[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-takahashi-mile-jsoniodef) 00 01 02 03

MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: September 19, 2018                                         CERT
                                                               M. Suzuki
                                                                    NICT
                                                          March 18, 2018


                         JSON binding of IODEF
                      draft-ietf-mile-jsoniodef-03

Abstract

   RFC7970 specified an information model and a corresponding XML data
   model for exchanging incident and indicator information.  This draft
   provides an alternative data model implementation in JSON.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 19, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of




Takahashi, et al.      Expires September 19, 2018               [Page 1]


Internet-Draft                 JSON-IODEF                     March 2018


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  IODEF Data Types  . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Abstract Data Type to JSON Data Type Mapping  . . . . . .   3
     2.2.  Complex JSON Types  . . . . . . . . . . . . . . . . . . .   4
       2.2.1.  Multilingual Strings  . . . . . . . . . . . . . . . .   4
       2.2.2.  Software  . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.3.  StructuredInfo  . . . . . . . . . . . . . . . . . . .   5
   3.  IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Classes and Elements  . . . . . . . . . . . . . . . . . .   5
     3.2.  Mapping between JSON and XML IODEF  . . . . . . . . . . .  16
   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  16
     4.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . .  17
     4.2.  Indicators from a Campaign  . . . . . . . . . . . . . . .  17
   5.  The IODEF Data Model (JSON Schema)  . . . . . . . . . . . . .  19
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  38
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  38
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  38
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .  38
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  38

1.  Introduction

   [RFC7970] defines a data representation for security incident reports
   and indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
   Section 8.  This UML-based information model and XML-based data model
   are referred to as IODEF UML and IODEF XML, respectively in this
   document.

   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using JSON Schema [jsonschema].  This JSON data model is
   referred to as IODEF JSON in this document.

   IODEF JSON provides all of the expressivity of IODEF XML.  It gives
   implementers and operators an alternative format to exchange the same
   information.





Takahashi, et al.      Expires September 19, 2018               [Page 2]


Internet-Draft                 JSON-IODEF                     March 2018


   The normative IODEF JSON data model is found in Section 5.  Section 2
   and Section 3 describe the data types and elements of this data
   model.  Section 4 provides examples.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  IODEF Data Types

   The abstract IODEF JSON implements the abstract data types specified
   in Section 2 of [RFC7970].

2.1.  Abstract Data Type to JSON Data Type Mapping

   IODEF JSON uses native and derived JSON data types.  Figure 1
   describes the mapping between the abstract data types in Section 2 of
   [RFC7970] and their corresponding implementations in IODEF JSON.































Takahashi, et al.      Expires September 19, 2018               [Page 3]


Internet-Draft                 JSON-IODEF                     March 2018


 +-----------------+-------------------+-------------------------------+
 | IODEF Data Type |      [RFC7970]    |       JSON Data Type          |
 |                 |      Reference    |                               |
 +-----------------+-------------------+-------------------------------+
 | INTEGER         | Section 2.1       | "integer" per [jsonschema]    |
 | REAL            | Section 2.2       | "number" per [jsonschema]     |
 | CHARACTER       | Section 2.3       | "string" per [jsonschema]     |
 | STRING          | Section 2.3       | "string" per [jsonschema]     |
 | ML_STRING       | Section 2.4       | see Section 2.2.1             |
 | BYTE            | Section 2.5.1     | "string" per [jsonschema]     |
 | BYTE[]          | Section 2.5.1     | "string" per [jsonschema]     |
 | HEXBIN          | Section 2.5.2     | "string" per [jsonschema]     |
 | HEXBIN[]        | Section 2.5.2     | "string" per [jsonschema]     |
 | ENUM            | Section 2.6       | "enum" array per [jsonschema] |
 | DATETIME        | Section 2.7       | "string" per [jsonschema]     |
 | TIMEZONE        | Section 2.8       | "string" per [jsonschema]     |
 | PORTLIST        | Section 2.9       | "string" per [jsonschema]     |
 | POSTAL          | Section 2.10      | "string" per [jsonschema]     |
 | POSTAL_ML       | Section 2.10      | see ML_STRING, Section 2.2.1  |
 | PHONE           | Section 2.11      | "string" per [jsonschema]     |
 | EMAIL           | Section 2.12      | "string" per [jsonschema]     |
 | URL             | Section 2.13      | "string" per [jsonschema]     |
 | IDREF           | Section 2.14      | "string" per [jsonschema]     |
 | SOFTWARE        | Section 2.15      | see Section 2.2.2             |
 | STRUCTURED      | N/A               | see Section 2.2.3             |
 +-----------------+-------------------+-------------------------------+

                                 Figure 1

2.2.  Complex JSON Types

2.2.1.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different than the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as an object with "value", "lang", and "translation-id"
   elements as defined in Section 5.  Examples are shown below.

   "MLStringType": {
     "value": "free-form text",                              //STRING
     "lang": "en",                                             //ENUM
     "translation-id": "jp2en0023"                           //STRING
   }







Takahashi, et al.      Expires September 19, 2018               [Page 4]


Internet-Draft                 JSON-IODEF                     March 2018


2.2.2.  Software

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a URL, or with free-form text.  The SOFTWARE data
   type is implemented as an object with "SoftwareReference", "URL",
   "Description", and "Description_ML" elements as defined in Section 5.
   Examples are shown below.

   "SoftwareType": {
     "SoftwareReference": {...},          //SoftwareReference
     "Description": ["MS Windows"]        //STRING
   }

2.2.3.  StructuredInfo

   Information provided in a form of structured string, such as ID, or
   structured information, such as XML documents, is represented in the
   information model by the StructuredInfo data type.  Note that this
   type was originally specified in RFC7203.  The StructuredInfo data
   type is implemented as an object with "SpecID", "ext-SpecID",
   "ContentID", "RawData", "Reference" elements.  An example for
   embedding a structured ID is shown below.

