData |127 | |iodef-Address |128 | |iodef-Location |129 | |iodef-vlan-name |130 | |iodef-vlan-num |131 | |iodef-unit |132 | |iodef-ext-unit |133 | |iodef-system-status |134 | |iodef-ext-system-status |135 | |iodef-domain-status |136 | Takahashi, et al. Expires August 13, 2020 [Page 28] Internet-Draft JSON-IODEF February 2020 |iodef-ext-domain-status |137 | |iodef-Name |138 | |iodef-DateDomainWasChecked |139 | |iodef-RegistrationDate |140 | |iodef-ExpirationDate |141 | |iodef-RelatedDNS |142 | |iodef-NameServers |143 | |iodef-DomainContacts |144 | |iodef-Server |145 | |iodef-SameDomainContact |146 | |iodef-ip-protocol |147 | |iodef-ServiceName |148 | |iodef-Port |149 | |iodef-Portlist |150 | |iodef-ProtoCode |151 | |iodef-ProtoType |152 | |iodef-ProtoField |153 | |iodef-ApplicationHeaderField |154 | |iodef-EmailData |155 | |iodef-IANAService |156 | |iodef-EmailFrom |157 | |iodef-EmailSubject |158 | |iodef-EmailX-Mailer |159 | |iodef-EmailHeaderField |160 | |iodef-EmailHeaders |161 | |iodef-EmailBody |162 | |iodef-EmailMessage |163 | |iodef-HashData |164 | |iodef-Signature |165 | |iodef-RecordPattern |166 | |iodef-RecordItem |167 | |iodef-FileData |168 | |iodef-WindowsRegistryKeysModified|169 | |iodef-CertificateData |170 | |iodef-offset |171 | |iodef-offsetunit |172 | |iodef-ext-offsetunit |173 | |iodef-Key |174 | |iodef-registryaction |175 | |iodef-ext-registryaction |176 | |iodef-KeyName |177 | |iodef-KeyValue |178 | |iodef-Certificate |179 | |iodef-X509Data |180 | |iodef-File |181 | |iodef-FileName |182 | |iodef-FileSize |183 | |iodef-FileType |184 | Takahashi, et al. Expires August 13, 2020 [Page 29] Internet-Draft JSON-IODEF February 2020 |iodef-AssociatedSoftware |185 | |iodef-FileProperties |186 | |iodef-scope |187 | |iodef-HashTargetID |188 | |iodef-Hash |189 | |iodef-FuzzyHash |190 | |iodef-DigestMethod |191 | |iodef-DigestValue |192 | |iodef-CanonicalizationMethod |193 | |iodef-FuzzyHashValue |194 | |iodef-AlternativeIndicatorID |195 | |iodef-Observable |196 | |iodef-uid-ref |197 | |iodef-IndicatorExpression |198 | |iodef-IndicatorReference |199 | |iodef-AttackPhase |200 | |iodef-BulkObservable |201 | |iodef-BulkObservableFormat |202 | |iodef-BulkObservableList |203 | |iodef-operator |204 | |iodef-ext-operator |205 | |iodef-euid-ref |206 | |iodef-AttackPhaseID |207 | +---------------------------------+-------+ Figure 8: Mapkeys 6. The IODEF Data Model (CDDL) This section provides the IODEF data model. Note that mapkeys are described at the beginning of the CDDL data model for better readability. start = iodef ;;; iodef.json: IODEF-Document iodef-version = 1 iodef-lang = 2 iodef-format-id = 3 iodef-private-enum-name = 4 iodef-private-enum-id = 5 iodef-Incident = 6 iodef-AdditionalData = 7 iodef-value = 8 iodef-translation-id = 9 iodef-name = 10 iodef-dtype = 11 Takahashi, et al. Expires August 13, 2020 [Page 30] Internet-Draft JSON-IODEF February 2020 iodef-ext-dtype = 12 iodef-meaning = 13 iodef-formatid = 14 iodef-restriction = 15 iodef-ext-restriction = 16 iodef-observable-id = 17 iodef-SoftwareReference = 18 iodef-URL = 19 iodef-Description = 20 iodef-spec-name = 21 iodef-ext-spec-name = 22 iodef-purpose = 23 iodef-ext-purpose = 24 iodef-status = 25 iodef-ext-status = 26 iodef-IncidentID = 27 iodef-AlternativeID = 28 iodef-RelatedActivity = 29 iodef-DetectTime = 30 iodef-StartTime = 31 iodef-EndTime = 32 iodef-RecoveryTime = 33 iodef-ReportTime = 34 iodef-GenerationTime = 35 iodef-Discovery = 36 iodef-Assessment = 37 iodef-Method = 38 iodef-Contact = 39 iodef-EventData = 40 iodef-Indicator = 41 iodef-History = 42 iodef-id = 43 iodef-instance = 44 iodef-ThreatActor = 45 iodef-Campaign = 46 iodef-IndicatorID = 47 iodef-Confidence = 48 iodef-ThreatActorID = 49 iodef-CampaignID = 50 iodef-role = 51 iodef-ext-role = 52 iodef-type = 53 iodef-ext-type = 54 iodef-ContactName = 55 iodef-ContactTitle = 56 iodef-RegistryHandle = 57 iodef-PostalAddress = 58 iodef-Email = 59 Takahashi, et al. Expires August 13, 2020 [Page 31] Internet-Draft JSON-IODEF February 2020 iodef-Telephone = 60 iodef-Timezone = 61 iodef-handle = 62 iodef-registry = 63 iodef-ext-registry = 64 iodef-PAddress = 65 iodef-EmailTo = 66 iodef-TelephoneNumber = 67 iodef-source = 68 iodef-ext-source = 69 iodef-DetectionPattern = 70 iodef-DetectionConfiguration = 71 iodef-Application = 72 iodef-Reference = 73 iodef-AttackPattern = 74 iodef-Vulnerability = 75 iodef-Weakness = 76 iodef-SpecID = 77 iodef-ext-SpecID = 78 iodef-ContentID = 79 iodef-RawData = 80 iodef-Platform = 81 iodef-Scoring = 82 iodef-ReferenceName = 83 iodef-specIndex = 84 iodef-ID = 85 iodef-occurrence = 86 iodef-IncidentCategory = 87 iodef-Impact = 88 iodef-SystemImpact = 89 iodef-BusinessImpact = 90 iodef-TimeImpact = 91 iodef-MonetaryImpact = 92 iodef-IntendedImpact = 93 iodef-Counter = 94 iodef-MitigatingFactor = 95 iodef-Cause = 96 iodef-severity = 97 iodef-completion = 98 iodef-ext-severity = 99 iodef-metric = 100 iodef-ext-metric = 101 iodef-duration = 102 iodef-ext-duration = 103 iodef-currency = 104 iodef-rating = 105 iodef-ext-rating = 106 iodef-HistoryItem = 107 Takahashi, et al. Expires August 13, 2020 [Page 32] Internet-Draft JSON-IODEF February 2020 iodef-action = 108 iodef-ext-action = 109 iodef-DateTime = 110 iodef-DefinedCOA = 111 iodef-System = 112 iodef-Expectation = 113 iodef-RecordData = 114 iodef-category = 115 iodef-ext-category = 116 iodef-interface = 117 iodef-spoofed = 118 iodef-virtual = 119 iodef-ownership = 120 iodef-ext-ownership = 121 iodef-Node = 122 iodef-NodeRole = 123 iodef-Service = 124 iodef-OperatingSystem = 125 iodef-AssetID = 126 iodef-DomainData = 127 iodef-Address = 128 iodef-Location = 129 iodef-vlan-name = 130 iodef-vlan-num = 131 iodef-unit = 132 iodef-ext-unit = 133 iodef-system-status = 134 iodef-ext-system-status = 135 iodef-domain-status = 136 iodef-ext-domain-status = 137 iodef-Name = 138 iodef-DateDomainWasChecked = 139 iodef-RegistrationDate = 140 iodef-ExpirationDate = 141 iodef-RelatedDNS = 142 iodef-NameServers = 143 iodef-DomainContacts = 144 iodef-Server = 145 iodef-SameDomainContact = 146 iodef-ip-protocol = 147 iodef-ServiceName = 148 iodef-Port = 149 iodef-Portlist = 150 iodef-ProtoCode = 151 iodef-ProtoType = 152 iodef-ProtoField = 153 iodef-ApplicationHeaderField = 154 iodef-EmailData = 155 Takahashi, et al. Expires August 13, 2020 [Page 33] Internet-Draft JSON-IODEF February 2020 iodef-IANAService = 156 iodef-EmailFrom = 157 iodef-EmailSubject = 158 iodef-EmailX-Mailer = 159 iodef-EmailHeaderField = 160 iodef-EmailHeaders = 161 iodef-EmailBody = 162 iodef-EmailMessage = 163 iodef-HashData = 164 iodef-Signature = 165 iodef-RecordPattern = 166 iodef-RecordItem = 167 iodef-FileData = 168 iodef-WindowsRegistryKeysModified = 169 iodef-CertificateData = 170 iodef-offset = 171 iodef-offsetunit = 172 iodef-ext-offsetunit = 173 iodef-Key = 174 iodef-registryaction = 175 