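[Summary] RFC 8727 is a specification for the JSON binding of the Incident Object Description Exchange Format. The purpose of this RFC is to provide a data binding in JSON so that incident information can be exchanged and shared efficiently.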

Internet Engineering Task Force (IETF)                      T. Takahashi
Request for Comments: 8727                                          NICT
Category: Standards Track                                     R. Danyliw
ISSN: 2070-1721                                                     CERT
                                                               M. Suzuki
                                                                    NICT
                                                             August 2020
        

JSON Binding of the Incident Object Description Exchange Format

Abstract

The Incident Object Description Exchange Format (IODEF) defined in RFC 7970 provides an information model and a corresponding XML data model for exchanging incident and indicator information. This document gives implementers and operators an alternative format to exchange the same information by defining an alternative data model implementation in JSON and its encoding in Concise Binary Object Representation (CBOR).

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8727.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  IODEF Data Types
     2.1.  Abstract Data Type to JSON Data Type Mapping
     2.2.  Complex JSON Types
       2.2.1.  Integer
       2.2.2.  Multilingual Strings
       2.2.3.  Enum
       2.2.4.  Software and Software Reference
       2.2.5.  Structured Information
       2.2.6.  EXTENSION
   3.  IODEF JSON Data Model
     3.1.  Classes and Elements
     3.2.  Mapping between JSON and XML IODEF
   4.  Examples
     4.1.  Minimal Example
     4.2.  Indicators from a Campaign
   5.  Mapkeys
   6.  The IODEF Data Model (CDDL)
   7.  IANA Considerations
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Data Types Used in This Document
   Appendix B.  The IODEF Data Model (JSON Schema)
   Acknowledgments
   Authors' Addresses

1. Introduction

The Incident Object Description Exchange Format (IODEF) [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. An information model using Unified Modeling Language (UML) is defined in Section 3 of [RFC7970] and a corresponding Extensible Markup Language (XML) schema data model is defined in Section 8 of [RFC7970]. This UML-based information model and XML-based data model are referred to as IODEF UML and IODEF XML, respectively, in this document.

IODEF documents are structured and thus suitable for machine processing. They will streamline incident response operations. Another well-used and structured format that is suitable for machine processing is JavaScript Object Notation (JSON) [RFC8259]. To facilitate the automation of incident response operations, IODEF documents and implementations should support JSON representation and its encoding in Concise Binary Object Representation (CBOR) [RFC7049].

This document defines an alternate implementation of the IODEF UML information model by specifying a JSON data model using Concise Data Definition Language (CDDL) [RFC8610] and a JSON Schema [JSON-SCHEMA]. This JSON data model is referred to as IODEF JSON in this document. IODEF JSON provides all of the expressivity of IODEF XML. It gives implementers and operators an alternative format to exchange the same information.

The normative IODEF JSON data model is found in Section 6. Sections 2 and 3 describe the data types and elements of this data model. Section 4 provides examples.

1.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. IODEF Data Types

IODEF JSON implements the abstract data types specified in Section 2 of [RFC7970].

2.1. Abstract Data Type to JSON Data Type Mapping

IODEF JSON uses native and derived JSON data types. Table 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON.

   +=================+==========================+================+
   | IODEF Data Type | Reference                | JSON Data Type |
   +=================+==========================+================+
   | INTEGER         | Section 2.1 of [RFC7970] | integer; see   |
   |                 |                          | Section 2.2.1  |
   +-----------------+--------------------------+----------------+
   | REAL            | Section 2.2 of [RFC7970] | "number" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | CHARACTER       | Section 2.3 of [RFC7970] | "string" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | STRING          | Section 2.3 of [RFC7970] | "string" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | ML_STRING       | Section 2.4 of [RFC7970] | see            |
   |                 |                          | Section 2.2.2  |
   +-----------------+--------------------------+----------------+
   | BYTE            | Section 2.5.1 of         | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | BYTE[]          | Section 2.5.1 of         | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | HEXBIN          | Section 2.5.2 of         | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | HEXBIN[]        | Section 2.5.2 of         | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | ENUM            | Section 2.6 of [RFC7970] | see            |
   |                 |                          | Section 2.2.3  |
   +-----------------+--------------------------+----------------+
   | DATETIME        | Section 2.7 of [RFC7970] | "string" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | TIMEZONE        | Section 2.8 of [RFC7970] | "string" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | PORTLIST        | Section 2.9 of [RFC7970] | "string" per   |
   |                 |                          | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | POSTAL          | Section 2.10 of          | ML_STRING; see |
   |                 | [RFC7970]                | Section 2.2.2  |
   +-----------------+--------------------------+----------------+
   | PHONE           | Section 2.11 of          | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | EMAIL           | Section 2.12 of          | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | URL             | Section 2.13 of          | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | ID              | Section 2.14 of          | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | IDREF           | Section 2.14 of          | "string" per   |
   |                 | [RFC7970]                | [RFC8259]      |
   +-----------------+--------------------------+----------------+
   | SOFTWARE        | Section 2.15 of          | see            |
   |                 | [RFC7970]                | Section 2.2.4  |
   +-----------------+--------------------------+----------------+
   | STRUCTUREDINFO  | Section 4.4 of [RFC7203] | see            |
   |                 |                          | Section 2.2.5  |
   +-----------------+--------------------------+----------------+
   | EXTENSION       | Section 2.16 of          | see            |
   |                 | [RFC7970]                | Section 2.2.6  |
   +-----------------+--------------------------+----------------+
        

Table 1: JSON Data Types

   +=================+================+=============================+
   | IODEF Data Type | CBOR Data Type | CDDL Prelude [RFC8610]      |
   +=================+================+=============================+
   | INTEGER         | 0, 1, 6 tag 2, | integer                     |
   |                 | 6 tag 3        |                             |
   +-----------------+----------------+-----------------------------+
   | REAL            | 7 bits 26      | float32                     |
   +-----------------+----------------+-----------------------------+
   | CHARACTER       | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | STRING          | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | ML_STRING       | 5              | Maps/Structs (Section 3.5.1 |
   |                 |                | of [RFC8610])               |
   +-----------------+----------------+-----------------------------+
   | BYTE            | 6 tag 22       | eb64legacy                  |
   +-----------------+----------------+-----------------------------+
   | BYTE[]          | 6 tag 22       | eb64legacy                  |
   +-----------------+----------------+-----------------------------+
   | HEXBIN          | 6 tag 23       | eb16                        |
   +-----------------+----------------+-----------------------------+
   | HEXBIN[]        | 6 tag 23       | eb16                        |
   +-----------------+----------------+-----------------------------+
   | ENUM            | -              | Choices (Section 2.2.2 of   |
   |                 |                | [RFC8610])                  |
   +-----------------+----------------+-----------------------------+
   | DATETIME        | 6 tag 0        | tdate                       |
   +-----------------+----------------+-----------------------------+
   | TIMEZONE        | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | PORTLIST        | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | POSTAL          | 3              | ML_STRING (Section 2.2.2)   |
   +-----------------+----------------+-----------------------------+
   | PHONE           | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | EMAIL           | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | URL             | 6 tag 32       | uri                         |
   +-----------------+----------------+-----------------------------+
   | ID              | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | IDREF           | 3              | text                        |
   +-----------------+----------------+-----------------------------+
   | SOFTWARE        | 5              | Maps/Structs (Section 3.5.1 |
   |                 |                | of [RFC8610])               |
   +-----------------+----------------+-----------------------------+
   | STRUCTUREDINFO  | 5              | Maps/Structs (Section 3.5.1 |
   |                 |                | of [RFC8610])               |
   +-----------------+----------------+-----------------------------+
   | EXTENSION       | 5              | Maps/Structs (Section 3.5.1 |
   |                 |                | of [RFC8610])               |
   +-----------------+----------------+-----------------------------+
        

Table 2: CBOR Data Types

2.2. Complex JSON Types

2.2.1. Integer

An integer is a subset of the "number" type of JSON, which represents signed digits encoded in Base 10. The definition of this integer is "[ minus ] int" per [RFC8259], Section 6.

2.2.2. Multilingual Strings

A string that needs to be represented in a human-readable language different from the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as either an object with "value", "lang", and "translation-id" elements or a text string as defined in Section 6. An example is shown below.

   "MLStringType": {
     "value": "free-form text",                              # STRING
     "lang": "en",                                             # ENUM
     "translation-id": "jp2en0023"                           # STRING
   }
        

Note that in figures throughout this document, some supplementary information follows "#", but these are not valid syntax in JSON; instead, they are intended to facilitate reader understanding.

2.2.3. Enum

Enum is an ordered list of acceptable string values. Each value has a representative keyword. Within the data model, the enumerated type keywords are used as attribute values.

2.2.4. Software and Software Reference

A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a Uniform Resource Locator (URL) [RFC3986], or free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", and "Description" elements as defined in Section 6. Examples are shown below.

   "SoftwareType": {
     "SoftwareReference": {...},                  # SoftwareReference
     "Description": ["MS Windows"]                           # STRING
   }
        

SoftwareReference class is a reference to a particular version of software. Examples are shown below.

   "SoftwareReference": {
     "value": "cpe:/a:google:chrome:59.0.3071.115",          # STRING
     "spec-name": "cpe",                                       # ENUM
     "dtype": "string"                                         # ENUM
   }
        
2.2.5. Structured Information

Information provided in the form of a structured string, such as an ID, or structured information, such as XML documents, is represented in the information model by the STRUCTUREDINFO data type. Note that this type was originally specified in Section 4.4 of [RFC7203] as a basic structure of its extension classes. The STRUCTUREDINFO data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", and "Reference" elements. An example for embedding a structured ID is shown below.

   "STRUCTUREDINFO": {
     "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",          # ENUM
     "ContentID": "CWE-89"                                   # STRING
   }
        

When embedding the raw data, it should be encoded as a BYTE type object, as shown below.

   "STRUCTUREDINFO": {
     "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",        # ENUM
     "RawData": "<<< encoded structured data >>>"              # BYTE
   }
        

When embedding the raw data, base64 encoding defined in Section 4 of [RFC4648] MUST be used for JSON IODEF while binary representation MUST be used for CBOR IODEF.
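
Added example (not part of RFC 8727 or of any IODEF implementation): a receiver-side check in Python for the ML_STRING and STRUCTUREDINFO types of Sections 2.2.2 and 2.2.5, including strict RFC 4648 Section 4 decoding of RawData in IODEF JSON. The function names, the rejection of unknown elements, and treating "value" and "SpecID" as mandatory are assumptions of this example.

```python
import base64
import binascii
import json

# Element names as listed in Sections 2.2.2 and 2.2.5 above.
ML_STRING_KEYS = ("value", "lang", "translation-id")
STRUCTUREDINFO_KEYS = ("SpecID", "ext-SpecID", "ContentID", "RawData", "Reference")


class IodefTypeError(ValueError):
    """A value does not fit the IODEF JSON type being checked."""


def _reject_unknown(node, allowed, type_name):
    # Receiver policy chosen for this example: unknown element names are an error.
    unknown = sorted(set(node) - set(allowed))
    if unknown:
        raise IodefTypeError(f"{type_name}: unexpected elements {unknown}")


def normalize_ml_string(node):
    """Accept ML_STRING as bare text or as an object; return one uniform dict."""
    if isinstance(node, str):
        return {"value": node, "lang": None, "translation-id": None}
    if not isinstance(node, dict):
        raise IodefTypeError("ML_STRING must be a text string or an object")
    _reject_unknown(node, ML_STRING_KEYS, "ML_STRING")
    # Assumption: "value" must be present; the other two elements are optional.
    if not isinstance(node.get("value"), str):
        raise IodefTypeError("ML_STRING object needs a string 'value'")
    for key in ML_STRING_KEYS[1:]:
        if key in node and not isinstance(node[key], str):
            raise IodefTypeError(f"ML_STRING '{key}' must be a string")
    return {key: node.get(key) for key in ML_STRING_KEYS}


def decode_rawdata(text):
    """Decode RawData from IODEF JSON with the RFC 4648 Section 4 alphabet only.

    validate=True rejects whitespace, the URL-safe alphabet and bad padding
    instead of silently skipping characters, so what is decoded is exactly
    what the sender encoded.
    """
    if not isinstance(text, str):
        raise IodefTypeError("RawData must be a JSON string in IODEF JSON")
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise IodefTypeError(f"RawData is not RFC 4648 base64: {exc}") from exc


def check_structuredinfo(node):
    """Validate a STRUCTUREDINFO object and return it with RawData decoded."""
    if not isinstance(node, dict):
        raise IodefTypeError("STRUCTUREDINFO must be an object")
    _reject_unknown(node, STRUCTUREDINFO_KEYS, "STRUCTUREDINFO")
    # Assumption: SpecID is mandatory (both figures above carry it).
    if not isinstance(node.get("SpecID"), str):
        raise IodefTypeError("STRUCTUREDINFO needs a string 'SpecID'")
    raw = decode_rawdata(node["RawData"]) if "RawData" in node else None
    return {"SpecID": node["SpecID"], "ContentID": node.get("ContentID"), "RawData": raw}


# Constructed sample: the two STRUCTUREDINFO figures above as real JSON (no "#"
# annotations), with a constructed payload b"<a/>" standing in for the raw data.
SAMPLE_DOCUMENT = json.dumps({
    "by-id": {"SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3", "ContentID": "CWE-89"},
    "by-raw": {"SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",
               "RawData": base64.b64encode(b"<a/>").decode("ascii")},
    "text": {"value": "free-form text", "lang": "en", "translation-id": "jp2en0023"},
})


def parse_sample(document=SAMPLE_DOCUMENT):
    """Parse the constructed sample and return the checked values."""
    data = json.loads(document)
    return {
        "by-id": check_structuredinfo(data["by-id"]),
        "by-raw": check_structuredinfo(data["by-raw"]),
        "text": normalize_ml_string(data["text"]),
    }


if __name__ == "__main__":
    for name, value in parse_sample().items():
        print(name, value)
```

For IODEF CBOR the same element carries the bytes directly, so a CBOR receiver would skip `decode_rawdata` and require a byte string instead.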

2.2.6. EXTENSION

Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism. The EXTENSION data type is implemented as an ExtensionType object with "value", "name", "dtype", "ext-dtype", "meaning", "formatid", "restriction", "ext-restriction", and "observable-id" elements. An example for embedding a structured ID is shown below.

   "ExtensionType": {
     "value": "xxxxxxx",                                     # STRING
     "name": "Syslog",                                       # STRING
     "dtype": "string",                                        # ENUM
     "meaning": "Syslog from the security appliance X"       # STRING
   }
        

Note that this data type is specified in [RFC7970] as its generic extension mechanism. If a data item has internal structure that is intended to be processed outside of the IODEF framework, one may consider using the STRUCTUREDINFO data type mentioned in Section 2.2.5.

3. IODEF JSON Data Model

3.1. Classes and Elements

The following table shows the list of IODEF classes and their elements and the corresponding sections in [RFC7970]. Note that the complete JSON schema is defined in Section 6 using CDDL.

   +===========================+============================+==========+
   | IODEF Class               | Class, Element, and        |Section in|
   |                           | Attribute                  |[RFC7970] |
   +===========================+============================+==========+
   | IODEF-Document            | version                    | 3.1      |
   |                           | lang?                      |          |
   |                           | format-id?                 |          |
   |                           | private-enum-name?         |          |
   |                           | private-enum-id?           |          |
   |                           | Incident+                  |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Incident                  | purpose                    | 3.2      |
   |                           | ext-purpose?               |          |
   |                           | status?                    |          |
   |                           | ext-status?                |          |
   |                           | lang?                      |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | IncidentID                 |          |
   |                           | AlternativeID?             |          |
   |                           | RelatedActivity*           |          |
   |                           | DetectTime?                |          |
   |                           | StartTime?                 |          |
   |                           | EndTime?                   |          |
   |                           | RecoveryTime?              |          |
   |                           | ReportTime?                |          |
   |                           | GenerationTime             |          |
   |                           | Description*               |          |
   |                           | Discovery*                 |          |
   |                           | Assessment*                |          |
   |                           | Method*                    |          |
   |                           | Contact+                   |          |
   |                           | EventData*                 |          |
   |                           | Indicator*                 |          |
   |                           | History?                   |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | IncidentID                | id                         | 3.4      |
   |                           | name                       |          |
   |                           | instance?                  |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   +---------------------------+----------------------------+----------+
   | AlternativeID             | restriction?               | 3.5      |
   |                           | ext-restriction?           |          |
   |                           | IncidentID+                |          |
   +---------------------------+----------------------------+----------+
   | RelatedActivity           | restriction?               | 3.6      |
   |                           | ext-restriction?           |          |
   |                           | IncidentID*                |          |
   |                           | URL*                       |          |
   |                           | ThreatActor*               |          |
   |                           | Campaign*                  |          |
   |                           | IndicatorID*               |          |
   |                           | Confidence?                |          |
   |                           | Description*               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | ThreatActor               | restriction?               | 3.7      |
   |                           | ext-restriction?           |          |
   |                           | ThreatActorID*             |          |
   |                           | URL*                       |          |
   |                           | Description*               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Campaign                  | restriction?               | 3.8      |
   |                           | ext-restriction?           |          |
   |                           | CampaignID*                |          |
   |                           | URL*                       |          |
   |                           | Description*               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Contact                   | role                       | 3.9      |
   |                           | ext-role?                  |          |
   |                           | type                       |          |
   |                           | ext-type?                  |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | ContactName*               |          |
   |                           | ContactTitle*              |          |
   |                           | Description*               |          |
   |                           | RegistryHandle*            |          |
   |                           | PostalAddress*             |          |
   |                           | Email*                     |          |
   |                           | Telephone*                 |          |
   |                           | Timezone?                  |          |
   |                           | Contact*                   |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | RegistryHandle            | handle                     | 3.9.1    |
   |                           | registry                   |          |
   |                           | ext-registry?              |          |
   +---------------------------+----------------------------+----------+
   | PostalAddress             | type?                      | 3.9.2    |
   |                           | ext-type?                  |          |
   |                           | PAddress                   |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | Email                     | type?                      | 3.9.3    |
   |                           | ext-type?                  |          |
   |                           | EmailTo                    |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | Telephone                 | type?                      | 3.9.4    |
   |                           | ext-type?                  |          |
   |                           | TelephoneNumber            |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | Discovery                 | source?                    | 3.10     |
   |                           | ext-source?                |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | Description*               |          |
   |                           | Contact*                   |          |
   |                           | DetectionPattern*          |          |
   +---------------------------+----------------------------+----------+
   | DetectionPattern          | restriction?               | 3.10.1   |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | Application                |          |
   |                           | Description*               |          |
   |                           | DetectionConfiguration*    |          |
   +---------------------------+----------------------------+----------+
   | Method                    | restriction?               | 3.11     |
   |                           | ext-restriction?           |          |
   |                           | Reference*                 |          |
   |                           | Description*               |          |
   |                           | AttackPattern*             |          |
   |                           | Vulnerability*             |          |
   |                           | Weakness*                  |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Weakness                  | restriction?               | 4.5.5 in |
   |                           | ext-restriction?           |[RFC7203] |
   +---------------------------+----------------------------+----------+
   | Reference                 | observable-id?             | 3.11.1   |
   |                           | ReferenceName?             |          |
   |                           | URL*                       |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | Assessment                | occurrence?                | 3.12     |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | IncidentCategory*          |          |
   |                           | SystemImpact*              |          |
   |                           | BusinessImpact*            |          |
   |                           | TimeImpact*                |          |
   |                           | MonetaryImpact*            |          |
   |                           | IntendedImpact*            |          |
   |                           | Counter*                   |          |
   |                           | MitigatingFactor*          |          |
   |                           | Cause*                     |          |
   |                           | Confidence?                |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | SystemImpact              | severity?                  | 3.12.1   |
   |                           | completion?                |          |
   |                           | type                       |          |
   |                           | ext-type?                  |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | BusinessImpact            | severity?                  | 3.12.2   |
   |                           | ext-severity?              |          |
   |                           | type                       |          |
   |                           | ext-type?                  |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | TimeImpact                | value                      | 3.12.3   |
   |                           | severity?                  |          |
   |                           | metric                     |          |
   |                           | ext-metric?                |          |
   |                           | duration?                  |          |
   |                           | ext-duration?              |          |
   +---------------------------+----------------------------+----------+
   | MonetaryImpact            | value                      | 3.12.4   |
   |                           | severity?                  |          |
   |                           | currency?                  |          |
   +---------------------------+----------------------------+----------+
   | Confidence                | value                      | 3.12.5   |
   |                           | rating                     |          |
   |                           | ext-rating?                |          |
   +---------------------------+----------------------------+----------+
   | History                   | restriction?               | 3.13     |
   |                           | ext-restriction?           |          |
   |                           | HistoryItem+               |          |
   +---------------------------+----------------------------+----------+
   | HistoryItem               | action                     | 3.13.1   |
   |                           | ext-action?                |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | DateTime                   |          |
   |                           | IncidentID?                |          |
   |                           | Contact?                   |          |
   |                           | Description*               |          |
   |                           | DefinedCOA*                |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | EventData                 | restriction?               | 3.14     |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | Description*               |          |
   |                           | DetectTime?                |          |
   |                           | StartTime?                 |          |
   |                           | EndTime?                   |          |
   |                           | RecoveryTime?              |          |
   |                           | ReportTime?                |          |
   |                           | Contact*                   |          |
   |                           | Discovery*                 |          |
   |                           | Assessment?                |          |
   |                           | Method*                    |          |
   |                           | System*                    |          |
   |                           | Expectation*               |          |
   |                           | RecordData*                |          |
   |                           | EventData*                 |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Expectation               | action?                    | 3.15     |
   |                           | ext-action?                |          |
   |                           | severity?                  |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | Description*               |          |
   |                           | DefinedCOA*                |          |
   |                           | StartTime?                 |          |
   |                           | EndTime?                   |          |
   |                           | Contact?                   |          |
   +---------------------------+----------------------------+----------+
   | System                    | category?                  | 3.17     |
   |                           | ext-category?              |          |
   |                           | interface?                 |          |
   |                           | spoofed?                   |          |
   |                           | virtual?                   |          |
   |                           | ownership?                 |          |
   |                           | ext-ownership?             |          |
   |                           | restriction?               |          |
   |                           | ext-restriction?           |          |
   |                           | Node                       |          |
   |                           | NodeRole*                  |          |
   |                           | Service*                   |          |
   |                           | OperatingSystem*           |          |
   |                           | Counter*                   |          |
   |                           | AssetID*                   |          |
   |                           | Description*               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Node                      | DomainData*                | 3.18     |
   |                           | Address*                   |          |
   |                           | PostalAddress?             |          |
   |                           | Location*                  |          |
   |                           | Counter*                   |          |
   +---------------------------+----------------------------+----------+
   | Address                   | value                      | 3.18.1   |
   |                           | category                   |          |
   |                           | ext-category?              |          |
   |                           | vlan-name?                 |          |
   |                           | vlan-num?                  |          |
   |                           | observable-id?             |          |
   +---------------------------+----------------------------+----------+
   | NodeRole                  | category                   | 3.18.2   |
   |                           | ext-category?              |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | Counter                   | value                      | 3.18.3   |
   |                           | type                       |          |
   |                           | ext-type?                  |          |
   |                           | unit                       |          |
   |                           | ext-unit?                  |          |
   |                           | meaning?                   |          |
   |                           | duration?                  |          |
   |                           | ext-duration?              |          |
   +---------------------------+----------------------------+----------+
   | DomainData                | system-status              | 3.19     |
   |                           | ext-system-status?         |          |
   |                           | domain-status              |          |
   |                           | ext-domain-status?         |          |
   |                           | observable-id?             |          |
   |                           | Name                       |          |
   |                           | DateDomainWasChecked?      |          |
   |                           | RegistrationDate?          |          |
   |                           | ExpirationDate?            |          |
   |                           | RelatedDNS*                |          |
   |                           | Nameservers*               |          |
   |                           | DomainContacts?            |          |
   +---------------------------+----------------------------+----------+
   | Nameservers               | Server                     | 3.19.1   |
   |                           | Address*                   |          |
   +---------------------------+----------------------------+----------+
   | DomainContacts            | SameDomainContact?         | 3.19.2   |
   |                           | Contact+                   |          |
   +---------------------------+----------------------------+----------+
   | Service                   | ip-protocol?               | 3.20     |
   |                           | observable-id?             |          |
   |                           | ServiceName?               |          |
   |                           | Port?                      |          |
   |                           | Portlist?                  |          |
   |                           | ProtoCode?                 |          |
   |                           | ProtoType?                 |          |
   |                           | ProtoField?                |          |
   |                           | ApplicationHeaderField*    |          |
   |                           | EmailData?                 |          |
   |                           | Application?               |          |
   +---------------------------+----------------------------+----------+
   | ServiceName               | IANAService?               | 3.20.1   |
   |                           | URL*                       |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | EmailData                 | observable-id?             | 3.21     |
   |                           | EmailTo*                   |          |
   |                           | EmailFrom?                 |          |
   |                           | EmailSubject?              |          |
   |                           | EmailX-Mailer?             |          |
   |                           | EmailHeaderField*          |          |
   |                           | EmailHeaders?              |          |
   |                           | EmailBody?                 |          |
   |                           | EmailMessage?              |          |
   |                           | HashData*                  |          |
   |                           | Signature*                 |          |
   +---------------------------+----------------------------+----------+
   | RecordData                | restriction?               | 3.22.1   |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | DateTime?                  |          |
   |                           | Description*               |          |
   |                           | Application?               |          |
   |                           | RecordPattern*             |          |
   |                           | RecordItem*                |          |
   |                           | URL*                       |          |
   |                           | FileData*                  |          |
   |                           |WindowsRegistryKeysModified*|          |
   |                           | CertificateData*           |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | RecordPattern             | type                       | 3.22.2   |
   |                           | ext-type?                  |          |
   |                           | offset?                    |          |
   |                           | offsetunit?                |          |
   |                           | ext-offsetunit?            |          |
   |                           | instance?                  |          |
   |                           | value                      |          |
   +---------------------------+----------------------------+----------+
   |WindowsRegistryKeysModified| observable-id?             | 3.23     |
   |                           | Key+                       |          |
   +---------------------------+----------------------------+----------+
   | Key                       | registryaction?            | 3.23.1   |
   |                           | ext-registryaction?        |          |
   |                           | observable-id?             |          |
   |                           | KeyName                    |          |
   |                           | KeyValue?                  |          |
   +---------------------------+----------------------------+----------+
   | CertificateData           | restriction?               | 3.24     |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | Certificate+               |          |
   +---------------------------+----------------------------+----------+
   | Certificate               | observable-id?             | 3.24.1   |
   |                           | X509Data                   |          |
   |                           | Description*               |          |
   +---------------------------+----------------------------+----------+
   | FileData                  | restriction?               | 3.25     |
   |                           | ext-restriction?           |          |
   |                           | observable-id?             |          |
   |                           | File+                      |          |
   +---------------------------+----------------------------+----------+
   | File                      | observable-id?             | 3.25.1   |
   |                           | FileName?                  |          |
   |                           | FileSize?                  |          |
   |                           | FileType?                  |          |
   |                           | URL*                       |          |
   |                           | HashData?                  |          |
   |                           | Signature*                 |          |
   |                           | AssociatedSoftware?        |          |
   |                           | FileProperties*            |          |
   +---------------------------+----------------------------+----------+
   | HashData                  | scope                      | 3.26     |
   |                           | HashTargetID?              |          |
   |                           | Hash*                      |          |
   |                           | FuzzyHash*                 |          |
   +---------------------------+----------------------------+----------+
   | Hash                      | DigestMethod               | 3.26.1   |
   |                           | DigestValue                |          |
   |                           | CanonicalizationMethod?    |          |
   |                           | Application?               |          |
   +---------------------------+----------------------------+----------+
   | FuzzyHash                 | FuzzyHashValue+            | 3.26.2   |
   |                           | Application?               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | Indicator                 | restriction?               | 3.29     |
   |                           | ext-restriction?           |          |
   |                           | IndicatorID                |          |
   |                           | AlternativeIndicatorID*    |          |
   |                           | Description*               |          |
   |                           | StartTime?                 |          |
   |                           | EndTime?                   |          |
   |                           | Confidence?                |          |
   |                           | Contact*                   |          |
   |                           | Observable?                |          |
   |                           | uid-ref?                   |          |
   |                           | IndicatorExpression?       |          |
   |                           | IndicatorReference?        |          |
   |                           | NodeRole*                  |          |
   |                           | AttackPhase*               |          |
   |                           | Reference*                 |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | IndicatorID               | id                         | 3.29.1   |
   |                           | name                       |          |
   |                           | version                    |          |
   +---------------------------+----------------------------+----------+
   | AlternativeIndicatorID    | restriction?               | 3.29.2   |
   |                           | ext-restriction?           |          |
   |                           | IndicatorID+               |          |
   +---------------------------+----------------------------+----------+
   | Observable                | restriction?               | 3.29.3   |
   |                           | ext-restriction?           |          |
   |                           | System?                    |          |
   |                           | Address?                   |          |
   |                           | DomainData?                |          |
   |                           | Service?                   |          |
   |                           | EmailData?                 |          |
   |                           |WindowsRegistryKeysModified?|          |
   |                           | FileData?                  |          |
   |                           | CertificateData?           |          |
   |                           | RegistryHandle?            |          |
   |                           | RecordData?                |          |
   |                           | EventData?                 |          |
   |                           | Incident?                  |          |
   |                           | Expectation?               |          |
   |                           | Reference?                 |          |
   |                           | Assessment?                |          |
   |                           | DetectionPattern?          |          |
   |                           | HistoryItem?               |          |
   |                           | BulkObservable?            |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | BulkObservable            | type?                      | 3.29.3.1 |
   |                           | ext-type?                  |          |
   |                           | BulkObservableFormat?      |          |
   |                           | BulkObservableList         |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | BulkObservableFormat      | Hash?                      |3.29.3.1.1|
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | IndicatorExpression       | operator?                  | 3.29.4   |
   |                           | ext-operator?              |          |
   |                           | IndicatorExpression*       |          |
   |                           | Observable*                |          |
   |                           | uid-ref*                   |          |
   |                           | IndicatorReference*        |          |
   |                           | Confidence?                |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
   | IndicatorReference        | uid-ref?                   | 3.29.7   |
   |                           | euid-ref?                  |          |
   |                           | version?                   |          |
   +---------------------------+----------------------------+----------+
   | AttackPhase               | AttackPhaseID*             | 3.29.8   |
   |                           | URL*                       |          |
   |                           | Description*               |          |
   |                           | AdditionalData*            |          |
   +---------------------------+----------------------------+----------+
        

Table 3: IODEF Classes

3.2. Mapping between JSON and XML IODEF

* Attributes and elements of each class in the XML IODEF document are both presented as JSON attributes in the JSON IODEF document, and the order of their appearances is ignored.

* Flow class is deleted, and classes with its instances now directly have instances of the EventData class that used to belong to the Flow class.

* ApplicationHeader class is deleted, and classes with its instances now directly have instances of the ApplicationHeaderField class that used to belong to the ApplicationHeader class.

* SignatureData class is deleted, and classes with its instances now directly have instances of the Signature class that used to belong to the SignatureData class.

* IndicatorData class is deleted, and classes with its instances now directly have instances of the Indicator class that used to belong to the IndicatorData class.

* ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element.

* Record class is deleted, and classes with its instances now directly have instances of the RecordData class that used to belong to the Record class.

* The MLStringType was modified to support simple string by allowing the type to have not only a predefined object type but also a text type, in order to allow simple descriptions of elements of the type. Implementations need to be capable of parsing an MLStringType that could take the form of both text and an object.

* The elements of the ML_STRING type in the XML IODEF document are presented as either STRING type or ML_STRING type in the JSON IODEF document. When converting from the XML IODEF document to the JSON IODEF document, or vice versa, the information contained in the original data of the ML_STRING type must be preserved. When STRING is used instead of ML_STRING, parsers can assume that its "xml:lang" is set to "en".

* Data models of the extension classes defined by [RFC7203] and referenced by [RFC7970] are represented by the STRUCTUREDINFO class defined in this document.

* Signature, X509Data, and RawData are encoded using base64 encoding for JSON IODEF and binary representation for CBOR IODEF to represent them as BYTE objects.

* EmailBody represents a whole message body including MIME structure in the same manner defined in [RFC7970]. In case of an email composed of a MIME multipart, the EmailBody contains multiple body parts separated by boundary strings.

* The "ipv6-net-mask" type attribute of the BulkObservable class remains available for the purpose of backward compatibility, but the use of this attribute is not recommended because IPv6 does not use netmask any more.

* ENUM values in this document are extensible and managed by IANA, which is also the case in [RFC7970]. The values in the table are used both by [RFC7970] implementations and by their JSON (and CBOR) bindings as specified by this document.

* This document uses JSON's "number" type to represent integers that only have full precision for integer values between -2^(53) and 2^(53). When dealing with integers outside the range, this issue needs to be considered.

* Binaries are encoded in bytes. Note that XML IODEF in [RFC7970] uses HEXBIN due to the incapability of XML for embedding binaries as they are.
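
The parsing rules in the list above (ML_STRING accepted as text or as an object, base64 for BYTE members, the 2^53 integer limit) applied by a small reader; this is an added Python example, not code from the RFC. The object-form member names "value" and "lang", the choice of Description as the ML_STRING element, and the sample document are assumptions constructed here.

```python
import base64
import binascii
import json

MAX_SAFE = 2 ** 53                                  # integer range named in the mapping notes
BYTE_FIELDS = {"Signature", "X509Data", "RawData"}  # base64 text in JSON IODEF
ML_STRING_FIELDS = {"Description"}                  # assumption: one ML_STRING element, for brevity


def _checked_int(literal):
    """json.loads hook: refuse integers that a double-based JSON parser would round."""
    value = int(literal)
    if abs(value) > MAX_SAFE:
        raise ValueError(f"integer {literal} is outside -2^53..2^53")
    return value


def normalize_mlstring(value):
    """Return the object form whichever way the ML_STRING element was encoded."""
    if isinstance(value, str):
        # STRING used instead of ML_STRING: the language is taken to be "en".
        return {"value": value, "lang": "en"}
    if isinstance(value, dict) and isinstance(value.get("value"), str):
        return dict(value)  # object form: keep its members as sent
    raise ValueError(f"not an ML_STRING: {value!r}")


def decode_byte(value):
    """Strictly decode a base64 BYTE member; malformed input is rejected, not repaired."""
    if not isinstance(value, str):
        raise ValueError("BYTE member must be a base64 string in JSON IODEF")
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 in BYTE member: {exc}") from exc


def normalize(node, key=None):
    """Walk the parsed document and apply the per-type rules by member name."""
    if isinstance(node, list):
        return [normalize(item, key) for item in node]
    if key in ML_STRING_FIELDS:
        return normalize_mlstring(node)
    if key in BYTE_FIELDS:
        return decode_byte(node)
    if isinstance(node, dict):
        return {name: normalize(child, name) for name, child in node.items()}
    return node


def load_iodef(text):
    """Parse JSON IODEF text and return it with ML_STRING and BYTE members normalized."""
    return normalize(json.loads(text, parse_int=_checked_int))


# Constructed fragment for illustration; not a complete IODEF document.
SAMPLE = """
{
  "Description": ["Phishing wave",
                  {"value": "Campagne de phishing", "lang": "fr"}],
  "FileData": [{"File": [{"FileName": "sample.bin", "FileSize": 20480}]}],
  "CertificateData": [{"Certificate": [{"X509Data": "MIIBCgKCAQEA"}]}]
}
"""

if __name__ == "__main__":
    print(load_iodef(SAMPLE))
```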

4. Examples

This section provides examples of IODEF documents. These examples do not represent the full capabilities of the data model or the only way to encode particular information.

4.1. Minimal Example

A document containing only the mandatory elements and attributes is shown below in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": "492382",
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [{
             "type": "organization",
             "role": "creator",
             "Email": [{"EmailTo": "contact@csirt.example.com"}]
         }]
     }]
   }
        

Figure 1: A Minimal Example in JSON

   A3                                    # map(3)
      37                                 # negative(23)
      63                                 # text(3)
         322E30                          # "2.0"
      36                                 # negative(22)
      62                                 # text(2)
         656E                            # "en"
      32                                 # negative(18)
      81                                 # array(1)
         A5                              # map(5)
            21                           # negative(1)
            69                           # text(9)
               7265706F7274696E67        # "reporting"
            29                           # negative(9)
            67                           # text(7)
               70726976617465            # "private"
            02                           # unsigned(2)
            A2                           # map(2)
               12                        # unsigned(18)
               66                        # text(6)
                  343932333832           # "492382"
               2E                        # negative(14)
               71                        # text(17)
                  63736972742E6578616D706C652E636F6D
                                         # "csirt.example.com"
            0A                           # unsigned(10)
            78 19                        # text(25)
               323031352D30372D31385430393A30303A30302D30353A3030
                                         # "2015-07-18T09:00:00
                                         # -05:00"
            0E                           # unsigned(14)
            81                           # array(1)
               A3                        # map(3)
                  18 1C                  # unsigned(28)
                  6C                     # text(12)
                     6F7267616E697A6174696F6E # "organization"
                  18 1A                  # unsigned(26)
                  67                     # text(7)
                     63726561746F72      # "creator"
                  18 22                  # unsigned(34)
                  81                     # array(1)
                     A1                  # map(1)
                        18 29            # unsigned(41)
                        78 19            # text(25)
                           636F6E746163744063736972742E6578616D70
                           6C652E636F6D
                                         # "contact@csirt.example.com"
        

Figure 2: A Minimal Example in CBOR

4.2. Indicators from a Campaign

An example of C2 domains from a given campaign is shown below in JSON and CBOR, respectively.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [{
       "purpose": "watch",
       "restriction": "green",
       "IncidentID": {
         "id": "897923",
         "name": "csirt.example.com"
       },
       "RelatedActivity": [{
         "ThreatActor": [{
           "ThreatActorID": ["TA-12-AGGRESSIVE-BUTTERFLY"],
           "Description": ["Aggressive Butterfly"]}],
         "Campaign": [{
           "CampaignID": ["C-2015-59405"],
           "Description": ["Orange Giraffe"]
         }]
       }],
       "GenerationTime": "2015-10-02T11:18:00-05:00",
       "Description": ["Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."],
       "Assessment": [{
         "Impact": [{"BusinessImpact": {"type": "breach-proprietary"}}]
       }],
       "Contact": [{
         "type": "organization",
         "role": "creator",
         "ContactName": ["CSIRT for example.com"],
         "Email": [{
           "EmailTo": "contact@csirt.example.com"
         }]
       }],
       "Indicator": [{
         "IndicatorID": {
           "id": "G90823490",
           "name": "csirt.example.com",
           "version": "1"
         },
         "Description": ["C2 domains"],
         "StartTime": "2014-12-02T11:18:00-05:00",
         "Observable": {
           "BulkObservable": {
             "type": "domain-name",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }
        

Figure 3: Indicators from a Campaign in JSON

   A3                                      # map(3)
      37                                   # negative(23)
      63                                   # text(3)
         322E30                            # "2.0"
      36                                   # negative(22)
      62                                   # text(2)
         656E                              # "en"
      32                                   # negative(18)
      81                                   # array(1)
         A9                                # map(9)
            21                             # negative(1)
            65                             # text(5)
               7761746368                  # "watch"
            29                             # negative(9)
            65                             # text(5)
               677265656E                  # "green"
            02                             # unsigned(2)
            A2                             # map(2)
               12                          # unsigned(18)
               66                          # text(6)
                  383937393233             # "897923"
               2E                          # negative(14)
               71                          # text(17)
                  63736972742E6578616D706C652E636F6D
                                           # "csirt.example.com"
            04                             # unsigned(4)
            81                             # array(1)
               A2                          # map(2)
                  14                       # unsigned(20)
                  81                       # array(1)
                     A2                    # map(2)
                        18 18              # unsigned(24)
                        81                 # array(1)
                           78 1A           # text(26)
                              54412D31322D414747524553534956452D4
                              25554544552464C59
                                           # "TA-12-AGGRESSIVE
                                           # -BUTTERFLY"
                        24                 # negative(4)
                        81                 # array(1)
                           74              # text(20)
                              41676772657373697665204275747465726
                              66C79
                                           # "Aggressive Butterfly"
                  15                       # unsigned(21)
                  81                       # array(1)
                     A2                    # map(2)
                        18 19              # unsigned(25)
                        81                 # array(1)
                           6C              # text(12)
                              432D323031352D3539343035
                                           # "C-2015-59405"
                        24                 # negative(4)
                        81                 # array(1)
                           6E              # text(14)
                              4F72616E67652047697261666665
                                           # "Orange Giraffe"
            0A                             # unsigned(10)
            78 19                          # text(25)
               323031352D31302D30325431313A31383A30302D30353A3030
                                          # "2015-10-02T11:18:00-05:00"
            24                             # negative(4)
            81                             # array(1)
               78 6F                       # text(111)
                  53756D6D6172697A65732074686520496E64696361746F7
                  273206F6620436F6D70726F6D69736520666F7220746865
                  204F72616E676520476972616666652063616D706169676
                  E206F662074686520416767726573736976652042757474
                  6572666C79206372696D652067616E672E
                                           # "Summarizes the Indicators
                                           # of Compromise for the
                                           # Orange Giraffe campaign
                                           # of the Aggressive
                                           # Butterfly crime gang."
            0C                             # unsigned(12)
            81                             # array(1)
               A1                          # map(1)
                  18 3F                    # unsigned(63)
                  81                       # array(1)
                     A1                    # map(1)
                        18 41              # unsigned(65)
                        A1                 # map(1)
                           18 1C           # unsigned(28)
                           72              # text(18)
                              6272656163682D70726F7072696574617279
                                           # "breach-proprietary"
            0E                             # unsigned(14)
            81                             # array(1)
               A4                          # map(4)
                  18 1C                    # unsigned(28)
                  6C                       # text(12)
                     6F7267616E697A6174696F6E
                                           # "organization"
                  18 1A                    # unsigned(26)
                  67                       # text(7)
                     63726561746F72        # "creator"
                  18 1E                    # unsigned(30)
                  81                       # array(1)
                     75                    # text(21)
                        435349525420666F72206578616D706C652E636F6D
                                           # "CSIRT for example.com"
                  18 22                    # unsigned(34)
                  81                       # array(1)
                     A1                    # map(1)
                        18 29              # unsigned(41)
                        78 19              # text(25)
                           636F6E746163744063736972742E6578616D70
                           6C652E636F6D
                                          # "contact@csirt.example.com"
            10                             # unsigned(16)
            81                             # array(1)
               A4                          # map(4)
                  16                       # unsigned(22)
                  A3                       # map(3)
                     12                    # unsigned(18)
                     69                    # text(9)
                        473930383233343930 # "G90823490"
                     2E                    # negative(14)
                     71                    # text(17)
                        63736972742E6578616D706C652E636F6D
                                           # "csirt.example.com"
                     37                    # negative(23)
                     61                    # text(1)
                        31                 # "1"
                  24                       # negative(4)
                  81                       # array(1)
                     6A                    # text(10)
                        433220646F6D61696E73 # "C2 domains"
                  06                       # unsigned(6)
                  78 19                    # text(25)
                     323031342D31322D30325431313A31383A30302D30353A3030
                                          # "2014-12-02T11:18:00-05:00"
                  18 AB                    # unsigned(171)
                  A1                       # map(1)
                     18 B0                 # unsigned(176)
                     A2                    # map(2)
                        18 1C              # unsigned(28)
                        6B                 # text(11)
                           646F6D61696E2D6E616D65
                                           # "domain-name"
                        18 B2              # unsigned(178)
                        78 1A              # text(26)
                           6B6A3239303032336A30397233342E6578616D
                           706C652E636F6D
                                         # "kj290023j09r34.example.com"
        

Figure 4: Indicators from a Campaign in CBOR

5. Mapkeys

The mapkeys are provided in Table 4 for minimizing the CBOR size.

   +===================================+=========+
   | mapkey                            | cborkey |
   +===================================+=========+
   | iodef-version                     | -24     |
   +-----------------------------------+---------+
   | iodef-lang                        | -23     |
   +-----------------------------------+---------+
   | iodef-format-id                   | -22     |
   +-----------------------------------+---------+
   | iodef-private-enum-name           | -21     |
   +-----------------------------------+---------+
   | iodef-private-enum-id             | -20     |
   +-----------------------------------+---------+
   | iodef-Incident                    | -19     |
   +-----------------------------------+---------+
   | iodef-AdditionalData              | -18     |
   +-----------------------------------+---------+
   | iodef-value                       | -17     |
   +-----------------------------------+---------+
   | iodef-translation-id              | -16     |
   +-----------------------------------+---------+
   | iodef-name                        | -15     |
   +-----------------------------------+---------+
   | iodef-dtype                       | -14     |
   +-----------------------------------+---------+
   | iodef-ext-dtype                   | -13     |
   +-----------------------------------+---------+
   | iodef-meaning                     | -12     |
   +-----------------------------------+---------+
   | iodef-formatid                    | -11     |
   +-----------------------------------+---------+
   | iodef-restriction                 | -10     |
   +-----------------------------------+---------+
   | iodef-ext-restriction             | -9      |
   +-----------------------------------+---------+
   | iodef-observable-id               | -8      |
   +-----------------------------------+---------+
   | iodef-SoftwareReference           | -7      |
   +-----------------------------------+---------+
   | iodef-URL                         | -6      |
   +-----------------------------------+---------+
   | iodef-Description                 | -5      |
   +-----------------------------------+---------+
   | iodef-spec-name                   | -4      |
   +-----------------------------------+---------+
   | iodef-ext-spec-name               | -3      |
   +-----------------------------------+---------+
   | iodef-purpose                     | -2      |
   +-----------------------------------+---------+
   | iodef-ext-purpose                 | -1      |
   +-----------------------------------+---------+
   | iodef-status                      | 0       |
   +-----------------------------------+---------+
   | iodef-ext-status                  | 1       |
   +-----------------------------------+---------+
   | iodef-IncidentID                  | 2       |
   +-----------------------------------+---------+
   | iodef-AlternativeID               | 3       |
   +-----------------------------------+---------+
   | iodef-RelatedActivity             | 4       |
   +-----------------------------------+---------+
   | iodef-DetectTime                  | 5       |
   +-----------------------------------+---------+
   | iodef-StartTime                   | 6       |
   +-----------------------------------+---------+
   | iodef-EndTime                     | 7       |
   +-----------------------------------+---------+
   | iodef-RecoveryTime                | 8       |
   +-----------------------------------+---------+
   | iodef-ReportTime                  | 9       |
   +-----------------------------------+---------+
   | iodef-GenerationTime              | 10      |
   +-----------------------------------+---------+
   | iodef-Discovery                   | 11      |
   +-----------------------------------+---------+
   | iodef-Assessment                  | 12      |
   +-----------------------------------+---------+
   | iodef-Method                      | 13      |
   +-----------------------------------+---------+
   | iodef-Contact                     | 14      |
   +-----------------------------------+---------+
   | iodef-EventData                   | 15      |
   +-----------------------------------+---------+
   | iodef-Indicator                   | 16      |
   +-----------------------------------+---------+
   | iodef-History                     | 17      |
   +-----------------------------------+---------+
   | iodef-id                          | 18      |
   +-----------------------------------+---------+
   | iodef-instance                    | 19      |
   +-----------------------------------+---------+
   | iodef-ThreatActor                 | 20      |
   +-----------------------------------+---------+
   | iodef-Campaign                    | 21      |
   +-----------------------------------+---------+
   | iodef-IndicatorID                 | 22      |
   +-----------------------------------+---------+
   | iodef-Confidence                  | 23      |
   +-----------------------------------+---------+
   | iodef-ThreatActorID               | 24      |
   +-----------------------------------+---------+
   | iodef-CampaignID                  | 25      |
   +-----------------------------------+---------+
   | iodef-role                        | 26      |
   +-----------------------------------+---------+
   | iodef-ext-role                    | 27      |
   +-----------------------------------+---------+
   | iodef-type                        | 28      |
   +-----------------------------------+---------+
   | iodef-ext-type                    | 29      |
   +-----------------------------------+---------+
   | iodef-ContactName                 | 30      |
   +-----------------------------------+---------+
   | iodef-ContactTitle                | 31      |
   +-----------------------------------+---------+
   | iodef-RegistryHandle              | 32      |
   +-----------------------------------+---------+
   | iodef-PostalAddress               | 33      |
   +-----------------------------------+---------+
   | iodef-Email                       | 34      |
   +-----------------------------------+---------+
   | iodef-Telephone                   | 35      |
   +-----------------------------------+---------+
   | iodef-Timezone                    | 36      |
   +-----------------------------------+---------+
   | iodef-handle                      | 37      |
   +-----------------------------------+---------+
   | iodef-registry                    | 38      |
   +-----------------------------------+---------+
   | iodef-ext-registry                | 39      |
   +-----------------------------------+---------+
   | iodef-PAddress                    | 40      |
   +-----------------------------------+---------+
   | iodef-EmailTo                     | 41      |
   +-----------------------------------+---------+
   | iodef-TelephoneNumber             | 42      |
   +-----------------------------------+---------+
   | iodef-source                      | 43      |
   +-----------------------------------+---------+
   | iodef-ext-source                  | 44      |
   +-----------------------------------+---------+
   | iodef-DetectionPattern            | 45      |
   +-----------------------------------+---------+
   | iodef-DetectionConfiguration      | 46      |
   +-----------------------------------+---------+
   | iodef-Application                 | 47      |
   +-----------------------------------+---------+
   | iodef-Reference                   | 48      |
   +-----------------------------------+---------+
   | iodef-AttackPattern               | 49      |
   +-----------------------------------+---------+
   | iodef-Vulnerability               | 50      |
   +-----------------------------------+---------+
   | iodef-Weakness                    | 51      |
   +-----------------------------------+---------+
   | iodef-SpecID                      | 52      |
   +-----------------------------------+---------+
   | iodef-ext-SpecID                  | 53      |
   +-----------------------------------+---------+
   | iodef-ContentID                   | 54      |
   +-----------------------------------+---------+
   | iodef-RawData                     | 55      |
   +-----------------------------------+---------+
   | iodef-Platform                    | 56      |
   +-----------------------------------+---------+
   | iodef-Scoring                     | 57      |
   +-----------------------------------+---------+
   | iodef-ReferenceName               | 58      |
   +-----------------------------------+---------+
   | iodef-specIndex                   | 59      |
   +-----------------------------------+---------+
   | iodef-ID                          | 60      |
   +-----------------------------------+---------+
   | iodef-occurrence                  | 61      |
   +-----------------------------------+---------+
   | iodef-IncidentCategory            | 62      |
   +-----------------------------------+---------+
   | iodef-Impact                      | 63      |
   +-----------------------------------+---------+
   | iodef-SystemImpact                | 64      |
   +-----------------------------------+---------+
   | iodef-BusinessImpact              | 65      |
   +-----------------------------------+---------+
   | iodef-TimeImpact                  | 66      |
   +-----------------------------------+---------+
   | iodef-MonetaryImpact              | 67      |
   +-----------------------------------+---------+
   | iodef-IntendedImpact              | 68      |
   +-----------------------------------+---------+
   | iodef-Counter                     | 69      |
   +-----------------------------------+---------+
   | iodef-MitigatingFactor            | 70      |
   +-----------------------------------+---------+
   | iodef-Cause                       | 71      |
   +-----------------------------------+---------+
   | iodef-severity                    | 72      |
   +-----------------------------------+---------+
   | iodef-completion                  | 73      |
   +-----------------------------------+---------+
   | iodef-ext-severity                | 74      |
   +-----------------------------------+---------+
   | iodef-metric                      | 75      |
   +-----------------------------------+---------+
   | iodef-ext-metric                  | 76      |
   +-----------------------------------+---------+
   | iodef-duration                    | 77      |
   +-----------------------------------+---------+
   | iodef-ext-duration                | 78      |
   +-----------------------------------+---------+
   | iodef-currency                    | 79      |
   +-----------------------------------+---------+
   | iodef-rating                      | 80      |
   +-----------------------------------+---------+
   | iodef-ext-rating                  | 81      |
   +-----------------------------------+---------+
   | iodef-HistoryItem                 | 82      |
   +-----------------------------------+---------+
   | iodef-action                      | 83      |
   +-----------------------------------+---------+
   | iodef-ext-action                  | 84      |
   +-----------------------------------+---------+
   | iodef-DateTime                    | 85      |
   +-----------------------------------+---------+
   | iodef-DefinedCOA                  | 86      |
   +-----------------------------------+---------+
   | iodef-System                      | 87      |
   +-----------------------------------+---------+
   | iodef-Expectation                 | 88      |
   +-----------------------------------+---------+
   | iodef-RecordData                  | 89      |
   +-----------------------------------+---------+
   | iodef-category                    | 90      |
   +-----------------------------------+---------+
   | iodef-ext-category                | 91      |
   +-----------------------------------+---------+
   | iodef-interface                   | 92      |
   +-----------------------------------+---------+
   | iodef-spoofed                     | 93      |
   +-----------------------------------+---------+
   | iodef-virtual                     | 94      |
   +-----------------------------------+---------+
   | iodef-ownership                   | 95      |
   +-----------------------------------+---------+
   | iodef-ext-ownership               | 96      |
   +-----------------------------------+---------+
   | iodef-Node                        | 97      |
   +-----------------------------------+---------+
   | iodef-NodeRole                    | 98      |
   +-----------------------------------+---------+
   | iodef-Service                     | 99      |
   +-----------------------------------+---------+
   | iodef-OperatingSystem             | 100     |
   +-----------------------------------+---------+
   | iodef-AssetID                     | 101     |
   +-----------------------------------+---------+
   | iodef-DomainData                  | 102     |
   +-----------------------------------+---------+
   | iodef-Address                     | 103     |
   +-----------------------------------+---------+
   | iodef-Location                    | 104     |
   +-----------------------------------+---------+
   | iodef-vlan-name                   | 105     |
   +-----------------------------------+---------+
   | iodef-vlan-num                    | 106     |
   +-----------------------------------+---------+
   | iodef-unit                        | 107     |
   +-----------------------------------+---------+
   | iodef-ext-unit                    | 108     |
   +-----------------------------------+---------+
   | iodef-system-status               | 109     |
   +-----------------------------------+---------+
   | iodef-ext-system-status           | 110     |
   +-----------------------------------+---------+
   | iodef-domain-status               | 111     |
   +-----------------------------------+---------+
   | iodef-ext-domain-status           | 112     |
   +-----------------------------------+---------+
   | iodef-Name                        | 113     |
   +-----------------------------------+---------+
   | iodef-DateDomainWasChecked        | 114     |
   +-----------------------------------+---------+
   | iodef-RegistrationDate            | 115     |
   +-----------------------------------+---------+
   | iodef-ExpirationDate              | 116     |
   +-----------------------------------+---------+
   | iodef-RelatedDNS                  | 117     |
   +-----------------------------------+---------+
   | iodef-NameServers                 | 118     |
   +-----------------------------------+---------+
   | iodef-DomainContacts              | 119     |
   +-----------------------------------+---------+
   | iodef-Server                      | 120     |
   +-----------------------------------+---------+
   | iodef-SameDomainContact           | 121     |
   +-----------------------------------+---------+
   | iodef-ip-protocol                 | 122     |
   +-----------------------------------+---------+
   | iodef-ServiceName                 | 123     |
   +-----------------------------------+---------+
   | iodef-Port                        | 124     |
   +-----------------------------------+---------+
   | iodef-Portlist                    | 125     |
   +-----------------------------------+---------+
   | iodef-ProtoCode                   | 126     |
   +-----------------------------------+---------+
   | iodef-ProtoType                   | 127     |
   +-----------------------------------+---------+
   | iodef-ProtoField                  | 128     |
   +-----------------------------------+---------+
   | iodef-ApplicationHeaderField      | 129     |
   +-----------------------------------+---------+
   | iodef-EmailData                   | 130     |
   +-----------------------------------+---------+
   | iodef-IANAService                 | 131     |
   +-----------------------------------+---------+
   | iodef-EmailFrom                   | 132     |
   +-----------------------------------+---------+
   | iodef-EmailSubject                | 133     |
   +-----------------------------------+---------+
   | iodef-EmailX-Mailer               | 134     |
   +-----------------------------------+---------+
   | iodef-EmailHeaderField            | 135     |
   +-----------------------------------+---------+
   | iodef-EmailHeaders                | 136     |
   +-----------------------------------+---------+
   | iodef-EmailBody                   | 137     |
   +-----------------------------------+---------+
   | iodef-EmailMessage                | 138     |
   +-----------------------------------+---------+
   | iodef-HashData                    | 139     |
   +-----------------------------------+---------+
   | iodef-Signature                   | 140     |
   +-----------------------------------+---------+
   | iodef-RecordPattern               | 141     |
   +-----------------------------------+---------+
   | iodef-RecordItem                  | 142     |
   +-----------------------------------+---------+
   | iodef-FileData                    | 143     |
   +-----------------------------------+---------+
   | iodef-WindowsRegistryKeysModified | 144     |
   +-----------------------------------+---------+
   | iodef-CertificateData             | 145     |
   +-----------------------------------+---------+
   | iodef-offset                      | 146     |
   +-----------------------------------+---------+
   | iodef-offsetunit                  | 147     |
   +-----------------------------------+---------+
   | iodef-ext-offsetunit              | 148     |
   +-----------------------------------+---------+
   | iodef-Key                         | 149     |
   +-----------------------------------+---------+
   | iodef-registryaction              | 150     |
   +-----------------------------------+---------+
   | iodef-ext-registryaction          | 151     |
   +-----------------------------------+---------+
   | iodef-KeyName                     | 152     |
   +-----------------------------------+---------+
   | iodef-KeyValue                    | 153     |
   +-----------------------------------+---------+
   | iodef-Certificate                 | 154     |
   +-----------------------------------+---------+
   | iodef-X509Data                    | 155     |
   +-----------------------------------+---------+
   | iodef-File                        | 156     |
   +-----------------------------------+---------+
   | iodef-FileName                    | 157     |
   +-----------------------------------+---------+
   | iodef-FileSize                    | 158     |
   +-----------------------------------+---------+
   | iodef-FileType                    | 159     |
   +-----------------------------------+---------+
   | iodef-AssociatedSoftware          | 160     |
   +-----------------------------------+---------+
   | iodef-FileProperties              | 161     |
   +-----------------------------------+---------+
   | iodef-scope                       | 162     |
   +-----------------------------------+---------+
   | iodef-HashTargetID                | 163     |
   +-----------------------------------+---------+
   | iodef-Hash                        | 164     |
   +-----------------------------------+---------+
   | iodef-FuzzyHash                   | 165     |
   +-----------------------------------+---------+
   | iodef-DigestMethod                | 166     |
   +-----------------------------------+---------+
   | iodef-DigestValue                 | 167     |
   +-----------------------------------+---------+
   | iodef-CanonicalizationMethod      | 168     |
   +-----------------------------------+---------+
   | iodef-FuzzyHashValue              | 169     |
   +-----------------------------------+---------+
   | iodef-AlternativeIndicatorID      | 170     |
   +-----------------------------------+---------+
   | iodef-Observable                  | 171     |
   +-----------------------------------+---------+
   | iodef-uid-ref                     | 172     |
   +-----------------------------------+---------+
   | iodef-IndicatorExpression         | 173     |
   +-----------------------------------+---------+
   | iodef-IndicatorReference          | 174     |
   +-----------------------------------+---------+
   | iodef-AttackPhase                 | 175     |
   +-----------------------------------+---------+
   | iodef-BulkObservable              | 176     |
   +-----------------------------------+---------+
   | iodef-BulkObservableFormat        | 177     |
   +-----------------------------------+---------+
   | iodef-BulkObservableList          | 178     |
   +-----------------------------------+---------+
   | iodef-operator                    | 179     |
   +-----------------------------------+---------+
   | iodef-ext-operator                | 180     |
   +-----------------------------------+---------+
   | iodef-euid-ref                    | 181     |
   +-----------------------------------+---------+
   | iodef-AttackPhaseID               | 182     |
   +-----------------------------------+---------+
        

Table 4: Mapkeys

6. The IODEF Data Model (CDDL)

This section provides the IODEF data model. Note that mapkeys are described at the beginning of the CDDL data model for better readability.

   start = iodef

   ;;; iodef.json: IODEF-Document
        
   iodef-version = -24
   iodef-lang = -23
   iodef-format-id = -22
   iodef-private-enum-name = -21
   iodef-private-enum-id = -20
   iodef-Incident = -19
   iodef-AdditionalData = -18
   iodef-value = -17
   iodef-translation-id = -16
   iodef-name = -15
   iodef-dtype = -14
   iodef-ext-dtype = -13
   iodef-meaning = -12
   iodef-formatid = -11
   iodef-restriction = -10
   iodef-ext-restriction = -9
   iodef-observable-id = -8
   iodef-SoftwareReference = -7
   iodef-URL = -6
   iodef-Description = -5
   iodef-spec-name = -4
   iodef-ext-spec-name = -3
   iodef-purpose = -2
   iodef-ext-purpose = -1
   iodef-status = 0
   iodef-ext-status = 1
   iodef-IncidentID = 2
   iodef-AlternativeID = 3
   iodef-RelatedActivity = 4
   iodef-DetectTime = 5
   iodef-StartTime = 6
   iodef-EndTime = 7
   iodef-RecoveryTime = 8
   iodef-ReportTime = 9
   iodef-GenerationTime = 10
   iodef-Discovery = 11
   iodef-Assessment = 12
   iodef-Method = 13
   iodef-Contact = 14
   iodef-EventData = 15
   iodef-Indicator = 16
   iodef-History = 17
   iodef-id = 18
   iodef-instance = 19
   iodef-ThreatActor = 20
   iodef-Campaign = 21
   iodef-IndicatorID = 22
   iodef-Confidence = 23
   iodef-ThreatActorID = 24
   iodef-CampaignID = 25
   iodef-role = 26
   iodef-ext-role = 27
   iodef-type = 28
   iodef-ext-type = 29
   iodef-ContactName = 30
   iodef-ContactTitle = 31
   iodef-RegistryHandle = 32
   iodef-PostalAddress = 33
   iodef-Email = 34
   iodef-Telephone = 35
   iodef-Timezone = 36
   iodef-handle = 37
   iodef-registry = 38
   iodef-ext-registry = 39
   iodef-PAddress = 40
   iodef-EmailTo = 41
   iodef-TelephoneNumber = 42
   iodef-source = 43
   iodef-ext-source = 44
   iodef-DetectionPattern = 45
   iodef-DetectionConfiguration = 46
   iodef-Application = 47
   iodef-Reference = 48
   iodef-AttackPattern = 49
   iodef-Vulnerability = 50
   iodef-Weakness = 51
   iodef-SpecID = 52
   iodef-ext-SpecID = 53
   iodef-ContentID = 54
   iodef-RawData = 55
   iodef-Platform = 56
   iodef-Scoring = 57
   iodef-ReferenceName = 58
   iodef-specIndex = 59
   iodef-ID = 60
   iodef-occurrence = 61
   iodef-IncidentCategory = 62
   iodef-Impact = 63
   iodef-SystemImpact = 64
   iodef-BusinessImpact = 65
   iodef-TimeImpact = 66
   iodef-MonetaryImpact = 67
   iodef-IntendedImpact = 68
   iodef-Counter = 69
   iodef-MitigatingFactor = 70
   iodef-Cause = 71
   iodef-severity = 72
   iodef-completion = 73
   iodef-ext-severity = 74
   iodef-metric = 75
   iodef-ext-metric = 76
   iodef-duration = 77
   iodef-ext-duration = 78
   iodef-currency = 79
   iodef-rating = 80
   iodef-ext-rating = 81
   iodef-HistoryItem = 82
   iodef-action = 83
   iodef-ext-action = 84
   iodef-DateTime = 85
   iodef-DefinedCOA = 86
   iodef-System = 87
   iodef-Expectation = 88
   iodef-RecordData = 89
   iodef-category = 90
   iodef-ext-category = 91
   iodef-interface = 92
   iodef-spoofed = 93
   iodef-virtual = 94
   iodef-ownership = 95
   iodef-ext-ownership = 96
   iodef-Node = 97
   iodef-NodeRole = 98
   iodef-Service = 99
   iodef-OperatingSystem = 100
   iodef-AssetID = 101
   iodef-DomainData = 102
   iodef-Address = 103
   iodef-Location = 104
   iodef-vlan-name = 105
   iodef-vlan-num = 106
   iodef-unit = 107
   iodef-ext-unit = 108
   iodef-system-status = 109
   iodef-ext-system-status = 110
   iodef-domain-status = 111
   iodef-ext-domain-status = 112
   iodef-Name = 113
   iodef-DateDomainWasChecked = 114
   iodef-RegistrationDate = 115
   iodef-ExpirationDate = 116
   iodef-RelatedDNS = 117
   iodef-NameServers = 118
   iodef-DomainContacts = 119
   iodef-Server = 120
   iodef-SameDomainContact = 121
   iodef-ip-protocol = 122
   iodef-ServiceName = 123
   iodef-Port = 124
   iodef-Portlist = 125
   iodef-ProtoCode = 126
   iodef-ProtoType = 127
   iodef-ProtoField = 128
   iodef-ApplicationHeaderField = 129
   iodef-EmailData = 130
   iodef-IANAService = 131
   iodef-EmailFrom = 132
   iodef-EmailSubject = 133
   iodef-EmailX-Mailer = 134
   iodef-EmailHeaderField = 135
   iodef-EmailHeaders = 136
   iodef-EmailBody = 137
   iodef-EmailMessage = 138
   iodef-HashData = 139
   iodef-Signature = 140
   iodef-RecordPattern = 141
   iodef-RecordItem = 142
   iodef-FileData = 143
   iodef-WindowsRegistryKeysModified = 144
   iodef-CertificateData = 145
   iodef-offset = 146
   iodef-offsetunit = 147
   iodef-ext-offsetunit = 148
   iodef-Key = 149
   iodef-registryaction = 150
   iodef-ext-registryaction = 151
   iodef-KeyName = 152
   iodef-KeyValue = 153
   iodef-Certificate = 154
   iodef-X509Data = 155
   iodef-File = 156
   iodef-FileName = 157
   iodef-FileSize = 158
   iodef-FileType = 159
   iodef-AssociatedSoftware = 160
   iodef-FileProperties = 161
   iodef-scope = 162
   iodef-HashTargetID = 163
   iodef-Hash = 164
   iodef-FuzzyHash = 165
   iodef-DigestMethod = 166
   iodef-DigestValue = 167
   iodef-CanonicalizationMethod = 168
   iodef-FuzzyHashValue = 169
   iodef-AlternativeIndicatorID = 170
   iodef-Observable = 171
   iodef-uid-ref = 172
   iodef-IndicatorExpression = 173
   iodef-IndicatorReference = 174
   iodef-AttackPhase = 175
   iodef-BulkObservable = 176
   iodef-BulkObservableFormat = 177
   iodef-BulkObservableList = 178
   iodef-operator = 179
   iodef-ext-operator = 180
   iodef-euid-ref = 181
   iodef-AttackPhaseID = 182
        
   iodef = {
    iodef-version => text,
    ? iodef-lang => lang,
    ? iodef-format-id => text,
    ? iodef-private-enum-name => text,
    ? iodef-private-enum-id => text,
    iodef-Incident => [+ Incident],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   duration = "second" / "minute" / "hour" / "day" / "month" /
   "quarter" / "year" / "ext-value"
   lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
        
   restriction = "public" / "partner" / "need-to-know" / "private" /
   "default" / "white" / "green" / "amber" / "red" /
   "ext-value"
   SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" /  "private"
   IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
   IDREFType = IDtype
   URLtype = uri
   TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
   PortlistType = text .regexp
                           "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
   action = "nothing" / "contact-source-site" / "contact-target-site" /
   "contact-sender" / "investigate" / "block-host" /
   "block-network" / "block-port" / "rate-limit-host" /
   "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
   "honeypot" / "upgrade-software" / "rebuild-asset" /
   "harden-asset" / "remediate-other" / "status-triage" /
   "status-new-info" / "watch-and-report" / "training" /
   "defined-coa" / "other" / "ext-value"
        

   DATETIME = tdate
   BYTE = eb64legacy

   MLStringType = {
       iodef-value => text,
       ? iodef-lang => lang,
       ? iodef-translation-id => text
   } / text
        

   PositiveFloatType = float32 .gt 0
   PAddressType = MLStringType

   ExtensionType  = {
    iodef-value => text,
    ? iodef-name => text,
    iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
   "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
   "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
   "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
   "ext-value"
   .default "string",
    ? iodef-ext-dtype => text,
    ? iodef-meaning => text,
    ? iodef-formatid => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
   }
        
   SoftwareType = {
    ? iodef-SoftwareReference => SoftwareReference,
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType]
   }
        
   SoftwareReference = {
    ? iodef-value => text,
    iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
    ? iodef-ext-spec-name => text,
    ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
   "ext-value" .default "string",
    ? iodef-ext-dtype => text
   }
        
   Incident = {
    iodef-purpose => "traceback" / "mitigation" / "reporting" /
   "watch" / "other" / "ext-value",
    ? iodef-ext-purpose => text,
    ? iodef-status => "new" / "in-progress" / "forwarded" / "resolved" /
   "future" / "ext-value",
    ? iodef-ext-status => text,
    ? iodef-lang => lang,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    iodef-IncidentID => IncidentID,
    ? iodef-AlternativeID => AlternativeID,
    ? iodef-RelatedActivity => [+ RelatedActivity],
    ? iodef-DetectTime => DATETIME,
    ? iodef-StartTime => DATETIME,
    ? iodef-EndTime => DATETIME,
    ? iodef-RecoveryTime => DATETIME,
    ? iodef-ReportTime => DATETIME,
    iodef-GenerationTime => DATETIME,
    ? iodef-Description => [+ MLStringType],
    ? iodef-Discovery => [+ Discovery],
    ? iodef-Assessment => [+ Assessment],
    ? iodef-Method => [+ Method],
    iodef-Contact => [+ Contact],
    ? iodef-EventData => [+ EventData],
    ? iodef-Indicator => [+ Indicator],
    ? iodef-History => History,
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   IncidentID = {
    iodef-id => text,
    iodef-name => text,
    ? iodef-instance => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text
   }
        
   AlternativeID = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    iodef-IncidentID => [+ IncidentID]
   }
        
   RelatedActivity = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-IncidentID => [+ IncidentID],
    ? iodef-URL => [+ URLtype],
    ? iodef-ThreatActor => [+ ThreatActor],
    ? iodef-Campaign => [+ Campaign],
    ? iodef-IndicatorID => [+ IndicatorID],
    ? iodef-Confidence => Confidence,
    ? iodef-Description => [+ text],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   ThreatActor = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-ThreatActorID => [+ text],
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   Campaign  = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-CampaignID => [+ text],
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   Contact = {
    iodef-role => "creator" / "reporter" / "admin" / "tech" /
   "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
   "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
   "victim" / "victim-notified" / "ext-value",
    ? iodef-ext-role => text,
    iodef-type => "person" / "organization" / "ext-value",
    ? iodef-ext-type => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-ContactName => [+ MLStringType],
    ? iodef-ContactTitle => [+ MLStringType],
    ? iodef-Description => [+ MLStringType],
    ? iodef-RegistryHandle => [+ RegistryHandle],
    ? iodef-PostalAddress => [+ PostalAddress],
    ? iodef-Email => [+ Email],
    ? iodef-Telephone => [+ Telephone],
    ? iodef-Timezone => TimeZonetype,
    ? iodef-Contact => [+ Contact],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   RegistryHandle = {
    iodef-handle => text,
    iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
   "ripe" / "afrinic" / "local" / "ext-value",
    ? iodef-ext-registry => text
   }
        
   PostalAddress = {
    ? iodef-type => "street" / "mailing" / "ext-value",
    ? iodef-ext-type => text,
    iodef-PAddress => PAddressType,
    ? iodef-Description => [+ MLStringType]
   }
        
   Email = {
    ? iodef-type => "direct" / "hotline" / "ext-value",
    ? iodef-ext-type => text,
    iodef-EmailTo => text,
    ? iodef-Description => [+ MLStringType]
   }
        
   Telephone = {
    ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
    "ext-value",
    ? iodef-ext-type => text,
    iodef-TelephoneNumber => text,
    ? iodef-Description => [+ MLStringType]
   }
        
   Discovery = {
    ? iodef-source => "nidps" / "hips" / "siem" / "av" /
   "third-party-monitoring" / "incident" / "os-log" /
   "application-log" / "device-log" / "network-flow" /
   "passive-dns" / "investigation" / "audit" /
   "internal-notification" / "external-notification" /
   "leo" / "partner" / "actor" / "unknown" / "ext-value",
    ? iodef-ext-source => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-Description => [+ MLStringType],
    ? iodef-Contact => [+ Contact],
    ? iodef-DetectionPattern => [+ DetectionPattern]
   }
        
   DetectionPattern = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    (iodef-Description => [+ MLStringType] //
                  iodef-DetectionConfiguration => [+ text]),
    iodef-Application => SoftwareType
   }
        
   Method = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-Reference => [+ Reference],
    ? iodef-Description => [+ MLStringType],
    ? iodef-AttackPattern => [+ STRUCTUREDINFO],
    ? iodef-Vulnerability => [+ STRUCTUREDINFO],
    ? iodef-Weakness => [+ STRUCTUREDINFO],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   STRUCTUREDINFO = {
    iodef-SpecID => SpecID,
    ? iodef-ext-SpecID => text,
    ? iodef-ContentID => text,
    ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
    ? iodef-Platform => [+ Platform],
    ? iodef-Scoring => [+ Scoring]
   }
        
   Platform = {
       iodef-SpecID => SpecID,
       ? iodef-ext-SpecID => text,
       ? iodef-ContentID => text,
       ? iodef-RawData => [+ BYTE],
       ? iodef-Reference => [+ Reference]
   }
   Scoring = {
       iodef-SpecID => SpecID,
       ? iodef-ext-SpecID => text,
       ? iodef-ContentID => text,
       ? iodef-RawData => [+ BYTE],
       ? iodef-Reference => [+ Reference]
   }
   Reference = {
    ? iodef-observable-id => IDtype,
    ? iodef-ReferenceName => ReferenceName,
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType]
   }
        
   ReferenceName = {
    iodef-specIndex => integer,
    iodef-ID => IDtype
   }
        
   Assessment = {
    ? iodef-occurrence => "actual" / "potential",
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    ? iodef-IncidentCategory => [+ MLStringType],
    iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
             {iodef-BusinessImpact => BusinessImpact} /
             {iodef-TimeImpact => TimeImpact} /
             {iodef-MonetaryImpact => MonetaryImpact} /
             {iodef-IntendedImpact => BusinessImpact}],
    ? iodef-Counter => [+ Counter],
    ? iodef-MitigatingFactor => [+ MLStringType],
    ? iodef-Cause => [+ MLStringType],
    ? iodef-Confidence => Confidence,
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   SystemImpact = {
    ? iodef-severity => "low" / "medium" / "high",
    ? iodef-completion => "failed" / "succeeded",
    iodef-type => "takeover-account" / "takeover-service" /
   "takeover-system" / "cps-manipulation" / "cps-damage" /
   "availability-data" / "availability-account" /
   "availability-service" / "availability-system" / "damaged-system" /
   "damaged-data" / "breach-proprietary" / "breach-privacy" /
   "breach-credential" / "breach-configuration" / "integrity-data" /
   "integrity-configuration" / "integrity-hardware" /
   "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
   "policy" / "unknown" / "ext-value" .default "unknown",
    ? iodef-ext-type => text,
    ? iodef-Description => [+ MLStringType]
   }
        
   BusinessImpact = {
   ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
   "ext-value" .default "unknown",
    ? iodef-ext-severity => text,
    iodef-type => "breach-proprietary" / "breach-privacy" /
   "breach-credential" / "loss-of-integrity" / "loss-of-service" /
   "theft-financial" / "theft-service" / "degraded-reputation" /
   "asset-damage" / "asset-manipulation" / "legal" / "extortion" /
   "unknown" / "ext-value" .default "unknown",
    ? iodef-ext-type => text,
    ? iodef-Description => [+ MLStringType]
   }
        
   TimeImpact = {
    iodef-value => PositiveFloatType,
    ? iodef-severity => "low" / "medium" / "high",
    iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
    ? iodef-ext-metric => text,
    ? iodef-duration => duration .default "hour",
    ? iodef-ext-duration => text
   }
        
   MonetaryImpact = {
    iodef-value => PositiveFloatType,
    ? iodef-severity => "low" / "medium" / "high",
    ? iodef-currency => text
   }
        
   Confidence = {
    iodef-value => float32,
    iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
   "ext-value",
    ? iodef-ext-rating => text
   }
        
   History = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    iodef-HistoryItem => [+ HistoryItem]
   }
        
   HistoryItem = {
    iodef-action => action .default "other",
    ? iodef-ext-action => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    iodef-DateTime => DATETIME,
    ? iodef-IncidentID => IncidentID,
    ? iodef-Contact => Contact,
    ? iodef-Description => [+ MLStringType],
    ? iodef-DefinedCOA => [+ text],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   EventData = {
    ? iodef-restriction => restriction .default "default",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    ? iodef-Description => [+ MLStringType],
    ? iodef-DetectTime => DATETIME,
    ? iodef-StartTime => DATETIME,
    ? iodef-EndTime => DATETIME,
    ? iodef-RecoveryTime => DATETIME,
    ? iodef-ReportTime => DATETIME,
    ? iodef-Contact => [+ Contact],
    ? iodef-Discovery => [+ Discovery],
    ? iodef-Assessment => Assessment,
    ? iodef-Method => [+ Method],
    ? iodef-System => [+ System],
    ? iodef-Expectation => [+ Expectation],
    ? iodef-RecordData => [+ RecordData],
    ? iodef-EventData => [+ EventData],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   Expectation = {
    ? iodef-action => action .default "other",
    ? iodef-ext-action => text,
    ? iodef-severity => "low" / "medium" / "high",
    ? iodef-restriction => restriction .default "default",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    ? iodef-Description => [+ MLStringType],
    ? iodef-DefinedCOA => [+ text],
    ? iodef-StartTime => DATETIME,
    ? iodef-EndTime => DATETIME,
    ? iodef-Contact => Contact
   }
        
   System = {
    ? iodef-category => "source" / "target" / "intermediate" /
   "sensor" / "infrastructure" / "ext-value",
    ? iodef-ext-category => text,
    ? iodef-interface => text,
    ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
    ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
    ? iodef-ownership => "organization" / "personal" / "partner" /
   "customer" / "no-relationship" / "unknown" / "ext-value",
    ? iodef-ext-ownership => text,
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    iodef-Node => Node,
    ? iodef-NodeRole => [+ NodeRole],
    ? iodef-Service => [+ Service],
    ? iodef-OperatingSystem => [+ SoftwareType],
    ? iodef-Counter => [+ Counter],
    ? iodef-AssetID => [+ text],
    ? iodef-Description => [+ MLStringType],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   Node = {
    (iodef-DomainData => [+ DomainData] //
                                  iodef-Address => [+ Address]),
    ? iodef-PostalAddress => PostalAddress,
    ? iodef-Location => [+ MLStringType],
    ? iodef-Counter => [+ Counter]
   }
        
   Address = {
    iodef-value => text,
    iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
   "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
   "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
   "ext-value" .default "ipv6-addr",
    ? iodef-ext-category => text,
    ? iodef-vlan-name => text,
    ? iodef-vlan-num => integer,
    ? iodef-observable-id => IDtype
   }
        
   NodeRole = {
    iodef-category => "client" / "client-enterprise" /
   "client-partner" / "client-remote" / "client-kiosk" /
   "client-mobile" / "server-internal" / "server-public" /
   "www" / "mail" / "webmail" / "messaging" / "streaming" /
   "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
   "credential" / "print" / "application" / "database" /
   "backup" / "dhcp" / "assessment" / "source-control" /
   "config-management" / "monitoring" / "infra" / "infra-firewall" /
   "infra-router" / "infra-switch" / "camera" / "proxy" /
   "remote-access" / "log" / "virtualization" / "pos" /  "scada" /
   "scada-supervisory" / "sinkhole" / "honeypot" /
   "anomyzation" / "c2-server" / "malware-distribution" /
   "drop-server" / "hop-point" / "reflector" /
   "phishing-site" / "spear-phishing-site" / "recruiting-site" /
   "fraudulent-site" / "ext-value",
    ? iodef-ext-category => text,
    ? iodef-Description => [+ MLStringType]
   }
        
   Counter = {
    iodef-value => float32,
    iodef-type => "count" / "peak" / "average" / "ext-value",
    ? iodef-ext-type => text,
    iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
   "alert" / "message" / "event" / "host" / "site" / "organization" /
   "ext-value",
    ? iodef-ext-unit => text,
    ? iodef-meaning => text,
    ? iodef-duration => duration .default "hour",
    ? iodef-ext-duration => text
   }
        
   DomainData = {
    iodef-system-status => "spoofed" / "fraudulent" /
   "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
    ? iodef-ext-system-status => text,
    iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
   "assignedAndInactive" / "assignedAndOnHold" /
   "revoked" / "transferPending" / "registryLock" /
   "registrarLock" / "other" / "unknown" / "ext-value",
    ? iodef-ext-domain-status => text,
    ? iodef-observable-id => IDtype,
    iodef-Name => text,
    ? iodef-DateDomainWasChecked => DATETIME,
    ? iodef-RegistrationDate => DATETIME,
    ? iodef-ExpirationDate => DATETIME,
    ? iodef-RelatedDNS => [+ ExtensionType],
    ? iodef-NameServers => [+ NameServers],
    ? iodef-DomainContacts => DomainContacts
   }
        
   NameServers = {
    iodef-Server => text,
    iodef-Address => [+ Address]
   }
        
   DomainContacts = {
    (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
   }
        
   Service = {
    ? iodef-ip-protocol => integer,
    ? iodef-observable-id => IDtype,
    ? iodef-ServiceName => ServiceName,
    ? iodef-Port => integer,
    ? iodef-Portlist => PortlistType,
    ? iodef-ProtoCode => integer,
    ? iodef-ProtoType => integer,
    ? iodef-ProtoField => integer,
    ? iodef-ApplicationHeaderField => [+ ExtensionType],
    ? iodef-EmailData => EmailData,
    ? iodef-Application => SoftwareType
   }
        
   ServiceName = {
    ? iodef-IANAService => text,
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType]
   }
        
   EmailData = {
    ? iodef-observable-id => IDtype,
    ? iodef-EmailTo => [+ text],
    ? iodef-EmailFrom => text,
    ? iodef-EmailSubject => text,
    ? iodef-EmailX-Mailer => text,
    ? iodef-EmailHeaderField => [+ ExtensionType],
    ? iodef-EmailHeaders => text,
    ? iodef-EmailBody => text,
    ? iodef-EmailMessage => text,
    ? iodef-HashData => [+ HashData],
    ? iodef-Signature => [+ BYTE]
   }
        
   RecordData = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    ? iodef-DateTime => DATETIME,
    ? iodef-Description => [+ MLStringType],
    ? iodef-Application => SoftwareType,
    ? iodef-RecordPattern => [+ RecordPattern],
    ? iodef-RecordItem => [+ ExtensionType],
    ? iodef-URL => [+ URLtype],
    ? iodef-FileData => [+ FileData],
    ? iodef-WindowsRegistryKeysModified =>
                                   [+ WindowsRegistryKeysModified],
    ? iodef-CertificateData => [+ CertificateData],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   RecordPattern = {
    iodef-value => text,
    iodef-type => "regex" / "binary" / "xpath" /
   "ext-value"  .default "regex",
    ? iodef-ext-type => text,
    ? iodef-offset => integer,
    ? iodef-offsetunit => "line" / "byte" /
   "ext-value" .default "line",
    ? iodef-ext-offsetunit => text,
    ? iodef-instance => integer
   }
        
   WindowsRegistryKeysModified = {
    ? iodef-observable-id => IDtype,
    iodef-Key => [+ Key]
   }
        
   Key = {
    ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
   "delete-value" / "modify-key" / "modify-value" /
   "ext-value",
    ? iodef-ext-registryaction => text,
    ? iodef-observable-id => IDtype,
    iodef-KeyName => text,
    ? iodef-KeyValue => text
   }
        
   CertificateData = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    iodef-Certificate => [+ Certificate]
   }
        
   Certificate = {
    ? iodef-observable-id => IDtype,
    iodef-X509Data => BYTE,
    ? iodef-Description => [+ MLStringType]
   }
        
   FileData = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? iodef-observable-id => IDtype,
    iodef-File => [+ File]
   }
        
   File = {
    ? iodef-observable-id => IDtype,
    ? iodef-FileName => text,
    ? iodef-FileSize => integer,
    ? iodef-FileType => text,
    ? iodef-URL => [+ URLtype],
    ? iodef-HashData => HashData,
    ? iodef-Signature => [+ BYTE],
    ? iodef-AssociatedSoftware => SoftwareType,
    ? iodef-FileProperties => [+ ExtensionType]
   }
        
   HashData = {
    iodef-scope => "file-contents" / "file-pe-section" /
   "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
   "email-hash" / "email-headers-hash" / "email-body-hash" /
   "ext-value",
    ? iodef-HashTargetID => text,
    ? iodef-Hash => [+ Hash],
    ? iodef-FuzzyHash => [+ FuzzyHash]
   }
        
   Hash = {
    iodef-DigestMethod => BYTE,
    iodef-DigestValue => BYTE,
    ? iodef-CanonicalizationMethod => BYTE,
    ? iodef-Application => SoftwareType
   }
        
   FuzzyHash = {
    iodef-FuzzyHashValue => [+ ExtensionType],
    ? iodef-Application => SoftwareType,
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   Indicator = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    iodef-IndicatorID => IndicatorID,
    ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
    ? iodef-Description => [+ MLStringType],
    ? iodef-StartTime => DATETIME,
    ? iodef-EndTime => DATETIME,
    ? iodef-Confidence => Confidence,
    ? iodef-Contact => [+ Contact],
    (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
     iodef-IndicatorExpression => IndicatorExpression //
     iodef-IndicatorReference => IndicatorReference),
    ? iodef-NodeRole => [+ NodeRole],
    ? iodef-AttackPhase => [+ AttackPhase],
    ? iodef-Reference => [+ Reference],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   IndicatorID = {
    iodef-id => IDtype,
    iodef-name => text,
    iodef-version => text
   }
        
   AlternativeIndicatorID = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    iodef-IndicatorID => [+ IndicatorID]
   }
        
   Observable = {
    ? iodef-restriction => restriction .default "private",
    ? iodef-ext-restriction => text,
    ? (iodef-System => System // iodef-Address => Address //
       iodef-DomainData => DomainData //
       iodef-EmailData => EmailData //
       iodef-Service => Service //
       iodef-WindowsRegistryKeysModified =>
                                     WindowsRegistryKeysModified //
       iodef-FileData => FileData //
       iodef-CertificateData => CertificateData //
       iodef-RegistryHandle => RegistryHandle //
       iodef-RecordData => RecordData //
       iodef-EventData => EventData // iodef-Incident => Incident //
       iodef-Expectation => Expectation //
       iodef-Reference => Reference //
       iodef-Assessment => Assessment //
       iodef-DetectionPattern => DetectionPattern //
       iodef-HistoryItem => HistoryItem //
       iodef-BulkObservable => BulkObservable //
       iodef-AdditionalData => [+ ExtensionType])
   }
        
   BulkObservable = {
    ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
   "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
   "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
   "domain-to-ipv4" / "domain-to-ipv6" /
   "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
   "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
   "email-x-mailer" / "email-subject" / "http-user-agent" /
   "http-request-uri" / "mutex" / "file-path" / "user-name" /
   "ext-value",
    ? iodef-ext-type => text,
    ? iodef-BulkObservableFormat => BulkObservableFormat,
    iodef-BulkObservableList => text,
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   BulkObservableFormat = {
    (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
   }
        
   IndicatorExpression = {
    ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
    ? iodef-ext-operator => text,
    ? iodef-IndicatorExpression => [+ IndicatorExpression],
    ? iodef-Observable => [+ Observable],
    ? iodef-uid-ref => [+ IDREFType],
    ? iodef-IndicatorReference => [+ IndicatorReference],
    ? iodef-Confidence => Confidence,
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        
   IndicatorReference = {
    (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
    ? iodef-version => text
   }
        
   AttackPhase = {
    ? iodef-AttackPhaseID => [+ text],
    ? iodef-URL => [+ URLtype],
    ? iodef-Description => [+ MLStringType],
    ? iodef-AdditionalData => [+ ExtensionType]
   }
        

Figure 5: Data Model in CDDL
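
One way a receiver might check the IndicatorExpression and IndicatorReference rules of Figure 5 before evaluating an indicator from a peer; this is an added example, not code from RFC 8727. It assumes that JSON member names drop the `iodef-` prefix, leaves the contents of Observable, Confidence and AdditionalData unchecked, and uses a depth cap and a sample document constructed for the illustration.

```python
import re

# Assumption of this example: JSON member names are the CDDL names with the
# "iodef-" prefix dropped (iodef-operator -> "operator").
ID_RE = re.compile(r"[a-zA-Z_][a-zA-Z0-9_.-]*")  # IDtype, used by IDREFType
OPERATORS = ("not", "and", "or", "xor")
ARRAY_MEMBERS = ("IndicatorExpression", "Observable", "uid-ref",
                 "IndicatorReference", "AdditionalData")
EXPRESSION_MEMBERS = set(ARRAY_MEMBERS) | {"operator", "ext-operator",
                                           "Confidence"}
REFERENCE_MEMBERS = {"uid-ref", "euid-ref", "version"}
MAX_DEPTH = 8  # receiver policy chosen for this example, not an RFC limit


def effective_operator(expr):
    """Apply the CDDL '.default "and"' when the member is absent."""
    return expr.get("operator", "and")


def _is_idref(value):
    return isinstance(value, str) and ID_RE.fullmatch(value) is not None


def _array(obj, member):
    """Return the member's items if it is a non-empty array, else nothing."""
    value = obj.get(member)
    return value if isinstance(value, list) and value else []


def check_reference(ref, path):
    """IndicatorReference = { (uid-ref // euid-ref), ? version }."""
    if not isinstance(ref, dict):
        return [path + ": must be an object"]
    errors = [path + ": unknown member " + repr(k)
              for k in sorted(set(ref) - REFERENCE_MEMBERS)]
    if ("uid-ref" in ref) == ("euid-ref" in ref):
        errors.append(path + ": exactly one of uid-ref / euid-ref required")
    if "uid-ref" in ref and not _is_idref(ref["uid-ref"]):
        errors.append(path + "/uid-ref: not an IDREFType")
    for member in ("euid-ref", "version"):
        if member in ref and not isinstance(ref[member], str):
            errors.append(path + "/" + member + ": must be text")
    return errors


def check_expression(expr, path="IndicatorExpression", depth=1):
    """Return a list of violations; an empty list means the shape is valid."""
    if depth > MAX_DEPTH:  # the rule is recursive, so bound untrusted input
        return [path + ": nested deeper than %d levels" % MAX_DEPTH]
    if not isinstance(expr, dict):
        return [path + ": must be an object"]
    errors = [path + ": unknown member " + repr(k)
              for k in sorted(set(expr) - EXPRESSION_MEMBERS)]
    if effective_operator(expr) not in OPERATORS:
        errors.append(path + "/operator: not one of " + "/".join(OPERATORS))
    if not isinstance(expr.get("ext-operator", ""), str):
        errors.append(path + "/ext-operator: must be text")
    for member in ARRAY_MEMBERS:  # CDDL [+ X] is a non-empty array
        if member in expr and not _array(expr, member):
            errors.append(path + "/" + member + ": must be a non-empty array")
    for i, child in enumerate(_array(expr, "IndicatorExpression")):
        errors += check_expression(
            child, "%s/IndicatorExpression[%d]" % (path, i), depth + 1)
    for i, uid in enumerate(_array(expr, "uid-ref")):
        if not _is_idref(uid):
            errors.append("%s/uid-ref[%d]: not an IDREFType" % (path, i))
    for i, ref in enumerate(_array(expr, "IndicatorReference")):
        errors += check_reference(ref, "%s/IndicatorReference[%d]" % (path, i))
    return errors


# Constructed sample: an "or" of one observable and a nested expression that
# omits "operator" and therefore evaluates with the default "and".
SAMPLE = {
    "operator": "or",
    "Observable": [{"BulkObservable": {"type": "ipv4-addr",
                                       "BulkObservableList": "192.0.2.1"}}],
    "IndicatorExpression": [{
        "uid-ref": ["ind-0001"],
        "IndicatorReference": [{"euid-ref": "example-peer:ind-77",
                                "version": "2"}],
    }],
}

if __name__ == "__main__":
    print(check_expression(SAMPLE) or "valid")
```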

7. IANA Considerations

This document has no IANA actions.

8. Security Considerations

This document provides a mapping from XML IODEF defined in [RFC7970] to JSON, and Section 3.2 describes several issues that arise when converting XML IODEF and JSON IODEF. Though it does not provide any further security considerations other than the one described in [RFC7970], implementers of this document should be aware of those issues to avoid any unintended outcome.

9. References
9.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>.

[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, <https://www.rfc-editor.org/info/rfc4648>.

[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, October 2013, <https://www.rfc-editor.org/info/rfc7049>.

[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, DOI 10.17487/RFC7203, April 2014, <https://www.rfc-editor.org/info/rfc7203>.

[RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", STD 90, RFC 8259, DOI 10.17487/RFC8259, December 2017, <https://www.rfc-editor.org/info/rfc8259>.

[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, June 2019, <https://www.rfc-editor.org/info/rfc8610>.

9.2. Informative References

[JSON-SCHEMA] Wright, A., Andrews, H., and B. Hutton, "JSON Schema Validation: A Vocabulary for Structural Validation of JSON", Work in Progress, Internet-Draft, draft-handrews-json-schema-validation-02, 17 September 2019, <https://tools.ietf.org/html/draft-handrews-json-schema-validation-02>.

Appendix A. Data Types Used in This Document

The CDDL prelude used in this document is mapped to JSON as shown in the table below.

   +==============+=========+==========+=============================+
   | CDDL Prelude | Use of  | Instance | Validation                  |
   |              | JSON    |          |                             |
   +==============+=========+==========+=============================+
   | bytes        | n/a     | string   | tool available              |
   +--------------+---------+----------+-----------------------------+
   | text         | string  | string   | unnecessary                 |
   +--------------+---------+----------+-----------------------------+
   | tdate        | n/a     | string   | date-time per Section 7.3.1 |
   |              |         |          | of [JSON-SCHEMA]            |
   +--------------+---------+----------+-----------------------------+
   | integer      | n/a     | number   | integer                     |
   +--------------+---------+----------+-----------------------------+
   | eb64legacy   | n/a     | string   | tool available              |
   +--------------+---------+----------+-----------------------------+
   | uri          | n/a     | string   | uri per Section 7.3.6 of    |
   |              |         |          | [JSON-SCHEMA]               |
   +--------------+---------+----------+-----------------------------+
   | float32      | float32 | number   | unnecessary                 |
   +--------------+---------+----------+-----------------------------+
        

Table 5: CDDL Prelude Mapping in JSON

Appendix B. The IODEF Data Model (JSON Schema)

This section provides a JSON schema [JSON-SCHEMA] that defines the IODEF data model defined in this document. Note that this section is informative.
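
The JSON Schema `pattern` keyword is not implicitly anchored, and the PortlistType, TimeZonetype and IDtype patterns in this appendix carry no `^...$` anchors (lang anchors only its empty-string alternative), so a validator using the schema as written accepts any string that merely contains a match. The following Python sketch is an added example, not part of RFC 8727: it emulates `pattern` with `re.search`, compares it with a whole-string match, and adds port-range limits as receiver policy; all sample values are constructed.

```python
import re

# Patterns copied from the "definitions" of the Appendix B schema
# (JSON string escapes already decoded).
SCHEMA_PATTERNS = {
    "PortlistType": r"[0-9]+(\-[0-9]+)?(,[0-9]+(\-[0-9]+)?)*",
    "TimeZonetype": r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]",
    "IDtype": r"[a-zA-Z_][a-zA-Z0-9_.-]*",
    "lang": r"^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*",
}


def schema_accepts(type_name, value):
    """What a JSON Schema validator does: match anywhere in the string."""
    return re.search(SCHEMA_PATTERNS[type_name], value) is not None


def strict_accepts(type_name, value):
    """Receiver-side check: the whole string must match the pattern."""
    return re.fullmatch(SCHEMA_PATTERNS[type_name], value) is not None


def parse_portlist(value):
    """Parse a PortlistType string into (low, high) pairs.

    The 65535 ceiling and the low <= high rule are receiver policy added in
    this example; the schema pattern cannot express them.
    """
    if not strict_accepts("PortlistType", value):
        raise ValueError("not a port list: %r" % value)
    ranges = []
    for item in value.split(","):
        low, _, high = item.partition("-")
        low, high = int(low), int(high or low)
        if low > high or high > 65535:
            raise ValueError("port range out of bounds: %r" % item)
        ranges.append((low, high))
    return ranges


# Constructed sample values: one well-formed and one malformed per type.
SAMPLES = [
    ("PortlistType", "22,80-443", "80; not a port list"),
    ("TimeZonetype", "+09:00", "Zulu time, maybe"),
    ("IDtype", "observable-01", "1 bad id"),
    ("lang", "en-US", "!!en!!"),
]


def audit(samples=SAMPLES):
    """Return (type, value, schema_result, strict_result) for each sample."""
    rows = []
    for type_name, good, bad in samples:
        for value in (good, bad):
            rows.append((type_name, value,
                         schema_accepts(type_name, value),
                         strict_accepts(type_name, value)))
    return rows


if __name__ == "__main__":
    for row in audit():
        print("%-13s %-22r schema=%-5s strict=%s" % row)
```

Every malformed sample passes the unanchored check and fails the whole-string check, which is the behaviour to expect from any receiver that relies on the informative schema alone.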

   { "$schema": "https://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing", "contact-source-site",
          "contact-target-site", "contact-sender", "investigate",
          "block-host", "block-network", "block-port",
          "rate-limit-host", "rate-limit-network",
          "rate-limit-port", "redirect-traffic", "honeypot",
          "upgrade-software", "rebuild-asset", "harden-asset",
          "remediate-other", "status-triage", "status-new-info",
          "watch-and-report", "training", "defined-coa", "other",
          "ext-value"]},
       "duration":{"enum":["second", "minute", "hour", "day",
         "month", "quarter", "year", "ext-value"]},
       "SpecID":{
         "enum":["urn:ietf:params:xml:ns:mile:mmdef:1.2",
          "private"]},
       "lang": {
         "type":"string", "pattern":
           "^$|[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"},
       "purpose": {"enum": ["traceback", "mitigation",
         "reporting", "watch", "other", "ext-value"]},
       "restriction":{"enum": ["public", "partner",
         "need-to-know", "private", "default", "white", "green",
         "amber", "red", "ext-value"]},
       "status": {"enum": ["new", "in-progress", "forwarded",
         "resolved", "future", "ext-value"]},
       "DATETIME": {"type": "string", "format": "date-time"},
       "BYTE": {"type": "string"},
       "PortlistType": {
         "type": "string", "pattern":
           "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"},
       "TimeZonetype": {
         "type":"string", "pattern":
           "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"},
       "URLtype": {
         "type": "string",
         "pattern":
           "^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?"},
       "IDtype": {"type": "string", "pattern":
         "[a-zA-Z_][a-zA-Z0-9_.-]*"},
       "IDREFType": {"$ref": "#/definitions/IDtype"},
       "MLStringType": {
         "oneOf": [{"type": "string"},
                   {"type": "object",
                     "properties": {
                       "value": {"type": "string"},
                       "lang": {"$ref": "#/definitions/lang"},
                       "translation-id": {"type": "string"}},
                      "required": ["value"],
                      "additionalProperties":false}]},
       "PositiveFloatType": {"type": "number", "minimum": 0},
       "PAddressType": {"$ref": "#/definitions/MLStringType"},
       "ExtensionType": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "name": {"type": "string"},
           "dtype":{"enum":["boolean", "byte", "bytes",
             "character", "json", "date-time", "ntpstamp",
             "integer", "portlist", "real", "string", "file",
             "path", "frame", "packet", "ipv4-packet",
             "ipv6-packet", "url", "csv", "winreg",
             "xml", "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"},
           "meaning": {"type": "string"},
           "formatid": {"type": "string"},
           "restriction": {
             "$ref": "#/definitions/restriction", "default":
               "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value", "dtype"],
         "additionalProperties":false},
       "ExtensionTypeList": {
         "type": "array",
         "items": {"$ref": "#/definitions/ExtensionType"},
         "minItems": 1},
       "SoftwareType": {
         "type": "object",
         "properties": {
           "SoftwareReference":{
             "$ref":"#/definitions/SoftwareReference"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1 }},
         "required": [],
         "additionalProperties": false},
       "SoftwareReference": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "spec-name": {"enum": ["custom", "cpe", "swid",
             "ext-value"]},
           "ext-spec-name": {"type": "string"},
           "dtype": {"enum": ["bytes", "integer", "real", "string",
             "xml", "ext-value"], "default": "string"},
           "ext-dtype": {"type": "string"}},
         "required": ["spec-name"],
         "additionalProperties": false},
       "STRUCTUREDINFO": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
              "type": "array",
              "items": {"$ref":"#/definitions/BYTE"},
              "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1
           },
           "Platform": {
             "type": "array",
             "items": {"$ref": "#/definitions/Platform"},
             "minItems": 1
           },
           "Scoring": {
             "type": "array",
             "items": {"$ref": "#/definitions/Scoring"},
             "minItems": 1}},
         "allOf": [
            {"required": ["SpecID"]},
            {"anyOf": [
              {"oneOf": [
                {"required":["Reference"]},
                {"required":["RawData"]}]},
              { "not" : {"required":["Reference", "RawData"]}}]}],
         "additionalProperties": false},
       "Platform": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
              "type": "array",
              "items": {"$ref":"#/definitions/BYTE"},
              "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Scoring": {
         "type": "object",
         "properties": {
           "SpecID": {"$ref":"#/definitions/SpecID"},
           "ext-SpecID": {"type": "string"},
           "ContentID": {"type": "string"},
           "RawData": {
              "type": "array",
              "items": {"$ref":"#/definitions/BYTE"},
              "minItems": 1
           },
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1}},
         "required": ["SpecID"],
         "additionalProperties": false},
       "Incident": {
         "title": "Incident",
         "description": "JSON schema for Incident class",
         "type": "object",
         "properties": {
           "purpose": {"$ref": "#/definitions/purpose"},
           "ext-purpose": {"type": "string"},
           "status": {"$ref": "#/definitions/status"},
           "ext-status": {"type": "string"},
           "lang": {"$ref": "#/definitions/lang"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "AlternativeID": {
             "$ref":"#/definitions/AlternativeID"},
           "RelatedActivity": {
             "type": "array",
             "items": {"$ref": "#/definitions/RelatedActivity"},
             "minItems": 1},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "GenerationTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {
             "type": "array",
             "items": {"$ref": "#/definitions/Assessment"},
             "minItems": 1},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "Indicator": {
             "type": "array",
             "items": {"$ref": "#/definitions/Indicator"},
             "minItems": 1},
           "History": {"$ref": "#/definitions/History"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["IncidentID", "GenerationTime", "Contact",
           "purpose"],
         "additionalProperties": false},
       "IncidentID": {
         "title": "IncidentID",
         "description": "JSON schema for IncidentID class",
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "instance": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["id", "name"],
         "additionalProperties": false},
       "AlternativeID": {
         "title": "AlternativeID",
         "description": "JSON schema for AlternativeID class",
         "type": "object",
         "properties": {
           "IncidentID": {
             "type": "array",
             "items":{"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"}},
         "required": ["IncidentID"],
         "additionalProperties": false},
       "RelatedActivity": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "IncidentID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IncidentID"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "ThreatActor": {
             "type": "array",
             "items": {"$ref": "#/definitions/ThreatActor"},
             "minItems": 1},
           "Campaign": {
             "type": "array",
             "items": {"$ref": "#/definitions/Campaign"},
             "minItems": 1},
           "IndicatorID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IndicatorID"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Description": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {
             "$ref": "#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "ThreatActor": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "ThreatActorID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "URL": {
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "additionalProperties": false},
       "Campaign": {
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "CampaignID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "URL": {
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}}},
       "Contact": {
         "type": "object",
         "properties": {
           "role": {
             "enum":["creator", "reporter", "admin", "tech",
                     "provider", "user", "billing", "legal",
                     "irt", "abuse", "cc", "cc-irt", "leo",
                     "vendor", "vendor-support", "victim",
                     "victim-notified", "ext-value"]},
           "ext-role": {"type": "string"},
           "type": {
             "enum": ["person", "organization", "ext-value"]},
           "ext-type": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "ContactName": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "ContactTitle": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "RegistryHandle": {
             "type":"array",
             "items":{"$ref":"#/definitions/RegistryHandle"},
             "minItems": 1},
           "PostalAddress": {
             "type":"array",
             "items":{"$ref":"#/definitions/PostalAddress"},
             "minItems": 1},
           "Email": {
             "type": "array",
             "items": {"$ref": "#/definitions/Email"},
             "minItems": 1},
           "Telephone": {
             "type": "array",
             "items": {"$ref": "#/definitions/Telephone"},
             "minItems": 1},
           "Timezone": {"$ref": "#/definitions/TimeZonetype"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["role", "type"],
         "additionalProperties": false},
       "RegistryHandle": {
         "type": "object",
         "properties": {
           "handle": {"type": "string"},
           "registry": {
             "enum": ["internic", "apnic", "arin", "lacnic",
               "ripe", "afrinic", "local", "ext-value"]},
           "ext-registry": {"type": "string"}},
         "required": ["handle", "registry"],
         "additionalProperties": false},
       "PostalAddress": {
         "type": "object",
         "properties": {
           "type": {
             "enum": ["street", "mailing", "ext-value"]},
           "ext-type": {"type": "string"},
           "PAddress": {"$ref": "#/definitions/PAddressType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["PAddress"],
         "additionalProperties": false},
       "Email": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["direct", "hotline", "ext-value"]},
           "ext-type": {"type": "string"},
           "EmailTo": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["EmailTo"],
         "additionalProperties": false},
       "Telephone": {
         "type": "object",
         "properties": {
           "type": {
             "enum":["wired", "mobile", "fax", "hotline",
               "ext-value"]},
           "ext-type": {"type": "string"},
           "TelephoneNumber": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["TelephoneNumber"],
         "additionalProperties": false},
       "Discovery": {
         "type": "object",
         "properties": {
           "source": {
             "enum":["nidps", "hips", "siem", "av",
               "third-party-monitoring", "incident", "os-log",
               "application-log", "device-log", "network-flow",
               "passive-dns", "investigation", "audit",
               "internal-notification", "external-notification",
               "leo", "partner", "actor", "unknown", "ext-value"]},
           "ext-source": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "DetectionPattern": {
             "type":"array",
             "items":{"$ref":"#/definitions/DetectionPattern"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "DetectionPattern": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DetectionConfiguration": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1}},
         "allOf": [
           {"required": ["Application"]},
           {"oneOf": [
             {"required":["Description"]},
             {"required":["DetectionConfiguration"]}]}],
         "additionalProperties": false},
       "Method": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AttackPattern": {
             "type":"array",
             "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
             "minItems": 1},
           "Vulnerability": {
             "type":"array",
             "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
             "minItems": 1},
           "Weakness": {
             "type":"array",
             "items":{"$ref":"#/definitions/STRUCTUREDINFO"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Reference": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ReferenceName": {
             "$ref":"#/definitions/ReferenceName"},
           "URL":{
             "type":"array",
             "items":{"$ref":"#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "ReferenceName" : {
         "type": "object",
         "properties": {
           "specIndex": {"type": "number"},
           "ID": {"$ref":"#/definitions/IDtype"}},
         "required": ["specIndex", "ID"],
         "additionalProperties": false},
       "Assessment": {
         "type": "object",
         "properties": {
           "occurrence": {"enum":["actual", "potential"]},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "IncidentCategory": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Impact": {
            "type": "array",
            "items": {
              "properties": {
                "SystemImpact":{
                  "$ref":"#/definitions/SystemImpact"},
                "BusinessImpact":{
                  "$ref":"#/definitions/BusinessImpact"},
                "TimeImpact":{"$ref":"#/definitions/TimeImpact"},
                "MonetaryImpact":{
                  "$ref":"#/definitions/MonetaryImpact"},
                "IntendedImpact":{
                  "$ref":"#/definitions/BusinessImpact"}},
              "additionalProperties":false},
            "minItems" : 1
           },
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "MitigatingFactor": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Cause": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["Impact"],
         "additionalProperties": false},
       "SystemImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum":["low", "medium", "high"]},
           "completion": {"enum":["failed", "succeeded"]},
           "type": {
             "enum":["takeover-account", "takeover-service",
               "takeover-system", "cps-manipulation", "cps-damage",
               "availability-data", "availability-account",
               "availability-service", "availability-system",
               "damaged-system", "damaged-data",
               "breach-proprietary", "breach-privacy",
               "breach-credential", "breach-configuration",
               "integrity-data", "integrity-configuration",
               "integrity-hardware", "traffic-redirection",
               "monitoring-traffic", "monitoring-host",
               "policy", "unknown", "ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "BusinessImpact": {
         "type": "object",
         "properties": {
           "severity": {"enum":["none", "low", "medium", "high",
             "unknown", "ext-value"], "default": "unknown"},
           "ext-severity": {"type":"string"},
           "type": {"enum":["breach-proprietary",
             "breach-privacy", "breach-credential",
             "loss-of-integrity", "loss-of-service",
             "theft-financial", "theft-service",
             "degraded-reputation", "asset-damage",
             "asset-manipulation", "legal", "extortion",
             "unknown", "ext-value"]},
           "ext-type": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["type"],
         "additionalProperties": false},
       "TimeImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum": ["low", "medium", "high"]},
           "metric": {"enum": ["labor", "elapsed", "downtime",
             "ext-value"]},
           "ext-metric": {"type": "string"},
           "duration": {
             "$ref":"#/definitions/duration", "default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value", "metric"],
         "additionalProperties": false},
       "MonetaryImpact": {
         "type": "object",
         "properties": {
           "value": {"$ref": "#/definitions/PositiveFloatType"},
           "severity": {"enum":["low", "medium", "high"]},
           "currency": {"type": "string"}},
         "required": ["value"],
         "additionalProperties": false},
       "Confidence": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "rating": {"enum": ["low", "medium", "high", "numeric",
                      "unknown", "ext-value"]},
           "ext-rating": {"type":"string"}},
         "required": ["value", "rating"],
         "additionalProperties": false},
       "History": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "HistoryItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/HistoryItem"},
             "minItems": 1}},
         "required": ["HistoryItem"],
         "additionalProperties": false},
       "HistoryItem": {
         "type": "object",
         "properties": {
           "action": {
             "$ref": "#/definitions/action", "default": "other"},
           "ext-action": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "IncidentID": {"$ref": "#/definitions/IncidentID"},
           "Contact": {"$ref": "#/definitions/Contact"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["DateTime", "action"],
         "additionalProperties": false},
       "EventData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {"type": "array",
             "items": { "$ref":"#/definitions/MLStringType"}},
           "DetectTime": {"$ref": "#/definitions/DATETIME"},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "RecoveryTime": {"$ref": "#/definitions/DATETIME"},
           "ReportTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "Discovery": {
             "type": "array",
             "items": {"$ref": "#/definitions/Discovery"},
             "minItems": 1},
           "Assessment": {"$ref": "#/definitions/Assessment"},
           "Method": {
             "type": "array",
             "items": {"$ref": "#/definitions/Method"},
             "minItems": 1},
           "System": {
             "type": "array",
             "items": {"$ref": "#/definitions/System"},
             "minItems": 1},
           "Expectation": {
             "type": "array",
             "items": {"$ref": "#/definitions/Expectation"},
             "minItems": 1},
           "RecordData": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordData"},
             "minItems": 1},
           "EventData": {
             "type": "array",
             "items": {"$ref": "#/definitions/EventData"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "Expectation": {
         "type": "object",
         "properties": {
           "action": {
             "$ref":"#/definitions/action", "default": "other"},
           "ext-action": {"type": "string"},
           "severity": {"enum": ["low", "medium", "high"]},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "default"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "DefinedCOA": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "Contact": {"$ref": "#/definitions/Contact"}},
         "required": [],
         "additionalProperties": false},
       "System": {
         "type": "object",
         "properties": {
           "category": {
             "enum": ["source", "target", "intermediate", "sensor",
                      "infrastructure", "ext-value"]},
           "ext-category": {"type": "string"},
           "interface": {"type": "string"},
           "spoofed": {
             "enum": ["unknown", "yes", "no"], "default":"unknown"},
           "virtual": {
             "enum": ["yes", "no", "unknown"], "default":"unknown"},
           "ownership": {
             "enum":["organization", "personal", "partner",
                     "customer", "no-relationship", "unknown",
                     "ext-value"]},
           "ext-ownership": {"type": "string"},
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Node": {"$ref": "#/definitions/Node"},
           "NodeRole": {
             "type": "array",
             "items": {"$ref": "#/definitions/NodeRole"},
             "minItems": 1},
           "Service": {
             "type": "array",
             "items": {"$ref": "#/definitions/Service"},
             "minItems": 1},
           "OperatingSystem": {
             "type": "array",
             "items": {"$ref": "#/definitions/SoftwareType"},
             "minItems": 1},
           "Counter": {
             "type": "array",
             "items": {"$ref": "#/definitions/Counter"},
             "minItems": 1},
           "AssetID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["Node"],
         "additionalProperties": false},
       "Node": {
         "type": "object",
         "properties": {
           "DomainData": {
             "type": "array",
             "items": {"$ref": "#/definitions/DomainData"},
             "minItems": 1},
           "Address": {
             "type": "array",
             "items": {"$ref": "#/definitions/Address"},
             "minItems": 1},
           "PostalAddress": {
             "$ref": "#/definitions/PostalAddress"},
           "Location": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Counter": {
             "type":"array",
             "items":{"$ref":"#/definitions/Counter"},
             "minItems": 1}},
         "anyOf": [
            {"required": ["DomainData"]},
            {"required": ["Address"]}
         ],
         "additionalProperties": false},
       "Address": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "category": {
             "enum":["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
               "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
               "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
               "ext-value"], "default": "ipv6-addr"},
           "ext-category": {"type": "string"},
           "vlan-name": {"type": "string"},
           "vlan-num": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"}},
         "required": ["value", "category"],
         "additionalProperties": false},
       "NodeRole": {
         "type": "object",
         "properties": {
           "category": {
             "enum":["client", "client-enterprise",
               "client-partner", "client-remote", "client-kiosk",
               "client-mobile", "server-internal", "server-public",
               "www", "mail", "webmail", "messaging", "streaming",
               "voice", "file", "ftp", "p2p", "name", "directory",
               "credential", "print", "application", "database",
               "backup", "dhcp", "assessment", "source-control",
               "config-management", "monitoring", "infra",
               "infra-firewall", "infra-router", "infra-switch",
               "camera", "proxy", "remote-access", "log",
               "virtualization", "pos", "scada",
               "scada-supervisory", "sinkhole", "honeypot",
               "anomyzation", "c2-server", "malware-distribution",
               "drop-server", "hop-point", "reflector",
               "phishing-site", "spear-phishing-site",
               "recruiting-site", "fraudulent-site",
               "ext-value"]},
           "ext-category": {"type": "string"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["category"],
         "additionalProperties": false},
       "Counter": {
         "type": "object",
         "properties": {
           "value": {"type": "number"},
           "type": {
             "enum": ["count", "peak", "average", "ext-value"]},
           "ext-type": {"type": "string"},
           "unit":{"enum":["byte", "mbit", "packet", "flow",
             "session", "alert", "message", "event", "host",
             "site", "organization", "ext-value"]},
           "ext-unit": {"type": "string"},
           "meaning": {"type": "string"},
           "duration": {
             "$ref":"#/definitions/duration", "default": "hour"},
           "ext-duration": {"type": "string"}},
         "required": ["value", "type", "unit"],
         "additionalProperties": false},
       "DomainData": {
         "type": "object",
         "properties": {
           "system-status": {
             "enum": ["spoofed", "fraudulent", "innocent-hacked",
               "innocent-hijacked", "unknown", "ext-value"]},
           "ext-system-status": {"type": "string"},
           "domain-status": {
             "enum": [ "reservedDelegation", "assignedAndActive",
                       "assignedAndInactive", "assignedAndOnHold",
                       "revoked", "transferPending",
                       "registryLock", "registrarLock",
                       "other", "unknown", "ext-value"]},
           "ext-domain-status": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Name": {"type": "string"},
           "DateDomainWasChecked": {
             "$ref": "#/definitions/DATETIME"},
           "RegistrationDate": {
             "$ref": "#/definitions/DATETIME"},
           "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
           "RelatedDNS": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "NameServers": {
             "type": "array",
             "items": {"$ref": "#/definitions/NameServers"},
             "minItems": 1},
           "DomainContacts": {
             "$ref": "#/definitions/DomainContacts"}},
         "required": ["Name", "system-status", "domain-status"],
         "additionalProperties": false},
       "NameServers": {
         "type": "object",
         "properties": {
           "Server": {"type": "string"},
           "Address": {
             "type":"array",
             "items":{"$ref":"#/definitions/Address"},
             "minItems": 1}},
         "required": ["Server", "Address"],
         "additionalProperties": false},
       "DomainContacts": {
         "type": "object",
         "properties": {
           "SameDomainContact": {"type": "string"},
           "Contact": {
             "type":"array",
             "items":{"$ref":"#/definitions/Contact"},
             "minItems": 1}},
         "oneOf": [
            {"required": ["SameDomainContact"]},
            {"required": ["Contact"]}],
         "additionalProperties": false},
       "Service": {
         "type": "object",
         "properties": {
           "ip-protocol": {"type": "number"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "ServiceName": {"$ref": "#/definitions/ServiceName"},
           "Port": {"type": "number"},
           "Portlist": {"$ref": "#/definitions/PortlistType"},
           "ProtoCode": {"type": "number"},
           "ProtoType": {"type": "number"},
           "ProtoField": {"type": "number"},
           "ApplicationHeaderField":{
             "$ref":"#/definitions/ExtensionTypeList"},
           "EmailData": {"$ref": "#/definitions/EmailData"},
           "Application": {
             "$ref": "#/definitions/SoftwareType"}},
         "required": [],
         "additionalProperties": false},
       "ServiceName": {
         "type": "object",
         "properties": {
           "IANAService": {"type": "string"},
           "URL": {
             "type": "array", "items": {
               "$ref": "#/definitions/URLtype"}},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "EmailData": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "EmailTo": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "EmailFrom": {"type": "string"},
           "EmailSubject": {"type": "string"},
           "EmailX-Mailer": {"type": "string"},
           "EmailHeaderField": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "EmailHeaders": {"type": "string"},
           "EmailBody": {"type": "string"},
           "EmailMessage": {"type": "string"},
           "HashData": {
             "type": "array",
             "items": {"$ref": "#/definitions/HashData"},
             "minItems": 1},
           "Signature": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "RecordData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "DateTime": {"$ref": "#/definitions/DATETIME"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "RecordPattern": {
             "type": "array",
             "items": {"$ref": "#/definitions/RecordPattern"},
             "minItems": 1},
           "RecordItem": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "FileData": {
             "type": "array",
             "items": {"$ref": "#/definitions/FileData"},
             "minItems": 1},
           "WindowsRegistryKeysModified": {
             "type": "array",
             "items": {
               "$ref":"#/definitions/WindowsRegistryKeysModified"},
             "minItems": 1},
           "CertificateData": {
             "type":"array",
             "items":{"$ref":"#/definitions/CertificateData"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "RecordPattern": {
         "type": "object",
         "properties": {
           "value": {"type": "string"},
           "type": {
             "enum": ["regex", "binary", "xpath", "ext-value"],
             "default": "regex"},
           "ext-type": {"type": "string"},
           "offset": {"type": "number"},
           "offsetunit": {"enum":["line", "byte", "ext-value"] ,
                          "default": "line"},
           "ext-offsetunit": {"type": "string"},
           "instance": {"type": "number"}},
         "required": ["value", "type"],
         "additionalProperties": false},
       "WindowsRegistryKeysModified": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Key": {
             "type": "array",
             "items": {"$ref": "#/definitions/Key"},
             "minItems": 1}},
         "required": ["Key"],
         "additionalProperties": false},
       "Key": {
         "type": "object",
         "properties": {
           "registryaction": {"enum": ["add-key", "add-value",
                             "delete-key", "delete-value",
                             "modify-key", "modify-value",
                             "ext-value"]},
           "ext-registryaction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "KeyName": {"type":"string"},
           "KeyValue": {"type": "string"}},
         "required": ["KeyName"],
         "additionalProperties": false},
       "CertificateData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "Certificate": {
             "type": "array",
             "items": {"$ref": "#/definitions/Certificate"},
             "minItems": 1}},
         "required": ["Certificate"],
         "additionalProperties": false},
       "Certificate": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "X509Data": {"$ref": "#/definitions/BYTE"},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1}},
         "required": ["X509Data"],
         "additionalProperties": false},
       "FileData": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction"},
           "ext-restriction": {"type": "string"},
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "File": {
             "type": "array",
             "items": {"$ref": "#/definitions/File"},
             "minItems": 1}},
         "required": ["File"],
         "additionalProperties": false},
       "File": {
         "type": "object",
         "properties": {
           "observable-id": {"$ref": "#/definitions/IDtype"},
           "FileName": {"type": "string"},
           "FileSize": {"type": "number"},
           "FileType": {"type": "string"},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "HashData": {"$ref": "#/definitions/HashData"},
           "Signature": {
             "type": "array",
             "items": {"$ref": "#/definitions/BYTE"},
             "minItems": 1},
           "AssociatedSoftware": {
             "$ref": "#/definitions/SoftwareType"},
           "FileProperties": {
             "type":"array",
             "items":{"$ref":"#/definitions/ExtensionType"},
             "minItems": 1}},
         "required": [],
         "additionalProperties": false},
       "HashData": {
         "type": "object",
         "properties": {
           "scope": {"enum": ["file-contents", "file-pe-section",
             "file-pe-iat", "file-pe-resource", "file-pdf-object",
             "email-hash", "email-headers-hash", "email-body-hash",
             "ext-value"]},
           "HashTargetID": {"type": "string"},
           "Hash": {
             "type": "array",
             "items": {"$ref": "#/definitions/Hash"},
             "minItems": 1},
           "FuzzyHash": {
             "type": "array",
             "items": {"$ref": "#/definitions/FuzzyHash"},
             "minItems": 1}},
         "required": ["scope"],
         "additionalProperties": false},
       "Hash": {
         "type": "object",
         "properties": {
           "DigestMethod": {"$ref": "#/definitions/BYTE"},
           "DigestValue": {"$ref": "#/definitions/BYTE"},
           "CanonicalizationMethod": {
             "$ref": "#/definitions/BYTE"},
           "Application": {
             "$ref": "#/definitions/SoftwareType"}},
         "required": ["DigestMethod", "DigestValue"],
         "additionalProperties": false},
       "FuzzyHash": {
         "type": "object",
         "properties": {
           "FuzzyHashValue": {
             "type": "array",
             "items": {"$ref": "#/definitions/ExtensionType"},
             "minItems": 1},
           "Application": {"$ref": "#/definitions/SoftwareType"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["FuzzyHashValue"],
         "additionalProperties": false},
       "Indicator": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
           "AlternativeIndicatorID": {
             "type": "array",
             "items": {
               "$ref": "#/definitions/AlternativeIndicatorID"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "StartTime": {"$ref": "#/definitions/DATETIME"},
           "EndTime": {"$ref": "#/definitions/DATETIME"},
           "Confidence": {"$ref": "#/definitions/Confidence"},
           "Contact": {
             "type": "array",
             "items": {"$ref": "#/definitions/Contact"},
             "minItems": 1},
           "Observable": {"$ref": "#/definitions/Observable"},
           "uid-ref": {"$ref": "#/definitions/IDREFType"},
           "IndicatorExpression":{
            "$ref":"#/definitions/IndicatorExpression"},
           "IndicatorReference":{
            "$ref": "#/definitions/IndicatorReference"},
           "NodeRole": {
             "type": "array",
             "items": {"$ref": "#/definitions/NodeRole"},
             "minItems": 1},
           "AttackPhase": {
             "type": "array",
             "items": {"$ref": "#/definitions/AttackPhase"},
             "minItems": 1},
           "Reference": {
             "type": "array",
             "items": {"$ref": "#/definitions/Reference"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "allOf": [
           {"required": ["IndicatorID"]},
           {"oneOf": [
             {"required":["Observable"]},
             {"required":["uid-ref"]},
             {"required":["IndicatorExpression"]},
             {"required":["IndicatorReference"]}]}],
         "additionalProperties": false},
       "IndicatorID": {
         "type": "object",
         "properties": {
           "id": {"type": "string"},
           "name": {"type": "string"},
           "version": {"type": "string"}},
         "required": ["id", "name", "version"],
         "additionalProperties": false},
       "AlternativeIndicatorID": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
             "default": "private"},
           "ext-restriction": {"type": "string"},
           "IndicatorID": {
             "type": "array",
             "items": {"$ref": "#/definitions/IndicatorID"},
             "minItems": 1}},
         "required": ["IndicatorID"],
         "additionalProperties": false},
       "Observable": {
         "type": "object",
         "properties": {
           "restriction": {"$ref": "#/definitions/restriction",
                           "default": "private"},
           "ext-restriction": {"type": "string"},
           "System": {"$ref": "#/definitions/System"},
           "Address": {"$ref": "#/definitions/Address"},
           "DomainData": {"$ref": "#/definitions/DomainData"},
           "EmailData": {"$ref": "#/definitions/EmailData"},
           "Service": {"$ref": "#/definitions/Service"},
           "WindowsRegistryKeysModified": {
             "$ref": "#/definitions/WindowsRegistryKeysModified"},
           "FileData": {"$ref": "#/definitions/FileData"},
           "CertificateData": {
             "$ref": "#/definitions/CertificateData"},
           "RegistryHandle": {
             "$ref": "#/definitions/RegistryHandle"},
           "RecordData":  {"$ref": "#/definitions/RecordData"},
           "EventData": {"$ref": "#/definitions/EventData"},
           "Incident": {"$ref": "#/definitions/Incident"},
           "Expectation": {"$ref": "#/definitions/Expectation"},
           "Reference": {"$ref": "#/definitions/Reference"},
           "Assessment": {"$ref": "#/definitions/Assessment"},
           "DetectionPattern": {
             "$ref": "#/definitions/DetectionPattern"},
           "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
           "BulkObservable": {
             "$ref": "#/definitions/BulkObservable"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
           "oneOf": [
             {"required":["System"]},
             {"required":["Address"]},
             {"required":["DomainData"]},
             {"required":["EmailData"]},
             {"required":["Service"]},
             {"required":["WindowsRegistryKeysModified"]},
             {"required":["FileData"]},
             {"required":["CertificateData"]},
             {"required":["RegistryHandle"]},
             {"required":["RecordData"]},
             {"required":["EventData"]},
             {"required":["Incident"]},
             {"required":["Expectation"]},
             {"required":["Reference"]},
             {"required":["Assessment"]},
             {"required":["DetectionPattern"]},
             {"required":["HistoryItem"]},
             {"required":["BulkObservable"]},
             {"required":["AdditionalData"]}],
         "additionalProperties": false},
       "BulkObservable": {
         "type": "object",
         "properties": {
           "type": {"enum": ["asn", "atm", "e-mail", "ipv4-addr",
             "ipv4-net", "ipv4-net-mask", "ipv6-addr", "ipv6-net",
             "ipv6-net-mask", "mac", "site-uri", "domain-name",
             "domain-to-ipv4", "domain-to-ipv6",
             "domain-to-ipv4-timestamp",
             "domain-to-ipv6-timestamp", "ipv4-port", "ipv6-port",
             "windows-reg-key", "file-hash", "email-x-mailer",
             "email-subject", "http-user-agent",
             "http-request-url", "mutex", "file-path", "user-name",
             "ext-value"]},
           "ext-type": {"type": "string"},
           "BulkObservableFormat":{
             "$ref": "#/definitions/BulkObservableFormat"},
           "BulkObservableList": {"type": "string"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": ["BulkObservableList"],
         "additionalProperties": false},
       "BulkObservableFormat": {
         "type": "object",
         "properties": {
           "Hash": {"$ref": "#/definitions/Hash"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "oneOf": [
            {"required": ["Hash"]},
            {"required": ["AdditionalData"]}
         ],
         "additionalProperties": false},
       "IndicatorExpression": {
         "type": "object",
         "properties": {
           "operator": {
             "enum": ["not", "and", "or", "xor"], "default": "and"},
           "ext-operator": {"type": "string"},
           "IndicatorExpression": {
             "type": "array",
             "items": {
               "$ref": "#/definitions/IndicatorExpression"},
             "minItems": 1},
           "Observable": {
             "type": "array",
             "items": {"$ref": "#/definitions/Observable"},
             "minItems": 1},
           "uid-ref": {
             "type": "array",
             "items": {"$ref": "#/definitions/IDREFType"},
             "minItems": 1},
           "IndicatorReference": {
             "type": "array",
             "items": {
               "$ref": "#/definitions/IndicatorReference"},
             "minItems": 1},
           "Confidence": {"$ref":"#/definitions/Confidence"},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false},
       "IndicatorReference": {
         "type": "object",
         "properties": {
           "uid-ref": {"$ref":"#/definitions/IDREFType"},
           "euid-ref": {"type": "string"},
           "version": {"type": "string"}},
         "oneOf": [
            {"required": ["uid-ref"]},
            {"required": ["euid-ref"]}
         ],
         "additionalProperties": false},
       "AttackPhase": {
         "type": "object",
         "properties": {
           "AttackPhaseID": {
             "type": "array",
             "items": {"type": "string"},
             "minItems": 1},
           "URL": {
             "type": "array",
             "items": {"$ref": "#/definitions/URLtype"},
             "minItems": 1},
           "Description": {
             "type": "array",
             "items": {"$ref": "#/definitions/MLStringType"},
             "minItems": 1},
           "AdditionalData": {
             "$ref":"#/definitions/ExtensionTypeList"}},
         "required": [],
         "additionalProperties": false}},
     "title": "IODEF-Document",
     "description": "JSON schema for IODEF-Document class",
     "type": "object",
     "properties": {
       "version": {"type": "string"},
       "lang": {"$ref": "#/definitions/lang"},
       "format-id": {"type": "string"},
       "private-enum-name": {"type": "string"},
       "private-enum-id": {"type": "string"},
       "Incident": {
         "type": "array",
         "items": {"$ref": "#/definitions/Incident"},
         "minItems": 1},
       "AdditionalData": {
         "$ref":"#/definitions/ExtensionTypeList"}},
     "required": ["version", "Incident"],
     "additionalProperties": false}
        

Figure 6: JSON Schema
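
An added example, not part of RFC 8727: a small Python checker for the JSON Schema keywords that Figure 6 relies on, run over constructed objects to show how "required", "enum", "minItems", "oneOf" and "additionalProperties": false reject malformed input received from a peer. The Address, NameServers and IndicatorReference definitions are copied from the figure; IDtype and IDREFType are plain-string stand-ins for definitions given elsewhere in the schema, and the function names validate, resolve and check are chosen here.

```python
import json

# Address, NameServers and IndicatorReference are copied from Figure 6.
# IDtype and IDREFType are defined elsewhere in the schema; the plain-string
# versions below are stand-ins (assumption).
SCHEMA = json.loads("""
{"definitions": {
  "IDtype": {"type": "string"},
  "IDREFType": {"type": "string"},
  "Address": {
    "type": "object",
    "properties": {
      "value": {"type": "string"},
      "category": {
        "enum": ["asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
          "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
          "ipv6-net", "ipv6-net-masked", "mac", "site-uri",
          "ext-value"], "default": "ipv6-addr"},
      "ext-category": {"type": "string"},
      "vlan-name": {"type": "string"},
      "vlan-num": {"type": "number"},
      "observable-id": {"$ref": "#/definitions/IDtype"}},
    "required": ["value", "category"],
    "additionalProperties": false},
  "NameServers": {
    "type": "object",
    "properties": {
      "Server": {"type": "string"},
      "Address": {
        "type": "array",
        "items": {"$ref": "#/definitions/Address"},
        "minItems": 1}},
    "required": ["Server", "Address"],
    "additionalProperties": false},
  "IndicatorReference": {
    "type": "object",
    "properties": {
      "uid-ref": {"$ref": "#/definitions/IDREFType"},
      "euid-ref": {"type": "string"},
      "version": {"type": "string"}},
    "oneOf": [
      {"required": ["uid-ref"]},
      {"required": ["euid-ref"]}],
    "additionalProperties": false}}}
""")
TYPES = {"object": dict, "array": list, "string": str, "number": (int, float)}

def resolve(schema, root):
    """Follow local "#/definitions/..." references to the target schema."""
    while "$ref" in schema:
        target = root
        for part in schema["$ref"][2:].split("/"):
            target = target[part]
        schema = target
    return schema

def validate(inst, schema, root=SCHEMA, path="$"):
    """Return a list of violations; an empty list means the value conforms."""
    schema = resolve(schema, root)
    kind = schema.get("type")
    # bool is a subclass of int in Python, so reject it explicitly.
    if kind and (isinstance(inst, bool) or not isinstance(inst, TYPES[kind])):
        return [f"{path}: expected {kind}"]
    errs = []
    if "enum" in schema and inst not in schema["enum"]:
        errs.append(f"{path}: {inst!r} not in enum")
    if isinstance(inst, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in inst:
                errs.append(f"{path}: missing required {key!r}")
        for key, val in inst.items():
            if key in props:
                errs += validate(val, props[key], root, f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errs.append(f"{path}: unexpected member {key!r}")
    if isinstance(inst, list):
        if len(inst) < schema.get("minItems", 0):
            errs.append(f"{path}: fewer than {schema['minItems']} items")
        for i, item in enumerate(inst):
            errs += validate(item, schema.get("items", {}), root, f"{path}[{i}]")
    for sub in schema.get("allOf", []):
        errs += validate(inst, sub, root, path)
    for kw in ("anyOf", "oneOf"):
        if kw in schema:
            # Count the branches that validate without any violation.
            hits = sum(not validate(inst, s, root, path) for s in schema[kw])
            if hits == 0 or (kw == "oneOf" and hits != 1):
                errs.append(f"{path}: {kw} matched {hits} branches")
    return errs

def check(name, inst):
    """Validate a constructed object against one class definition."""
    return validate(inst, {"$ref": f"#/definitions/{name}"})

if __name__ == "__main__":
    # Constructed inputs: one conforming, one violating the oneOf.
    print(check("IndicatorReference", {"uid-ref": "ind-001"}))
    print(check("IndicatorReference", {"uid-ref": "a", "euid-ref": "b"}))
```

Because IndicatorReference uses "oneOf", an object carrying both uid-ref and euid-ref is rejected, whereas the "anyOf" on Node accepts DomainData and Address together.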

Acknowledgments

We would like to thank Henk Birkholz, Carsten Bormann, Benjamin Kaduk, Alexey Melnikov, Yasuaki Morita, and Takahiko Nagata for their insightful comments on this document and CDDL.

Authors' Addresses

Takeshi Takahashi
National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795
Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp
        

Roman Danyliw
CERT, Software Engineering Institute, Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA
United States of America

   Email: rdd@cert.org
        

Mio Suzuki
National Institute of Information and Communications Technology
4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795
Japan

   Email: mio@nict.go.jp