   "StructuredInformation": {
     "SpecID": "cve",                                          //ENUM
     "ContentID": "CVE-2007-5000"                            //STRING
   }

   When embedding the raw data, base64 conversion should be used for
   encoding the data, as shown below.

   "StructuredInformation": {
     "SpecID": "oval",                                         //ENUM
     "RawData": "<<<strings encoded with base64>>>"            //BYTE
   }

3.  IODEF JSON Data Model

3.1.  Classes and Elements

   The following table shows the list of IODEF Classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 5.

   +-----------------------------+--------------------+---------------+
   | IODEF Class                 | Class              | Corresponding |
   |                             | Elements and       | Section       |



Takahashi, et al.      Expires September 19, 2018               [Page 5]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | Attribute          | in [RFC7970]  |
   +-----------------------------+--------------------+---------------+
   | IODEF-Document              | version            | 3.1           |
   |                             | lang?              |               |
   |                             | format-id?         |               |
   |                             | private-enum-name? |               |
   |                             | private-enum-id?   |               |
   |                             | Incident+          |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | Incident                    | purpose            | 3.2           |
   |                             | ext-purpose?       |               |
   |                             | status?            |               |
   |                             | ext-status?        |               |
   |                             | lang?              |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | IncidentID         |               |
   |                             | AlternativeID?     |               |
   |                             | RelatedActivity*   |               |
   |                             | DetectTime?        |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | RecoveryTime?      |               |
   |                             | ReportTime?        |               |
   |                             | GenrationTime?     |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | Discovery*         |               |
   |                             | Assessment*        |               |
   |                             | Method*            |               |
   |                             | Contact+           |               |
   |                             | EventData*         |               |
   |                             | Indicator*         |               |
   |                             | History?           |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | IncidentID                  | id                 | 3.4           |
   |                             | name               |               |
   |                             | instance?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   +-----------------------------+--------------------+---------------+
   | AlternativeID               | restriction?       | 3.5           |
   |                             | ext-restriction?   |               |
   |                             | IncidentID+        |               |
   +-----------------------------+--------------------+---------------+



Takahashi, et al.      Expires September 19, 2018               [Page 6]


Internet-Draft                 JSON-IODEF                     March 2018


   | RelatedActivity             | restriction?       | 3.6           |
   |                             | ext-restriction?   |               |
   |                             | IncidentID*        |               |
   |                             | URL*               |               |
   |                             | ThreatActor*       |               |
   |                             | Campaign*          |               |
   |                             | IndicatorID*       |               |
   |                             | Confidence?        |               |
   |                             | Description*       |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | ThreatActor                 | restriction?       | 3.7           |
   |                             | ext-restriction?   |               |
   |                             | ThreatActorID*     |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | AdditionalData*    |               |
   +-----------------------------+--------------------+---------------+
   | Campaign                    | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | CampaignID*        |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | AdditionalData*    | 3.8           |
   +-----------------------------+--------------------+---------------+
   | Contact                     | role               |               |
   |                             | ext-role?          |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | ContactName*,ContactName_ML* |     |
   |                             | ContactTitle*      |               |
   |                             | ContactTitle_ML*   |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | RegistryHandle*    |               |
   |                             | PostalAddress*     |               |
   |                             | Email*             |               |
   |                             | Telephone*         |               |
   |                             | Timezone?          |               |
   |                             | Contact*           |               |
   |                             | AdditionalData*    | 3.9           |
   +-----------------------------+--------------------+---------------+
   | RegistryHandle              | handle|            |               |
   |                             | registry|          |               |



Takahashi, et al.      Expires September 19, 2018               [Page 7]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | ext-registry?      | 3.9.1         |
   +-----------------------------+--------------------+---------------+
   | PostalAddress               | type?|             |               |
   |                             | ext-type?|         |               |
   |                             | PAddress|          |               |
   |                             | Description*|      |               |
   |                             | Description_ML*    | 3.9.2         |
   +-----------------------------+--------------------+---------------+
   | Email                       | type?              |               |
   |                             | ext-type?          |               |
   |                             | EmailTo            |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.9.3         |
   +-----------------------------+--------------------+---------------+
   | Telephone                   | type?              |               |
   |                             | ext-type?          |               |
   |                             | TelephoneNumber    |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.9.4         |
   +-----------------------------+--------------------+---------------+
   | Discovery                   | source?            |               |
   |                             | ext-source?        |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | Contact*           |               |
   |                             | DetectionPattern*  | 3.10          |
   +-----------------------------+--------------------+---------------+
   | DetectionPattern            | restriction?       | 3.10.1        |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Application        |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | DetectionConfiguration*  |         |
   +-----------------------------+--------------------+---------------+
   | Method                      | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Reference*         |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | AttackPattern*     |               |
   |                             | Vulnerability*     |               |
   |                             | Weakness*          | 3.11          |
   +-----------------------------+--------------------+---------------+
   | Reference                   | observable-id?     |               |
   |                             | ReferenceName?     |               |



Takahashi, et al.      Expires September 19, 2018               [Page 8]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.11.1        |
   +-----------------------------+--------------------+---------------+
   | Assessment                  | occurence?         |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | IncidentCategory*  |               |
   |                             | SystemImpact*      |               |
   |                             | BusinessImpact*    |               |
   |                             | TimeImpact*        |               |
   |                             | MonetaryImpact*    |               |
   |                             | IntendedImpact*    |               |
   |                             | Counter*           |               |
   |                             | MitigationFactor*  |               |
   |                             | MitigationFactor_ML*|              |
   |                             | Cause*             |               |
   |                             | Cause_ML*          |               |
   |                             | Confidence?        |               |
   |                             | AdditionalData*    | 3.12          |
   +-----------------------------+--------------------+---------------+
   | SystemImpact                | severity?          |               |
   |                             | completion?        |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.12.1        |
   +-----------------------------+--------------------+---------------+
   | BusinessImpact              | severity?          |               |
   |                             | ext-severity?      |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.12.2        |
   +-----------------------------+--------------------+---------------+
   | TimeImpact                  | value              |               |
   |                             | severity?          |               |
   |                             | metric             |               |
   |                             | ext-metric?        |               |
   |                             | duration?          |               |
   |                             | ext-duration?      | 3.12.3        |
   +-----------------------------+--------------------+---------------+
   | MonetaryImpact              | value              |               |
   |                             | severity?          |               |
   |                             | currency?          | 3.12.4        |
   +-----------------------------+--------------------+---------------+
   | Confidence                  | value              |               |