iodef-ext-registryaction = 176 iodef-KeyName = 177 iodef-KeyValue = 178 iodef-Certificate = 179 iodef-X509Data = 180 iodef-File = 181 iodef-FileName = 182 iodef-FileSize = 183 iodef-FileType = 184 iodef-AssociatedSoftware = 185 iodef-FileProperties = 186 iodef-scope = 187 iodef-HashTargetID = 188 iodef-Hash = 189 iodef-FuzzyHash = 190 iodef-DigestMethod = 191 iodef-DigestValue = 192 iodef-CanonicalizationMethod = 193 iodef-FuzzyHashValue = 194 iodef-AlternativeIndicatorID = 195 iodef-Observable = 196 iodef-uid-ref = 197 iodef-IndicatorExpression = 198 iodef-IndicatorReference = 199 iodef-AttackPhase = 200 iodef-BulkObservable = 201 iodef-BulkObservableFormat = 202 iodef-BulkObservableList = 203 Takahashi, et al. Expires August 13, 2020 [Page 34] Internet-Draft JSON-IODEF February 2020 iodef-operator = 204 iodef-ext-operator = 205 iodef-euid-ref = 206 iodef-AttackPhaseID = 207 iodef = { iodef-version => text, ? iodef-lang => lang, ? iodef-format-id => text ? iodef-private-enum-name => text, ? iodef-private-enum-id => text, iodef-Incident => [+ Incident], ? iodef-AdditionalData => [+ ExtensionType] } duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / "year" / "ext-value" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDREFType = IDtype URLtype = uri TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]" PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*" action = "nothing" / "contact-source-site" / "contact-target-site" / "contact-sender" / "investigate" / "block-host" / "block-network" / "block-port" / "rate-limit-host" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "honeypot" / "upgrade-software" / "rebuild-asset" / "harden-asset" / "remediate-other" / "status-triage" / "status-new-info" / "watch-and-report" / "training" / "defined-coa" / "other" / "ext-value" DATETIME = tdate BYTE = eb64legacy MLStringType = { iodef-value => text, ? iodef-lang => lang, ? iodef-translation-id => text } / text PositiveFloatType = float32 .gt 0 Takahashi, et al. Expires August 13, 2020 [Page 35] Internet-Draft JSON-IODEF February 2020 PAddressType = MLStringType ExtensionType = { iodef-value => text, ? iodef-name => text, iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" .default "string" ? iodef-ext-dtype => text, ? iodef-meaning => text, ? iodef-formatid => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, } SoftwareType = { ? iodef-SoftwareReference => SoftwareReference, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } SoftwareReference = { ? iodef-value => text, iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value", ? iodef-ext-spec-name => text, ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" .default "string", ? iodef-ext-dtype => text } Incident = { iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value", ? iodef-ext-purpose => text, ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / "future" / "ext-value", ? iodef-ext-status => text, ? iodef-lang => lang, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-IncidentID => IncidentID, ? iodef-AlternativeID => AlternativeID, ? iodef-RelatedActivity => [+ RelatedActivity], ? iodef-DetectTime => DATETIME, Takahashi, et al. Expires August 13, 2020 [Page 36] Internet-Draft JSON-IODEF February 2020 ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-RecoveryTime => DATETIME, ? iodef-ReportTime => DATETIME, iodef-GenerationTime => DATETIME, ? iodef-Description => [+ MLStringType], ? iodef-Discovery => [+ Discovery], ? iodef-Assessment => [+ Assessment], ? iodef-Method => [+ Method], iodef-Contact => [+ Contact], ? iodef-EventData => [+ EventData], ? iodef-Indicator => [+ Indicator], ? iodef-History => History, ? iodef-AdditionalData => [+ ExtensionType] } IncidentID = { iodef-id => text, iodef-name => text, ? iodef-instance => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text } AlternativeID = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-IncidentID => [+ IncidentID] } RelatedActivity = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-IncidentID => [+ IncidentID], ? iodef-URL => [+ URLtype], ? iodef-ThreatActor => [+ ThreatActor], ? iodef-Campaign => [+ Campaign], ? iodef-IndicatorID => [+ IndicatorID], ? iodef-Confidence => Confidence, ? iodef-Description => [+ text], ? iodef-AdditionalData => [+ ExtensionType] } ThreatActor = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-ThreatActorID => [+ text], ? iodef-URL => [+ URLtype], Takahashi, et al. Expires August 13, 2020 [Page 37] Internet-Draft JSON-IODEF February 2020 ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] } Campaign = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-CampaignID => [+ text], ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] } Contact = { iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /, "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" / "victim" / "victim-notified" / "ext-value", ? iodef-ext-role => text, iodef-type => "person" / "organization" / "ext-value", ? iodef-ext-type => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-ContactName => [+ MLStringType], ? iodef-ContactTitle => [+ MLStringType], ? iodef-Description => [+ MLStringType], ? iodef-RegistryHandle => [+ RegistryHandle], ? iodef-PostalAddress => [+ PostalAddress], ? iodef-Email => [+ Email], ? iodef-Telephone => [+ Telephone], ? iodef-Timezone => TimeZonetype, ? iodef-Contact => [+ Contact], ? iodef-AdditionalData => [+ ExtensionType] } RegistryHandle = { iodef-handle => text, iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" / "afrinic" / "local" / "ext-value", ? iodef-ext-registry => text } PostalAddress = { ? iodef-type => "street" / "mailing" / "ext-value", ? iodef-ext-type => text, iodef-PAddress => PAddressType, ? iodef-Description => [+ MLStringType] } Takahashi, et al. Expires August 13, 2020 [Page 38] Internet-Draft JSON-IODEF February 2020 Email = { ? iodef-type => "direct" / "hotline" / "ext-value", ? iodef-ext-type => text, iodef-EmailTo => text, ? iodef-Description => [+ MLStringType] } Telephone = { ? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value", ? iodef-ext-type => text, iodef-TelephoneNumber => text, ? iodef-Description => [+ MLStringType] } Discovery = { ? iodef-source => "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / "incident" / "os-log" / "application-log" / "device-log" / "network-flow" / "passive-dns" / "investigation" / "audit" / "internal-notification" / "external-notification" / "leo" / "partner" / "actor" / "unknown" / "ext-value", ? iodef-ext-source => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-Description => [+ MLStringType], ? iodef-Contact => [+ Contact], ? iodef-DetectionPattern => [+ DetectionPattern] } DetectionPattern = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, (iodef-Description => [+ MLStringType], iodef-DetectionConfiguration => [+ text]), iodef-Application => SoftwareType } Method = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-Reference => [+ Reference], ? iodef-Description => [+ MLStringType], ? iodef-AttackPattern => [+ StructuredInfo], ? iodef-Vulnerability => [+ StructuredInfo], ? iodef-Weakness => [+ StructuredInfo], ? iodef-AdditionalData => [+ ExtensionType] } Takahashi, et al. Expires August 13, 2020 [Page 39] Internet-Draft JSON-IODEF February 2020 StructuredInfo = { iodef-SpecID => SpecID, ? iodef-ext-SpecID => text, ? iodef-ContentID => text, ? (iodef-RawData => [+ BYTE], iodef-Reference => [+ Reference]), ? iodef-Platform => [+ Platform], ? iodef-Scoring => [+ Scoring] } Platform = { iodef-SpecID => SpecID, ? iodef-ext-SpecID => text, ? iodef-ContentID => text, ? iodef-RawData => [+ BYTE], ? iodef-Reference => [+ Reference] } Scoring = { iodef-SpecID => SpecID, ? iodef-ext-SpecID => text, ? iodef-ContentID => text, ? iodef-RawData => [+ BYTE], ? iodef-Reference => [+ Reference] } Reference = { ? iodef-observable-id => IDtype, ? iodef-ReferenceName => ReferenceName, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } ReferenceName = { iodef-specIndex => integer, iodef-ID => IDtype } Assessment = { ? iodef-occurrence => "actual" / "potential", ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-IncidentCategory => [+ MLStringType], iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} / {iodef-BusinessImpact => BusinessImpact / {iodef-TimeImpact => TimeImpact} / {iodef-MonetaryImpact => MonetaryImpact} / {iodef-IntendedImpact => BusinessImpact}], ? iodef-Counter => [+ Counter], Takahashi, et al. Expires August 13, 2020 [Page 40] Internet-Draft JSON-IODEF February 2020 ? iodef-MitigatingFactor => [+ MLStringType], ? iodef-Cause => [+ MLStringType], ? iodef-Confidence => Confidence, ? iodef-AdditionalData => [+ ExtensionType] } SystemImpact = { ? iodef-severity => "low" / "medium" / "high", ? iodef-completion => "failed" / "succeeded", iodef-type => "takeover-account" / "takeover-service" / "takeover-system" / "cps-manipulation" / "cps-damage" / "availability-data" / "availability-account" / "availability-service" / "availability-system" / "damaged-system" / "damaged-data" / "breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-configuration" / "integrity-data" / "integrity-configuration" / "integrity-hardware" / "traffic-redirection" / "monitoring-traffic" / "monitoring-host" / "policy" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-type => text, ? iodef-Description => [+ MLStringType] } BusinessImpact = { ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-severity => text, iodef-type => "breach-proprietary" / "breach-privacy" / "breach-credential" / "loss-of-integrity" / "loss-of-service" / "theft-financial" / "theft-service" / "degraded-reputation" / "asset-damage" / "asset-manipulation" / "legal" / "extortion" / "unknown" / "ext-value" .default "unknown", ? iodef-ext-type => text, ? iodef-Description => [+ MLStringType] } TimeImpact = { iodef-value => PositiveFloatType, ? iodef-severity => "low" / "medium" / "high", iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value", ? iodef-ext-metric => text, ? iodef-duration => duration .default "hour", ? iodef-ext-duration => text } MonetaryImpact = { iodef-value => PositiveFloatType, ? iodef-severity => "low" / "medium" / "high", ? iodef-currency => text Takahashi, et al. Expires August 13, 2020 [Page 41] Internet-Draft JSON-IODEF February 2020 } Confidence = { iodef-value => float32, iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value", ? iodef-ext-rating => text } History = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-HistoryItem => [+ HistoryItem] } HistoryItem = { iodef-action => action .default "other", ? iodef-ext-action => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-DateTime => DATETIME, ? iodef-IncidentID => IncidentID, ? iodef-Contact => Contact, ? iodef-Description => [+ MLStringType], ? iodef-DefinedCOA => [+ text], ? iodef-AdditionalData => [+ ExtensionType] } EventData = { ? iodef-restriction => restriction .default "default", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType], ? iodef-DetectTime => DATETIME, ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-RecoveryTime => DATETIME, ? iodef-ReportTime => DATETIME, ? iodef-Contact => [+ Contact], ? iodef-Discovery => [+ Discovery], ? iodef-Assessment => Assessment, ? iodef-Method => [+ Method], ? iodef-System => [+ System], ? iodef-Expectation => [+ Expectation], ? iodef-RecordData => [+ RecordData], ? iodef-EventData => [+ EventData], ? iodef-AdditionalData => [+ ExtensionType] } Takahashi, et al. Expires August 13, 2020 [Page 42] Internet-Draft JSON-IODEF February 2020 Expectation = { ? iodef-action => action .default "other", ? iodef-ext-action => text, ? iodef-severity => "low" / "medium" / "high", ? iodef-restriction => restriction .default "default", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-Description => [+ MLStringType], ? iodef-DefinedCOA => [+ text], ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-Contact => Contact } System = { ? iodef-category => "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value", ? iodef-ext-category => text, ? iodef-interface => text, ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown", ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown", ? iodef-ownership => "organization" / "personal" / "partner" / "customer" / "no-relationship" / "unknown" / "ext-value", ? iodef-ext-ownership => text, ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-Node => Node, ? iodef-NodeRole => [+ NodeRole], ? iodef-Service => [+ Service], ? iodef-OperatingSystem => [+ SoftwareType], ? iodef-Counter => [+ Counter], ? iodef-AssetID => [+ text], ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] } Node = { (iodef-DomainData => [+ DomainData], ? iodef-Address => [+ Address] // ? iodef-DomainData => [+ DomainData], iodef-Address => [+ Address]), ? iodef-PostalAddress => PostalAddress, ? iodef-Location => [+ MLStringType], ? iodef-Counter => [+ Counter] } Address = { Takahashi, et al. Expires August 13, 2020 [Page 43] Internet-Draft JSON-IODEF February 2020 iodef-value => text, iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" / "ext-value" .default "ipv6-addr", ? iodef-ext-category => text, ? iodef-vlan-name => text, ? iodef-vlan-num => integer, ? iodef-observable-id => IDtype } NodeRole = { iodef-category => "client" / "client-enterprise" / "client-partner" / "client-remote" / "client-kiosk" / "client-mobile" / "server-internal" / "server-public" / "www" / "mail" / "webmail" / "messaging" / "streaming" / "voice" / "file" / "ftp" / "p2p" / "name" / "directory" / "credential" / "print" / "application" / "database" / "backup" / "dhcp" / "assessment" / "source-control" / "config-management" / "monitoring" / "infra" / "infra-firewall" / "infra-router" / "infra-switch" / "camera" / "proxy" / "remote-access" / "log" / "virtualization" / "pos" / "scada" / "scada-supervisory" / "sinkhole" / "honeypot" / "anomyzation" / "c2-server" / "malware-distribution" / "drop-server" / "hop-point" / "reflector" / "phishing-site" / "spear-phishing-site" / "recruiting-site" / "fraudulent-site" / "ext-value", ? iodef-ext-category => text, ? iodef-Description => [+ MLStringType] } Counter = { iodef-value => float32, iodef-type => "count" / "peak" / "average" / "ext-value", ? iodef-ext-type => text, iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" / "alert" / "message" / "event" / "host" / "site" / "organization" / "ext-value", ? iodef-ext-unit => text, ? iodef-meaning => text, ? iodef-duration => duration .default "hour", ? iodef-ext-duration => text } DomainData = { iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value", ? iodef-ext-system-status => text, Takahashi, et al. Expires August 13, 2020 [Page 44] Internet-Draft JSON-IODEF February 2020 iodef-domain-status => "reservedDelegation" / "assignedAndActive" / "assignedAndInactive" / "assignedAndOnHold" / "revoked" / "transferPending" / "registryLock" / "registrarLock" / "other" / "unknown" / "ext-value", ? iodef-ext-domain-status => text, ? iodef-observable-id => IDtype, iodef-Name => text, ? iodef-DateDomainWasChecked => DATETIME, ? iodef-RegistrationDate => DATETIME, ? iodef-ExpirationDate => DATETIME, ? iodef-RelatedDNS => [+ ExtensionType], ? iodef-NameServers => [+ NameServers], ? iodef-DomainContacts => DomainContacts } NameServers = { iodef-Server => text, iodef-Address => [+ Address] } DomainContacts = { (iodef-SameDomainContact => text // iodef-Contact => [+ Contact]) } Service = { ? iodef-ip-protocol => integer, ? iodef-observable-id => IDtype, ? iodef-ServiceName => ServiceName, ? iodef-Port => integer, ? iodef-Portlist => PortlistType, ? iodef-ProtoCode => integer, ? iodef-ProtoType => integer, ? iodef-ProtoField => integer, ? iodef-ApplicationHeaderField => [+ ExtensionType], ? iodef-EmailData => EmailData, ? iodef-Application => SoftwareType } ServiceName = { ? iodef-IANAService => text, ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType] } EmailData = { ? iodef-observable-id => IDtype, ? iodef-EmailTo => [+ text], ? iodef-EmailFrom => text, Takahashi, et al. Expires August 13, 2020 [Page 45] Internet-Draft JSON-IODEF February 2020 ? iodef-EmailSubject => text, ? iodef-EmailX-Mailer => text, ? iodef-EmailHeaderField => [+ ExtensionType], ? iodef-EmailHeaders => text, ? iodef-EmailBody => text, ? iodef-EmailMessage => text, ? iodef-HashData => [+ HashData], ? iodef-Signature => [+ BYTE] } RecordData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, ? iodef-DateTime => DATETIME, ? iodef-Description => [+ MLStringType], ? iodef-Application => SoftwareType, ? iodef-RecordPattern => [+ RecordPattern], ? iodef-RecordItem => [+ ExtensionType], ? iodef-URL => [+ URLtype], ? iodef-FileData => [+ FileData], ? iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified], ? iodef-CertificateData => [+ CertificateData], ? iodef-AdditionalData => [+ ExtensionType] } RecordPattern = { iodef-value => text, iodef-type => "regex" / "binary" / "xpath" / "ext-value" .default "regex", ? iodef-ext-type => text, ? iodef-offset => integer, ? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line", ? iodef-ext-offsetunit => text, ? iodef-instance => integer } WindowsRegistryKeysModified = { ? iodef-observable-id => IDtype, iodef-Key => [+ Key] } Key = { ? iodef-registryaction => "add-key" / "add-value" / "delete-key" / "delete-value" / "modify-key" / "modify-value" / "ext-value", ? iodef-ext-registryaction => text, ? iodef-observable-id => IDtype, iodef-KeyName => text, Takahashi, et al. Expires August 13, 2020 [Page 46] Internet-Draft JSON-IODEF February 2020 ? iodef-KeyValue => text } CertificateData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-Certificate => [+ Certificate] } Certificate = { ? iodef-observable-id => IDtype, iodef-X509Data => BYTE, ? iodef-Description => [+ MLStringType] } FileData = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? iodef-observable-id => IDtype, iodef-File => [+ File] } File = { ? iodef-observable-id => IDtype, ? iodef-FileName => text, ? iodef-FileSize => integer, ? iodef-FileType => text, ? iodef-URL => [+ URLtype], ? iodef-HashData => HashData, ? iodef-Signature => [+ BYTE], ? iodef-AssociatedSoftware => SoftwareType, ? iodef-FileProperties => [+ ExtensionType] } HashData = { iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" / "file-pe-resource" / "file-pdf-object" / "email-hash" / "email-headers-hash" / "email-body-hash" / "ext-value", ? iodef-HashTargetID => text, ? iodef-Hash => [+ Hash], ? iodef-FuzzyHash => [+ FuzzyHash] } Hash = { iodef-DigestMethod => BYTE, iodef-DigestValue => BYTE, ? iodef-CanonicalizationMethod => BYTE, Takahashi, et al. Expires August 13, 2020 [Page 47] Internet-Draft JSON-IODEF February 2020 ? iodef-Application => SoftwareType } FuzzyHash = { iodef-FuzzyHashValue => [+ ExtensionType], ? iodef-Application => SoftwareType, ? iodef-AdditionalData => [+ ExtensionType] } Indicator = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-IndicatorID => IndicatorID, ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID], ? iodef-Description => [+ MLStringType], ? iodef-StartTime => DATETIME, ? iodef-EndTime => DATETIME, ? iodef-Confidence => Confidence, ? iodef-Contact => [+ Contact], (iodef-Observable => Observable // iodef-uid-ref => IDREFType // iodef-IndicatorExpression => IndicatorExpression // iodef-IndicatorReference => IndicatorReference), ? iodef-NodeRole => [+ NodeRole], ? iodef-AttackPhase => [+ AttackPhase], ? iodef-Reference => [+ Reference], ? iodef-AdditionalData => [+ ExtensionType] } IndicatorID = { iodef-id => IDtype, iodef-name => text, iodef-version => text } AlternativeIndicatorID = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, iodef-IndicatorID => [+ IndicatorID] } Observable = { ? iodef-restriction => restriction .default "private", ? iodef-ext-restriction => text, ? (iodef-System => System // iodef-Address => Address // iodef-DomainData => DomainData // iodef-EmailData => EmailData // iodef-Service => Service // iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified // iodef-FileData => FileData // iodef-CertificateData => CertificateData // iodef-RegistryHandle => RegistryHandle // iodef-RecordData => RecordData // Takahashi, et al. Expires August 13, 2020 [Page 48] Internet-Draft JSON-IODEF February 2020 iodef-EventData => EventData // iodef-Incident => Incident // iodef-Expectation => Expectation // iodef-Reference => Reference // iodef-Assessment => Assessment // iodef-DetectionPattern => DetectionPattern // iodef-HistoryItem => HistoryItem // iodef-BulkObservable => BulkObservable // iodef-AdditionalData => [+ ExtensionType]) } BulkObservable = { ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" / "domain-to-ipv6" / "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" / "email-x-mailer" / "email-subject" / "http-user-agent" / "http-request-uri" / "mutex" / "file-path" / "user-name" / "ext-value", ? iodef-ext-type => text, ? iodef-BulkObservableFormat => BulkObservableFormat, iodef-BulkObservableList => text, ? iodef-AdditionalData => [+ ExtensionType] } BulkObservableFormat = { (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType]) } IndicatorExpression = { ? iodef-operator => "not" / "and" / "or" / "xor" .default "and", ? iodef-ext-operator => text, ? iodef-IndicatorExpression => [+ IndicatorExpression], ? iodef-Observable => [+ Observable], ? iodef-uid-ref => [+ IDREFType], ? iodef-IndicatorReference => [+ IndicatorReference], ? iodef-Confidence => Confidence, ? iodef-AdditionalData => [+ ExtensionType] } IndicatorReference = { (iodef-uid-ref => IDREFType // iodef-euid-ref => text), ? iodef-version => text } AttackPhase = { ? iodef-AttackPhaseID => [+ text], ? iodef-URL => [+ URLtype], ? iodef-Description => [+ MLStringType], ? iodef-AdditionalData => [+ ExtensionType] } Takahashi, et al. Expires August 13, 2020 [Page 49] Internet-Draft JSON-IODEF February 2020 Figure 9: Data Model in CDDL 7. IANA Considerations This document does not require any IANA actions. 8. Security Considerations This document provides a mapping from XML IODEF defined in [RFC7970] to JSON, and Section 3.2 describes several issues that arise when converting XML IODEF and JSON IODEF. Though it does not provide any further security considerations than the one described in [RFC7970], impelementers of this document should be aware of those issues to avoid any unintended outcome. 9. Acknowledgments We would like to thank Henk Birkholz, Carsten Bormann, Benjamin Kaduk, Yasuaki Morita, and Takahiko Nagata for their insightful comments on this document and CDDL. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>. [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, <https://www.rfc-editor.org/info/rfc4648>. [RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, October 2013, <https://www.rfc-editor.org/info/rfc7049>. [RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, DOI 10.17487/RFC7203, April 2014, <https://www.rfc-editor.org/info/rfc7203>. Takahashi, et al. Expires August 13, 2020 [Page 50] Internet-Draft JSON-IODEF February 2020 [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>. [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <https://www.rfc-editor.org/info/rfc8259>. [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019, <https://www.rfc-editor.org/info/rfc8610>. 10.2. Informative References [I-D.handrews-json-schema-validation] Wright, A., Andrews, H., and B. Hutton, "JSON Schema Validation: A Vocabulary for Structural Validation of JSON", draft-handrews-json-schema-validation-02 (work in progress), September 2019. Appendix A. Data Types used in this document The CDDL prelude used in this document is mapped to JSON as shown in the table below. +-----------------+-------------------+----------------------------+ | CDDL Prelude | Use of JSON | Instance | Validation | +-----------------+-------------------+----------------------------+ | bytes | n/a | string | tool available | | text | string | string | unnecessary | | tdate | n/a | string | 7.3.1 date-time | | integer | n/a | number | integer | | eb64legacy | n/a | string | tool available | | uri | n/a | string | 7.3.6 uri | | float32 | float32 | number | unnecessary | +-----------------+-------------------+----------------------------+ Figure 10: CDDL Prelude mapping in JSON Takahashi, et al. Expires August 13, 2020 [Page 51] Internet-Draft JSON-IODEF February 2020 Appendix B. The IODEF Data Model (JSON Schema) This section provides a JSON schema [I-D.handrews-json-schema-validation] that defines the IODEF Data Model defined in this draft. Note that this section is Informative. { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site", "contact-target-site","contact-sender","investigate", "block-host","block-network","block-port","rate-limit-host", "rate-limit-network","rate-limit-port","redirect-traffic", "honeypot","upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","other", "ext-value"]}, "duration":{"enum":["second","minute","hour","day","month", "quarter","year","ext-value"]}, "SpecID":{ "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2","private"]}, "lang": { "type":"string","pattern":"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"}, "purpose": {"enum": ["traceback","mitigation","reporting","watch", "other","ext-value"]}, "restriction":{"enum":["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved", "future","ext-value"]}, "DATETIME": {"type": "string","format": "date-time"}, "BYTE": {"type": "string"}, "PortlistType": { "type": "string","pattern": "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"}, "TimeZonetype": { "type":"string","pattern":"Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"}, "URLtype": { "type": "string", "pattern": "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"}, "IDtype": {"type": "string","pattern": "[a-zA-Z_][a-zA-Z0-9_.-]*"}, "IDREFType": {"$ref": "#/definitions/IDtype"}, "MLStringType": { "oneOf": [{"type": "string"}, {"type": "object", "properties": { "value": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "translation-id": {"type": "string"}}, "required": ["value"], Takahashi, et al. Expires August 13, 2020 [Page 52] Internet-Draft JSON-IODEF February 2020 "additionalProperties":false}]}, "PositiveFloatType": {"type": "number","minimum": 0}, "PAddressType": {"$ref": "#/definitions/MLStringType"}, "ExtensionType": { "type": "object", "properties": { "value": {"type": "string"}, "name": {"type": "string"}, "dtype":{"enum":["boolean","byte","bytes","character", "json", "date-time","ntpstamp","integer","portlist","real","string", "file","path","frame","packet","ipv4-packet","ipv6-packet", "url", "csv","winreg","xml","ext-value"],"default": "string"}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": { "$ref": "#/definitions/restriction","default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","dtype"], "additionalProperties":false}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference":{"$ref": "#/definitions/SoftwareReference"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype", "minItems": 1}}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1 }}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"enum": ["custom","cpe","swid","ext-value"]}, "ext-spec-name": {"type": "string"}, "dtype": {"enum": ["bytes","integer","real","string","xml", "ext-value"] , "default": "string"}, "ext-dtype": {"type": "string"}}, Takahashi, et al. Expires August 13, 2020 [Page 53] Internet-Draft JSON-IODEF February 2020 "required": ["spec-name"], "additionalProperties": false}, "StructuredInfo": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1 }, "Platform": { "type": "array", "items": {"$ref": "#/definitions/Platform"}, "minItems": 1 }, "Scoring": { "type": "array", "items": {"$ref": "#/definitions/Scoring"}, "minItems": 1}}, "allOf": [ {"required": ["SpecID"]}, {"anyOf": [ {"oneOf": [ {"required":["Reference"]}, {"required":["RawData"]}]}, { "not" : {"required":["Reference", "RawData"]}}]}], "additionalProperties": false}, "Platform": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 54] Internet-Draft JSON-IODEF February 2020 "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Scoring": { "type": "object", "properties": { "SpecID": {"$ref":"#/definitions/SpecID"}, "ext-SpecID": {"type": "string"}, "ContentID": {"type": "string"}, "RawData": { "type": "array", "items": {"$ref":"#/definitions/BYTE"}, "minItems": 1 }, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}}, "required": ["SpecID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array", "items": {"$ref": "#/definitions/RelatedActivity"}, "minItems": 1}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "GenerationTime": {"$ref": "#/definitions/DATETIME"}, "Description": { Takahashi, et al. Expires August 13, 2020 [Page 55] Internet-Draft JSON-IODEF February 2020 "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": { "type": "array", "items": {"$ref": "#/definitions/Assessment"}, "minItems": 1}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "Indicator": { "type": "array", "items": {"$ref": "#/definitions/Indicator"}, "minItems": 1}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IncidentID","GenerationTime","Contact","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["id","name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", Takahashi, et al. Expires August 13, 2020 [Page 56] Internet-Draft JSON-IODEF February 2020 "properties": { "IncidentID": { "type": "array", "items":{"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IncidentID": { "type": "array", "items": {"$ref": "#/definitions/IncidentID"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "ThreatActor": { "type": "array", "items": {"$ref": "#/definitions/ThreatActor"}, "minItems": 1}, "Campaign": { "type": "array", "items": {"$ref": "#/definitions/Campaign"}, "minItems": 1}, "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ThreatActorID": { Takahashi, et al. Expires August 13, 2020 [Page 57] Internet-Draft JSON-IODEF February 2020 "type": "array", "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "CampaignID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum":["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "ContactName": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, Takahashi, et al. Expires August 13, 2020 [Page 58] Internet-Draft JSON-IODEF February 2020 "minItems": 1}, "ContactTitle": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "RegistryHandle": { "type":"array", "items":{"$ref":"#/definitions/RegistryHandle"}, "minItems": 1}, "PostalAddress": { "type":"array", "items":{"$ref":"#/definitions/PostalAddress"}, "minItems": 1}, "Email": { "type": "array", "items": {"$ref": "#/definitions/Email"}, "minItems": 1}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}, "minItems": 1}, "Timezone": {"$ref": "#/definitions/TimeZonetype"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic", "local","ext-value"]}, "ext-registry": {"type": "string"}}, "required": ["handle","registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": { "enum": ["street","mailing","ext-value"]}, Takahashi, et al. Expires August 13, 2020 [Page 59] Internet-Draft JSON-IODEF February 2020 "ext-type": {"type": "string"}, "PAddress": {"$ref": "#/definitions/PAddressType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Description": { Takahashi, et al. Expires August 13, 2020 [Page 60] Internet-Draft JSON-IODEF February 2020 "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "DetectionPattern": { "type":"array", "items":{"$ref":"#/definitions/DetectionPattern"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}, "minItems": 1}}, "allOf": [ {"required": ["Application"]}, {"oneOf": [ {"required":["Description"]}, {"required":["DetectionConfiguration"]}]}], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, Takahashi, et al. Expires August 13, 2020 [Page 61] Internet-Draft JSON-IODEF February 2020 "minItems": 1}, "AttackPattern": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "Vulnerability": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "Weakness": { "type":"array", "items":{"$ref":"#/definitions/StructuredInfo"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "ReferenceName": {"$ref":"#/definitions/ReferenceName"}, "URL":{ "type":"array", "items":{"$ref":"#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "ReferenceName" : { "type": "object", "properties": { "specIndex": {"type": "number"}, "ID": {"$ref":"#/definitions/IDtype"}}, "required": ["specIndex","ID"], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 62] Internet-Draft JSON-IODEF February 2020 "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Impact": { "type": "array", "items": { "properties": { "SystemImpact":{"$ref":"#/definitions/SystemImpact"}, "BusinessImpact":{"$ref":"#/definitions/BusinessImpact"}, "TimeImpact":{"$ref":"#/definitions/TimeImpact"}, "MonetaryImpact":{"$ref":"#/definitions/MonetaryImpact"}, "IntendedImpact":{"$ref":"#/definitions/BusinessImpact"}}, "additionalProperties":false}, "minItems" : 1 }, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "MitigatingFactor": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Cause": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Impact"], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { "severity": {"enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { "enum":["takeover-account","takeover-service", "takeover-system","cps-manipulation","cps-damage", "availability-data","availability-account", "availability-service","availability-system", "damaged-system","damaged-data","breach-proprietary", "breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic", "monitoring-host","policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { Takahashi, et al. Expires August 13, 2020 [Page 63] Internet-Draft JSON-IODEF February 2020 "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity": {"enum":["none","low","medium","high","unknown", "ext-value"],"default": "unknown"}, "ext-severity": {"type":"string"}, "type": {"enum":["breach-proprietary","breach-privacy", "breach-credential","loss-of-integrity","loss-of-service", "theft-financial","theft-service","degraded-reputation", "asset-damage","asset-manipulation","legal","extortion", "unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, "required": ["value","metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"$ref": "#/definitions/PositiveFloatType"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, "required": ["value"], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, "rating": {"enum": ["low","medium","high","numeric","unknown", "ext-value"]}, Takahashi, et