Takahashi, et al.      Expires September 19, 2018               [Page 9]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | rating             |               |
   |                             | ext-rating?        | 3.12.5        |
   +-----------------------------+--------------------+---------------+
   | History                     | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | HistoryItem+       | 3.13          |
   +-----------------------------+--------------------+---------------+
   | HistoryItem                 | action             |               |
   |                             | ext-action?        |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | DateTime           |               |
   |                             | IncidentID?        |               |
   |                             | Contact?           |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | DefinedCOA*        |               |
   |                             | AdditionalData*    | 3.13.1        |
   +-----------------------------+--------------------+---------------+
   | EventData                   | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | DetectTime?        |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | RecoveryTime?      |               |
   |                             | ReportTime?        |               |
   |                             | Contact*           |               |
   |                             | Discovery*         |               |
   |                             | Assessment?        |               |
   |                             | Method*            |               |
   |                             | Expectation*       |               |
   |                             | RecordData*        |               |
   |                             | EventData*         |               |
   |                             | AdditionalData*    | 3.14          |
   +-----------------------------+--------------------+---------------+
   | Expectation                 | action?            |               |
   |                             | ext-action?        |               |
   |                             | severity?          |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | DefinedCOA*        |               |
   |                             | StartTime?         |               |



Takahashi, et al.      Expires September 19, 2018              [Page 10]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | EndTime?           |               |
   |                             | Contact?           | 3.15          |
   +-----------------------------+--------------------+---------------+
   | System                      | category?          |               |
   |                             | ext-category?      |               |
   |                             | interface?         |               |
   |                             | spoofed?           |               |
   |                             | virtual?           |               |
   |                             | ownership?         |               |
   |                             | ext-ownership?     |               |
   |                             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | Node               |               |
   |                             | NodeRole*          |               |
   |                             | Service*           |               |
   |                             | OperatingSystem*   |               |
   |                             | Counter*           |               |
   |                             | AssetID*           |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | AdditionalData*    | 3.16          |
   +-----------------------------+--------------------+---------------+
   | Node                        | DomainData*        |               |
   |                             | Address*           |               |
   |                             | PostalAddress?     |               |
   |                             | Location*          |               |
   |                             | Location_ML*       |               |
   |                             | Counter*           | 3.17          |
   +-----------------------------+--------------------+---------------+
   | Address                     | value              |               |
   |                             | category           |               |
   |                             | ext-category?      |               |
   |                             | vlan-name?         |               |
   |                             | vlan-num?          |               |
   |                             | observable-id?     | 3.17.1        |
   +-----------------------------+--------------------+---------------+
   | NodeRole                    | category           |               |
   |                             | ext-category?      |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.17.2        |
   +-----------------------------+--------------------+---------------+
   | Counter                     | value              |               |
   |                             | type               |               |
   |                             | ext-type?          |               |
   |                             | unit               |               |
   |                             | ext-unit?          |               |
   |                             | meaning?           |               |
   |                             | meaning_ML?        |               |



Takahashi, et al.      Expires September 19, 2018              [Page 11]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | duration?          |               |
   |                             | ext-duration?      | 3.17.3        |
   +-----------------------------+--------------------+---------------+
   | DomainData                  | system-status      |               |
   |                             | ext-system-status? |               |
   |                             | domain-status      |               |
   |                             | ext-domain-status? |               |
   |                             | observable-id?     |               |
   |                             | Name               |               |
   |                             | DateDomainWasChecked?|             |
   |                             | RegistrationDate?  |               |
   |                             | ExpirationDate    ?|               |
   |                             | RelatedDNS*        |               |
   |                             | Nameservers*       |               |
   |                             | DomainContacts?    | 3.18          |
   +-----------------------------+--------------------+---------------+
   | Nameserver                  | Server             |               |
   |                             | Address*           | 3.18.1        |
   +-----------------------------+--------------------+---------------+
   | DomainContacts              | SameDomainContact? |               |
   |                             | Contact+           | 3.18.2        |
   +-----------------------------+--------------------+---------------+
   | Service                     | ip-protocol?       |               |
   |                             | observable-id?     |               |
   |                             | ServiceName?       |               |
   |                             | Port?              |               |
   |                             | Portlist?          |               |
   |                             | ProtoCode?         |               |
   |                             | ProtoType?         |               |
   |                             | ProtoField?        |               |
   |                             | ApplicationHeaderField+|           |
   |                             | EmailData?         |               |
   |                             | Application?       | 3.19          |
   +-----------------------------+--------------------+---------------+
   | ServiceName                 | IANAService?       |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.19.1        |
   +-----------------------------+--------------------+---------------+
   | EmailData                   | observable-id?     |               |
   |                             | EmailTo*           |               |
   |                             | EmailFrom?         |               |
   |                             | EmailSubject?      |               |
   |                             | EmailX-Mailer?     |               |
   |                             | EmailHeaderField*  |               |
   |                             | EmailHeaders?      |               |
   |                             | EmailBody?         |               |
   |                             | EmailMessage?      |               |



Takahashi, et al.      Expires September 19, 2018              [Page 12]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | HashData*          |               |
   |                             | Signature*         | 3.19.2        |
   +-----------------------------+--------------------+---------------+
   | RecordData                  | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | DateTime?          |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | Application?       |               |
   |                             | RecordPattern*     |               |
   |                             | RecordItem*        |               |
   |                             | URL*               |               |
   |                             | FileData*          |               |
   |                             | WindowsRegistryKeysModified*|      |
   |                             | CertificateData*   |               |
   |                             | AdditionalData*    | 3.19.3        |
   +-----------------------------+--------------------+---------------+
   | RecordPattern               | type               |               |
   |                             | ext-type?          |               |
   |                             | offset?            |               |
   |                             | offsetunit?        |               |
   |                             | ext-offsetunit?    |               |
   |                             | instance?          |               |
   |                             | value              | 3.19.4        |
   +-----------------------------+--------------------+---------------+
   | WindowsRegistryKeysModified | observable-id?     | 3.20          |
   |                             | Key+               |               |
   +-----------------------------+--------------------+---------------+
   | Key                         | registryaction?    |               |
   |                             | ext-registryaction?|               |
   |                             | observable-id?     |               |
   |                             | KeyName            |               |
   |                             | KeyValue?          | 3.20.1        |
   +-----------------------------+--------------------+---------------+
   | CertificateData             | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |
   |                             | Certificate+       | 3.21          |
   +-----------------------------+--------------------+---------------+
   | Certificate                 | observable-id?     |               |
   |                             | X509Data           |               |
   |                             | Description*       |               |
   |                             | Description_ML*    | 3.21.1        |
   +-----------------------------+--------------------+---------------+
   | FileData                    | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | observable-id?     |               |



Takahashi, et al.      Expires September 19, 2018              [Page 13]


Internet-Draft                 JSON-IODEF                     March 2018


   |                             | File+              | 3.22          |
   +-----------------------------+--------------------+---------------+
   | File                        | observable-id?     |               |
   |                             | FileName?          |               |
   |                             | FileSize?          |               |
   |                             | FileType?          |               |
   |                             | URL*               |               |
   |                             | HashData?          |               |
   |                             | Signature*         |               |
   |                             | AssociatedSoftware?|               |
   |                             | FileProperties*    | 3.22.1        |
   +-----------------------------+--------------------+---------------+
   | HashData                    | scope              |               |
   |                             | HashTargetID?      |               |
   |                             | Hash*              |               |
   |                             | FuzzyHash*         | 3.23          |
   +-----------------------------+--------------------+---------------+
   | Hash                        | DigestMethod       |               |
   |                             | DigestValue        |               |
   |                             | CanonicalizationMethod?|           |
   |                             | Application?       | 3.23.1        |
   +-----------------------------+--------------------+---------------+
   | FuzzyHash                   | FuzzyHashValue+    |               |
   |                             | Application?       |               |
   |                             | AdditionalData?    | 3.23.2        |
   +-----------------------------+--------------------+---------------+
   | Indicator                   | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | IndicatorID        |               |
   |                             | AlternativeIndicatorID*|           |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | StartTime?         |               |
   |                             | EndTime?           |               |
   |                             | Confidence?        |               |
   |                             | Contact*           |               |
   |                             | Observable?        |               |
   |                             | uid-ref?           |               |
   |                             | IndicatorExpression?|              |
   |                             | IndicatorReference?|               |
   |                             | NodeRole*          |               |
   |                             | AttackPhase*       |               |
   |                             | Reference*         |               |
   |                             | AdditionalData*    | 3.24          |
   +-----------------------------+--------------------+---------------+
   | IndicatorID                 | id                 |               |
   |                             | name               |               |
   |                             | version            | 3.24.1        |



Takahashi, et al.      Expires September 19, 2018              [Page 14]


Internet-Draft                 JSON-IODEF                     March 2018


   +-----------------------------+--------------------+---------------+
   | AlternativeIndicatorID      | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | IndicatorReference+| 3.24.2        |
   +-----------------------------+--------------------+---------------+
   | Observable                  | restriction?       |               |
   |                             | ext-restriction?   |               |
   |                             | System?            |               |
   |                             | Address?           |               |
   |                             | DomainData?        |               |
   |                             | Service?           |               |
   |                             | EmailData?         |               |
   |                             | WindowsRegistryKeysModified?|      |
   |                             | FileData?          |               |
   |                             | CertificateData?   |               |
   |                             | RegistryHandle?    |               |
   |                             | RecordData?        |               |
   |                             | EventData?         |               |
   |                             | Incident?          |               |
   |                             | Expectation?       |               |
   |                             | Reference?         |               |
   |                             | Assessment?        |               |
   |                             | DetectionPattern?  |               |
   |                             | HistoryItem?       |               |
   |                             | BulkObservable?    |               |
   |                             | AdditionalData*    | 3.24.3        |
   +-----------------------------+--------------------+---------------+
   | BulkObservable              | type?              |               |
   |                             | ext-type?          |               |
   |                             | BulkObservableFormat?|             |
   |                             | BulkObservableList |               |
   |                             | AdditionalData*    | 3.24.4        |
   +-----------------------------+--------------------+---------------+
   | BulkObservableFormat        | Hash?              |               |
   |                             | AdditionalData*    | 3.24.5        |
   +-----------------------------+--------------------+---------------+
   | IndicatorExpression         | operator?          |               |
   |                             | ext-operator?      |               |
   |                             | IndicatorExpression*|              |
   |                             | Observable*        |               |
   |                             | uid-ref*           |               |
   |                             | IndicatorReference*|               |
   |                             | Confidence?        |               |
   |                             | AdditionalData*    | 3.24.6        |
   +-----------------------------+--------------------+---------------+
   | IndicatorReference          | uid-ref?           |               |
   |                             | euid-ref?          |               |
   |                             | version?           | 3.24.7        |



Takahashi, et al.      Expires September 19, 2018              [Page 15]