al. Expires August 13, 2020 [Page 64] Internet-Draft JSON-IODEF February 2020 "ext-rating": {"type":"string"}}, "required": ["value","rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array", "items": {"$ref": "#/definitions/HistoryItem"}, "minItems": 1}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action": {"$ref": "#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array", "items": { "$ref":"#/definitions/MLStringType"}}, "DetectTime": {"$ref": "#/definitions/DATETIME"}, Takahashi, et al. Expires August 13, 2020 [Page 65] Internet-Draft JSON-IODEF February 2020 "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "RecoveryTime": {"$ref": "#/definitions/DATETIME"}, "ReportTime": {"$ref": "#/definitions/DATETIME"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Discovery": { "type": "array", "items": {"$ref": "#/definitions/Discovery"}, "minItems": 1}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { "type": "array", "items": {"$ref": "#/definitions/Method"}, "minItems": 1}, "System": { "type": "array", "items": {"$ref": "#/definitions/System"}, "minItems": 1}, "Expectation": { "type": "array", "items": {"$ref": "#/definitions/Expectation"}, "minItems": 1}, "RecordData": { "type": "array", "items": {"$ref": "#/definitions/RecordData"}, "minItems": 1}, "EventData": { "type": "array", "items": {"$ref": "#/definitions/EventData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Expectation": { "type": "object", "properties": { "action": {"$ref":"#/definitions/action","default": "other"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, "restriction": {"$ref": "#/definitions/restriction", "default": "default"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 66] Internet-Draft JSON-IODEF February 2020 "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "DefinedCOA": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor", "infrastructure","ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed": {"enum": ["unknown","yes","no"],"default":"unknown"}, "virtual": {"enum": ["yes","no","unknown"],"default":"unknown"}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "Service": { "type": "array", "items": {"$ref": "#/definitions/Service"}, "minItems": 1}, "OperatingSystem": { "type": "array", "items": {"$ref": "#/definitions/SoftwareType"}, "minItems": 1}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}, "minItems": 1}, "AssetID": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 67] Internet-Draft JSON-IODEF February 2020 "items": {"type": "string"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array", "items": {"$ref": "#/definitions/DomainData"}, "minItems": 1}, "Address": { "type": "array", "items": {"$ref": "#/definitions/Address"}, "minItems": 1}, "PostalAddress": {"$ref": "#/definitions/PostalAddress"}, "Location": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Counter": { "type":"array", "items":{"$ref":"#/definitions/Counter"}, "minItems": 1}}, "anyOf": [ {"required": ["DomainData"]}, {"required": ["Address"]} ], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": { "enum":["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-uri","ext-value"], "default": "ipv6-addr"}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["value","category"], Takahashi, et al. Expires August 13, 2020 [Page 68] Internet-Draft JSON-IODEF February 2020 "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","client-partner", "client-remote","client-kiosk","client-mobile", "server-internal","server-public","www","mail","webmail", "messaging","streaming","voice","file","ftp","p2p","name", "directory","credential","print","application","database", "backup","dhcp","assessment","source-control", "config-management","monitoring","infra","infra-firewall", "infra-router","infra-switch","camera","proxy", "remote-access","log","virtualization","pos", "scada", "scada-supervisory","sinkhole","honeypot","anomyzation", "c2-server","malware-distribution","drop-server", "hop-point","reflector","phishing-site", "spear-phishing-site","recruiting-site","fraudulent-site", "ext-value"]}, "ext-category": {"type": "string"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "number"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit":{"enum":["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration": {"$ref":"#/definitions/duration","default": "hour"}, "ext-duration": {"type": "string"}}, "required": ["value","type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { Takahashi, et al. Expires August 13, 2020 [Page 69] Internet-Draft JSON-IODEF February 2020 "enum": [ "reservedDelegation","assignedAndActive", "assignedAndInactive","assignedAndOnHold","revoked", "transferPending","registryLock","registrarLock", "other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "NameServers": { "type": "array", "items": {"$ref": "#/definitions/NameServers"}, "minItems": 1}, "DomainContacts": {"$ref": "#/definitions/DomainContacts"}}, "required": ["Name","system-status","domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": { "type":"array", "items":{"$ref":"#/definitions/Address"}, "minItems": 1}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, "Contact": { "type":"array", "items":{"$ref":"#/definitions/Contact"}, "minItems": 1}}, "oneOf": [ {"required": ["SameDomainContact"]}, {"required": ["Contact"]}], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "number"}, "observable-id": {"$ref": "#/definitions/IDtype"}, Takahashi, et al. Expires August 13, 2020 [Page 70] Internet-Draft JSON-IODEF February 2020 "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "number"}, "Portlist": {"$ref": "#/definitions/PortlistType"}, "ProtoCode": {"type": "number"}, "ProtoType": {"type": "number"}, "ProtoField": {"type": "number"}, "ApplicationHeaderField":{ "$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array", "items": {"$ref": "#/definitions/HashData"}, "minItems": 1}, "Signature": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 71] Internet-Draft JSON-IODEF February 2020 "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array", "items": {"$ref": "#/definitions/RecordPattern"}, "minItems": 1}, "RecordItem": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "FileData": { "type": "array", "items": {"$ref": "#/definitions/FileData"}, "minItems": 1}, "WindowsRegistryKeysModified": { "type": "array", "items": {"$ref":"#/definitions/WindowsRegistryKeysModified"}, "minItems": 1}, "CertificateData": { "type":"array", "items":{"$ref":"#/definitions/CertificateData"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, Takahashi, et al. Expires August 13, 2020 [Page 72] Internet-Draft JSON-IODEF