Internet-Draft                 JSON-IODEF                     March 2018


   +-----------------------------+--------------------+---------------+
   | AttackPhase                 | AttackPhaseID*     |               |
   |                             | URL*               |               |
   |                             | Description*       |               |
   |                             | Description_ML*    |               |
   |                             | AdditionalData*    | 3.24.8        |
   +-----------------------------+--------------------+---------------+

3.2.  Mapping between JSON and XML IODEF

   o  This document treats attributes and elements of each class defined
      in [RFC7970] equally and is agnostic on the order of their
      appearances.

   o  Flow class is deleted, and classes with its instances now directly
      have instances of EventData class that used to belong to the Flow
      classs.

   o  ApplicationHeader class is deleted, and classes with its instances
      now directly have instances of ApplicationHeaderField class that
      used to belong to the ApplicationHeader class.

   o  SignatureData class is deleted, and classes with its instances now
      directly have instance of Signature class that used to belong to
      the SignatureData class.

   o  IndicatorData class is deleted, and classes with its instances now
      directly have the instances of Indicator class that used to belong
      to the IndicatorData class.

   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The elements of ML_STRING type are prepared as two separate
      elements: one of STRING type and another of ML_STRING type, in
      order to maintain the simplicity of IODEF documents when writing
      with only STRING type characters.

4.  Examples

   This section provides example of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the the only
   way to encode particular information.




Takahashi, et al.      Expires September 19, 2018              [Page 16]


Internet-Draft                 JSON-IODEF                     March 2018


4.1.  Minimal Example

   A document containing only the mandatory elements and attributes.

   {
     "version": "2.0",
     "lang": "en",
     "Incident": [
       {
         "purpose": "reporting",
         "restriction": "private",
         "IncidentID": {
           "id": 492382,
           "name": "csirt.example.com"
         },
         "GenerationTime": "2015-07-18T09:00:00-05:00",
         "Contact": [
           {
             "type": "organization",
             "role": "creator",
             "email": {
               "emailTo": "contact@csirt.example.com"
             }
           }
         ]
       }
     ]
   }

4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

{
  "version": "2.0",
  "lang": "en",
  "Incidents": [
    {
      "purpose": "watch",
      "restriction": "green",
      "IncidentID": {
        "id": "897923",
        "name": "csirt.example.com"
      },
      "RelatedActivity": [
        {
          "ThreatActor": [
            {



Takahashi, et al.      Expires September 19, 2018              [Page 17]


Internet-Draft                 JSON-IODEF                     March 2018


              "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY",
              "Description": "Aggressive Butterfly"
            }
          ],
          "Campaign": [
            {
              "CampaignID": "C-2015-59405",
              "Description": "Orange Giraffe"
            }
          ]
        }
      ],
      "GenerationTime": "2015-10-02T11:18:00-05:00",
      "Description": [
        "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang."
      ],
      "Assessment": [
        {
          "BusinessImpact": {
            "type": "breach-proprietary"
          }
        }
      ],
      "Contacts": [
        {
          "type": "organization",
          "role": "creator",
          "ContactName": "CSIRT for example.com",
          "Email": {
            "emailTo": "contact@csirt.example.com"
          }
        }
      ],
      "IndicatorList": [
        {
          "IndicatorID": {
            "id": "G90823490",
            "name": "csirt.example.com",
            "version": "1"
          },
          "Description": "C2 domains",
          "StartTime": "2014-12-02T11:18:00-05:00",
          "Observable": {
            "BulkObservable": {
              "type": "fqdn"
            },
            "BulkObservableList": [
              "kj290023j09r34.example.com",



Takahashi, et al.      Expires September 19, 2018              [Page 18]


Internet-Draft                 JSON-IODEF                     March 2018


              "09ijk23jfj0k8.example.net",
              "klknjwfjiowjefr923.example.org",
              "oimireik79msd.example.org"
            ]
          }
        }
      ]
    }
  ]
}

5.  The IODEF Data Model (JSON Schema)

{ "$schema": "http://json-schema.org/draft-04/schema#",
  "definitions": {
    "action": {"enum": ["nothing","contact-source-site","contact-target-site",
               "contact-sender", "investigate","block-host","block-network",
               "block-port","rate-limit-host","rate-limit-network",
               "rate-limit-port","redirect-traffic","honeypot",
               "upgrade-software","rebuild-asset","harden-asset",
               "remediate-other","status-triage","status-new-info",
               "watch-and-report","training","defined-coa","ext-value"]},
    "duration": {"enum": ["second","minute","hour","day","month","quarter",
                 "year","ext-value"]},
    "lang": {"enum": ["en","jp"]},
    "purpose": {"enum": ["traceback","mitigation","reporting","watch","other",
               "ext-value"]},
    "restriction": {"enum": ["public","partner","need-to-know","private",
                   "default","white","green","amber","red","ext-value"]},
    "status": {"enum": ["new","in-progress","forwarded","resolved","future",
              "ext-value"]},
    "DATETIME": {"type": "string"},
    "PORTLIST": {"type": "string"},
    "URLtype": {"type": "string"},
    "IDtype": {"type": "string"},
    "ExtensionType": {
      "type": "object",
      "properties": {
        "name": {"type": "string"},
        "dtype": {"enum": ["boolean","byte","bytes","character","date-time",
                  "ntpstamp","integer","portlist","real","string","file",
                  "path","frame","packet","ipv4-packet","ipv6-packet","url",
                  "csv","winreg","xml","ext-value"]},
        "ext-dtype": {"type": "string"},
        "meaning": {"type": "string"},
        "formatid": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},



Takahashi, et al.      Expires September 19, 2018              [Page 19]