February 2020 "type": {"enum": ["regex","binary","xpath","ext-value"], "default": "regex"}, "ext-type": {"type": "string"}, "offset": {"type": "number"}, "offsetunit": {"enum":["line","byte","ext-value"] , "default": "line"}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "number"}}, "required": ["value","type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "Key": { "type": "array", "items": {"$ref": "#/definitions/Key"}, "minItems": 1}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array", "items": {"$ref": "#/definitions/Certificate"}, "minItems": 1}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { Takahashi, et al. Expires August 13, 2020 [Page 73] Internet-Draft JSON-IODEF February 2020 "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {"$ref": "#/definitions/BYTE"}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}}, "required": ["X509Data"], "additionalProperties": false}, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": { "type": "array", "items": {"$ref": "#/definitions/File"}, "minItems": 1}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "FileName": {"type": "string"}, "FileSize": {"type": "number"}, "FileType": {"type": "string"}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "HashData": {"$ref": "#/definitions/HashData"}, "Signature": { "type": "array", "items": {"$ref": "#/definitions/BYTE"}, "minItems": 1}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type":"array", "items":{"$ref":"#/definitions/ExtensionType"}, "minItems": 1}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", "properties": { "scope": {"enum": ["file-contents","file-pe-section", "file-pe-iat","file-pe-resource","file-pdf-object", Takahashi, et al. Expires August 13, 2020 [Page 74] Internet-Draft JSON-IODEF February 2020 "email-hash","email-headers-hash","email-body-hash", "ext-value"]}, "HashTargetID": {"type": "string"}, "Hash": { "type": "array", "items": {"$ref": "#/definitions/Hash"}, "minItems": 1}, "FuzzyHash": { "type": "array", "items": {"$ref": "#/definitions/FuzzyHash"}, "minItems": 1}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"$ref": "#/definitions/BYTE"}, "DigestValue": {"$ref": "#/definitions/BYTE"}, "CanonicalizationMethod": {"$ref": "#/definitions/BYTE"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}, "minItems": 1}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, Takahashi, et al. Expires August 13, 2020 [Page 75] Internet-Draft JSON-IODEF February 2020 "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}, "minItems": 1}, "Observable": {"$ref": "#/definitions/Observable"}, "uid-ref": {"$ref": "#/definitions/IDREFType"}, "IndicatorExpression":{ "$ref":"#/definitions/IndicatorExpression"}, "IndicatorReference":{ "$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array", "items": {"$ref": "#/definitions/NodeRole"}, "minItems": 1}, "AttackPhase": { "type": "array", "items": {"$ref": "#/definitions/AttackPhase"}, "minItems": 1}, "Reference": { "type": "array", "items": {"$ref": "#/definitions/Reference"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "allOf": [ {"required": ["IndicatorID"]}, {"oneOf": [ {"required":["Observable"]}, {"required":["uid-ref"]}, {"required":["IndicatorExpression"]}, {"required":["IndicatorReference"]}]}], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, "required": ["id","name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, Takahashi, et al. Expires August 13, 2020 [Page 76] Internet-Draft JSON-IODEF February 2020 "IndicatorID": { "type": "array", "items": {"$ref": "#/definitions/IndicatorID"}, "minItems": 1}}, "required": ["IndicatorID"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction", "default": "private"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RecordData": {"$ref": "#/definitions/RecordData"}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required":["System"]}, {"required":["Address"]}, {"required":["DomainData"]}, {"required":["EmailData"]}, {"required":["Service"]}, {"required":["WindowsRegistryKeysModified"]}, {"required":["FileData"]}, {"required":["CertificateData"]}, {"required":["RegistryHandle"]}, {"required":["RecordData"]}, {"required":["EventData"]}, {"required":["Incident"]}, {"required":["Expectation"]}, {"required":["Reference"]}, {"required":["Assessment"]}, Takahashi, et al. Expires August 13, 2020 [Page 77] Internet-Draft JSON-IODEF February 2020 {"required":["DetectionPattern"]}, {"required":["HistoryItem"]}, {"required":["BulkObservable"]}, {"required":["AdditionalData"]}], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask", "mac","site-uri","domain-name","domain-to-ipv4", "domain-to-ipv6","domain-to-ipv4-timestamp", "domain-to-ipv6-timestamp","ipv4-port","ipv6-port", "windows-reg-key","file-hash","email-x-mailer", "email-subject","http-user-agent","http-request-url", "mutex","file-path","user-name","ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormat":{ "$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "string"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["BulkObservableList"], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "oneOf": [ {"required": ["Hash"]}, {"required": ["AdditionalData"]} ], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator": {"enum": ["not","and","or","xor"],"default": "and"}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}, "minItems": 1}, "Observable": { "type": "array", "items": {"$ref": "#/definitions/Observable"}, "minItems": 1}, "uid-ref": { "type": "array", Takahashi, et al. Expires August 13, 2020 [Page 78] Internet-Draft JSON-IODEF February 2020 "items": {"$ref": "#/definitions/IDREFType"}, "minItems": 1}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}, "minItems": 1}, "Confidence": {"$ref":"#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"$ref":"#/definitions/IDREFType"}, "euid-ref": {"type": "string"}, "version": {"type": "string"}}, "oneOf": [ {"required": ["uid-ref"]}, {"required": ["euid-ref"]} ], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": { "type": "array", "items": {"type": "string"}, "minItems": 1}, "URL": { "type": "array", "items": {"$ref": "#/definitions/URLtype"}, "minItems": 1}, "Description": { "type": "array", "items": {"$ref": "#/definitions/MLStringType"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, Takahashi, et al. Expires August 13, 2020 [Page 79] Internet-Draft JSON-IODEF February 2020 "Incident": { "type": "array", "items": {"$ref": "#/definitions/Incident"}, "minItems": 1}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} Figure 11: JSON schema Authors' Addresses Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Roman Danyliw CERT, Software Engineering Institute, Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA USA Email: rdd@cert.org Mio Suzuki National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp Takahashi, et al. Expires August 13, 2020 [Page 80]