Internet-Draft                 JSON-IODEF                     March 2018


        "observable-id": {"$ref": "#/definitions/IDtype"}}},
    "ExtensionTypeList": {
      "type": "array",
      "items": {"$ref": "#/definitions/ExtensionType"}},
    "SoftwareType": {
      "type": "object",
      "properties": {
        "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"},
        "URL": {"$ref": "#/definitions/URLtype"},
        "Description": {"type": "array", "items": {"type":"string"}}},
      "required": [],
      "additionalProperties": false},
    "SoftwareReference": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "spec-name": {"type": "string"},
        "ext-spec-name": {"type": "string"},
        "dtype": {"type": "string"},
        "ext-dtype": {"type": "string"}},
      "required": ["spec-name"],
      "additionalProperties": false},
    "StructuredInfo": {
      "type": "object",
      "properties": {
        "specID": {"type": "string"},
        "ext-specID": {"type": "string"},
        "contentID": {"type": "string"},
        "RawData": {"type": "string"},
        "URL": {"$ref": "#/definitions/URLtype"}},
      "required": ["specID"],
      "additionalProperties": false},
    "Incident": {
      "title": "Incident",
      "description": "JSON schema for Incident class",
      "type": "object",
      "properties": {
        "purpose": {"$ref": "#/definitions/purpose"},
        "ext-purpose": {"type": "string"},
        "status": {"$ref": "#/definitions/status"},
        "ext-status": {"type": "string"},
        "lang": {"$ref": "#/definitions/lang"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "AlternativeID": {"$ref": "#/definitions/AlternativeID"},
        "RelatedActivity": {



Takahashi, et al.      Expires September 19, 2018              [Page 20]


Internet-Draft                 JSON-IODEF                     March 2018


          "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "GenerationTime": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {
          "type": "array","items": {"$ref": "#/definitions/Assessment"}},
        "Methods": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "Contacts": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "IndicatorList": {
          "type": "array","items": {"$ref": "#/definitions/Indicator"}},
        "History": {"$ref": "#/definitions/History"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IncidentID","GenerationTime","Contacts","purpose"],
      "additionalProperties": false},
    "IncidentID": {
      "title": "IncidentID",
      "description": "JSON schema for IncidentID class",
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "instance": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": ["name"],
      "additionalProperties": false},
    "AlternativeID": {
      "title": "AlternativeID",
      "description": "JSON schema for AlternativeID class",
      "type": "object",
      "properties": {
        "IncidentID": {
          "type": "array","items":{"$ref": "#/definitions/IncidentID"}},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"}},
      "required": ["IncidentID"],
      "additionalProperties": false},
    "RelatedActivity": {



Takahashi, et al.      Expires September 19, 2018              [Page 21]


Internet-Draft                 JSON-IODEF                     March 2018


      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IncidentID": {
          "type": "array","items": {"$ref": "#/definitions/IncidentID"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "ThreatActor": {
          "type": "array","items": {"$ref": "#/definitions/ThreatActor"}},
        "Campaign": {
          "type": "array","items": {"$ref": "#/definitions/Campaign"}},
        "IndicatorID": {
          "type": "array","items": {"$ref": "#/definitions/IndicatorID"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Description": { "type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "ThreatActor": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "ThreatActorID": {"type": "array", "items": {"type": "string"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "additionalProperties": false},
    "Campaign": {
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "CampaignID": {"type": "array", "items": {"type": "string"}},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}},
    "Contact": {
      "type": "object",
      "properties": {
        "role": {
          "enum": ["creator","reporter","admin","tech","provider","user",
                   "billing","legal","irt","abuse","cc","cc-irt","leo",
                   "vendor","vendor-support","victim","victim-notified",
                   "ext-value"]},
        "ext-role": {"type": "string"},
        "type": {"enum": ["person","organization","ext-value"]},
        "ext-type": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "ContactName": {"type": "array", "items": {"type": "string"}},



Takahashi, et al.      Expires September 19, 2018              [Page 22]


Internet-Draft                 JSON-IODEF                     March 2018


        "ContactTitle": {"type": "array", "items": {"type": "string"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "RegistryHandle": {
          "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}},
        "PostalAddress": {
          "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}},
        "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}},
        "Telephone": {
          "type": "array", "items": {"$ref": "#/definitions/Telephone"}},
        "Timezone": {"type": "string"},
        "Contact": {
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["role","type"],
      "additionalProperties": false},
    "RegistryHandle": {
      "type": "object",
      "properties": {
        "handle": {"type": "string"},
        "registry": {
          "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local",
                   "ext-value"]},
        "ext-registry": {"type": "string"}},
      "required": ["registry"],
      "additionalProperties": false},
    "PostalAddress": {
      "type": "object",
      "properties": {
        "type": {"type": "string"},
        "ext-type": {"type": "string"},
        "PAddress": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": ["PAddress"],
      "additionalProperties": false},
    "Email": {
      "type": "object",
      "properties": {
        "type": {
          "enum":["direct","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "EmailTo": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": ["EmailTo"],
      "additionalProperties": false},
    "Telephone": {
      "type": "object",
      "properties": {
        "type": {



Takahashi, et al.      Expires September 19, 2018              [Page 23]


Internet-Draft                 JSON-IODEF                     March 2018


          "enum":["wired","mobile","fax","hotline","ext-value"]},
        "ext-type": {"type": "string"},
        "TelephoneNumber": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": ["TelephoneNumber"],
      "additionalProperties": false},
    "Discovery": {
      "type": "object",
      "properties": {
        "source": {
          "enum":["nidps","hips","siem","av","third-party-monitoring",
                  "incident","os-log","application-log","device-log",
                  "network-flow","passive-dns","investigation","audit",
                  "internal-notification","external-notification","leo",
                  "partner","actor","unknown","ext-value"]},
        "ext-source": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "Contact": {
          "type": "array", "items": {"$ref": "#/definitions/Contact"}},
        "DetectionPattern": {
          "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}},
      "required": [],
      "additionalProperties": false},
    "DetectionPattern": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "Description": {"type": "array", "items": {"type": "string"}},
        "DetectionConfiguration": {
          "type": "array", "items": {"type": "string"}}},
      "required": ["Application"],
      "additionalProperties": false},
    "Method": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "References": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "Description": {"type": "array", "items": {"type": "string"}},
        "AttackPattern": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Vulnerability": {



Takahashi, et al.      Expires September 19, 2018              [Page 24]


Internet-Draft                 JSON-IODEF                     March 2018


          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "Weakness": {
          "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "Reference": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ReferenceName": {"type": "string"},
        "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array", "items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "Assessment": {
      "type": "object",
      "properties": {
        "occurrence": {"enum":["actual","potential"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "IncidentCategory": {"type": "array", "items": {"type": "string"}},
        "SystemImpact": {
          "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}},
        "BusinessImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "TimeImpact": {
          "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}},
        "MonetaryImpact": {
          "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}},
        "IntendedImpact": {
          "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}},
        "Counter": {
          "type": "array", "items": {"$ref": "#/definitions/Counter"}},
        "MitigatingFactor": {
          "type": "array", "items": {"$type": "string"}},
        "Cause": {"type": "array", "items": {"$type": "string"}},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "SystemImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["low","medium","high"]},
        "completion": {"enum":["failed","succeeded"]},



Takahashi, et al.      Expires September 19, 2018              [Page 25]


Internet-Draft                 JSON-IODEF                     March 2018


        "type": {
          "enum":["takeover-account","takeover-service","takeover-system",
                  "cps-manipulation","cps-damage","availability-data",
                  "availability-account","availability-service",
                  "availability-system","damaged-system","damaged-data",
                  "breach-proprietary","breach-privacy","breach-credential",
                  "breach-configuration","integrity-data",
                  "integrity-configuration","integrity-hardware",
                  "traffic-redirection","monitoring-traffic","monitoring-host",
                  "policy","unknown","ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "BusinessImpact": {
      "type": "object",
      "properties": {
        "severity": {
          "enum":["none","low","medium","high","unknown","ext-value"]},
        "ext-severity": {"type":"string"},
        "type": {
          "enum":["breach-proprietary","breach-privacy","breach-credential",
                  "loss-of-integrity","loss-of-service","theft-financial",
                  "theft-service","degraded-reputation","asset-damage",
                  "asset-manipulation","legal","extortion","unknown",
                  "ext-value"]},
        "ext-type": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["type"],
      "additionalProperties": false},
    "TimeImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum": ["low","medium","high"]},
        "metric": {"enum": ["labor","elapsed","downtime","ext-value"]},
        "ext-metric": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["metric"],
      "additionalProperties": false},
    "MonetaryImpact": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "severity": {"enum":["low","medium","high"]},
        "currency": {"type": "string"}},
      "required": [],



Takahashi, et al.      Expires September 19, 2018              [Page 26]


Internet-Draft                 JSON-IODEF                     March 2018


      "additionalProperties": false},
    "Confidence": {
      "type": "object",
      "properties": {
        "value": {"type": "number"},
        "rating": {
          "enum": ["low","medium","high","numeric","unknown","ext-value"]},
        "ext-rating": {"type":"string"}},
      "required": ["rating"],
      "additionalProperties": false},
    "History": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "HistoryItem": {
          "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}},
      "required": ["HistoryItem"],
      "additionalProperties": false},
    "HistoryItem": {
      "type": "object",
      "properties": {
        "action": {"$ref": "#/definitions/action"},
        "ext-action": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "IncidentID": {"$ref": "#/definitions/IncidentID"},
        "Contact": {"$ref": "#/definitions/Contact"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["DateTime","action"],
      "additionalProperties": false},
    "EventData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DetectTime": {"type": "string"},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "RecoveryTime": {"type": "string"},
        "ReportTime": {"type": "string"},
        "Contact": {



Takahashi, et al.      Expires September 19, 2018              [Page 27]


Internet-Draft                 JSON-IODEF                     March 2018


          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Discovery": {
          "type": "array","items": {"$ref": "#/definitions/Discovery"}},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "Method": {
          "type": "array","items": {"$ref": "#/definitions/Method"}},
        "System": {
          "type": "array","items": {"$ref": "#/definitions/System"}},
        "Expectation": {
          "type": "array","items": {"$ref": "#/definitions/Expectation"}},
        "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}},
        "EventData": {
          "type": "array","items": {"$ref": "#/definitions/EventData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["ReportTime"],
      "additionalProperties": false},
    "Expectation": {
      "type": "object",
      "properties": {
        "action": {"$ref":"#/definitions/action"},
        "ext-action": {"type": "string"},
        "severity": {"enum": ["low","medium","high"]},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Description": {"type": "array","items": {"type": "string"}},
        "DefinedCOA": {"type": "array","items": {"type": "string"}},
        "StartTime": {"type": "string"},
        "EndTime": {"type": "string"},
        "Contact": {"$ref": "#/definitions/Contact"}},
      "required": [],
      "additionalProperties": false},
    "System": {
      "type": "object",
      "properties": {
        "category": {
          "enum": ["source","target","intermediate","sensor","infrastructure",
                   "ext-value"]},
        "ext-category": {"type": "string"},
        "interface": {"type": "string"},
        "spoofed": {"enum": ["unknown","yes","no"]},
        "virtual": {"enum": ["yes","no","unknown"]},
        "ownership": {
          "enum":["organization","personal","partner","customer",
                  "no-relationship","unknown","ext-value"]},
        "ext-ownership": {"type": "string"},
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},



Takahashi, et al.      Expires September 19, 2018              [Page 28]


Internet-Draft                 JSON-IODEF                     March 2018


        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Node": {"$ref": "#/definitions/Node"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "Service": {
          "type": "array","items": {"$ref": "#/definitions/Service"}},
        "OperatingSystem": {
          "type": "array","items": {"$ref": "#/definitions/SoftwareType"}},
        "Counter": {
          "type": "array","items": {"$ref": "#/definitions/Counter"}},
        "AssetID": {"type": "array","items": {"type": "string"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["Node"],
      "additionalProperties": false},
    "Node": {
      "type": "object",
      "properties": {
        "DomainData": {
          "type": "array","items": {"$ref": "#/definitions/DomainData"}},
        "Address": {
          "type": "array","items": {"$ref": "#/definitions/Address"}},
        "PostalAddress": {"type": "string"},
        "Location": {"type": "array","items": {"type": "string"}},
        "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}},
      "required": [],
      "additionalProperties": false},
    "Address": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "category": {
           "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                    "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net",
                    "ipv6-net-masked","mac","site-url","ext-value"]},
        "ext-category": {"type": "string"},
        "vlan-name": {"type": "string"},
        "vlan-num": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"}},
      "required": ["category"],
      "additionalProperties": false},
    "NodeRole": {
      "type": "object",
      "properties": {
        "category": {
          "enum":["client","client-enterprise","clent-partner","client-remote",
                  "client-kiosk","client-mobile","server-internal",
                  "server-public","www","mail","webmail","messaging",



Takahashi, et al.      Expires September 19, 2018              [Page 29]


Internet-Draft                 JSON-IODEF                     March 2018


                  "streaming","voice","file","ftp","p2p","name","directory",
                  "credential","print","application","database","backup",
                  "dhcp","assessment","source-control","config-management",
                  "monitoring","infra","infra-firewall","infra-router",
                  "infra-switch","camera","proxy","remote-access","log",
                  "virtualization","pos", "scada", "scada-supervisory",
                  "sinkhole","honeypot","anomyzation","c2-server",
                  "malware-distribution","drop-server","hot-point","reflector",
                  "phishing-site","spear-phishing-site","recruiting-site",
                  "fraudulent-site","ext-value"]},
        "ext-category": {"type": "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["category"],
      "additionalProperties": false},
    "Counter": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["count","peak","average","ext-value"]},
        "ext-type": {"type": "string"},
        "unit": {"enum": ["byte","mbit","packet","flow","session","alert",
                 "message","event","host","site","organization","ext-value"]},
        "ext-unit": {"type": "string"},
        "meaning": {"type": "string"},
        "duration": {"$ref":"#/definitions/duration"},
        "ext-duration": {"type": "string"}},
      "required": ["type","unit"],
      "additionalProperties": false},
    "DomainData": {
      "type": "object",
      "properties": {
        "system-status": {
          "enum": ["spoofed","fraudulent","innocent-hacked",
                   "innocent-hijacked","unknown","ext-value"]},
        "ext-system-status": {"type": "string"},
        "domain-status": {
          "enum": [
            "reservedDelegation","assignedAndActive","assignedAndInactive",
            "assignedAndOnHold","revoked","transferPending","registryLock",
            "registrarLock","other","unknown","ext-value"]},
        "ext-domain-status": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Name": {"type": "string"},
        "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"},
        "RegistrationDate": {"$ref": "#/definitions/DATETIME"},
        "ExpirationDate": {"$ref": "#/definitions/DATETIME"},
        "RelatedDNS": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},



Takahashi, et al.      Expires September 19, 2018              [Page 30]


Internet-Draft                 JSON-IODEF                     March 2018


        "NameServers": {
          "type": "array","items": {"$ref": "#/definitions/NameServers"}},
        "DomainContacts": {
          "$ref": "#/definitions/DomainContacts"}},
      "required": ["Name","system-status","domain-status"],
      "additionalProperties": false},
    "NameServers": {
      "type": "object",
      "properties": {
        "Server": {"type": "string"},
        "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}},
      "required": ["Server","Address"],
      "additionalProperties": false},
    "DomainContacts": {
      "type": "object",
      "properties": {
        "SameDomainContact": {"type": "string"},
        "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}},
      "required": ["Contact"],
      "additionalProperties": false},
    "Service": {
      "type": "object",
      "properties": {
        "ip-protocol": {"type": "integer"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "ServiceName": {"$ref": "#/definitions/ServiceName"},
        "Port": {"type": "integer"},
        "Portlist": {"$ref": "#/definitions/PORTLIST"},
        "ProtoCode": {"type": "integer"},
        "ProtoType": {"type": "integer"},
        "ProtoField": {"type": "integer"},
        "ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": [],
      "additionalProperties": false},
    "ServiceName": {
      "type": "object",
      "properties": {
        "IANAService": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "EmailData": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},



Takahashi, et al.      Expires September 19, 2018              [Page 31]


Internet-Draft                 JSON-IODEF                     March 2018


        "EmailTo": {"type": "array","items": {"type": "string"}},
        "EmailFrom": {"type": "string"},
        "EmailSubject": {"type": "string"},
        "EmailX-Mailer": {"type": "string"},
        "EmailHeaderField": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "EmailHeaders": {"type": "string"},
        "EmailBody": {"type": "string"},
        "EmailMessage": {"type": "string"},
        "HashData": {
          "type": "array","items": {"$ref": "#/definitions/HashData"}},
        "Signature": {"type": "array","items": {"type": "string"}}},
      "required": [],
      "additionalProperties": false},
    "RecordData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "DateTime": {"$ref": "#/definitions/DATETIME"},
        "Description": {"type": "array","items": {"type": "string"}},
        "Applicadtion": {"$ref": "#/definitions/SoftwareType"},
        "RecordPattern": {
          "type": "array","items": {"$ref": "#/definitions/RecordPattern"}},
        "RecordItem": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "URL": {
          "type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "FileData": {
          "type": "array","items": {"$ref": "#/definitions/FileData"}},
        "WindowsRegistryKeysModified": {
          "type": "array",
          "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}},
        "CertificateData": {
          "type": "array","items": {"$ref": "#/definitions/CertificateData"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false
    },
    "RecordPattern": {
      "type": "object",
      "properties": {
        "value": {"type": "string"},
        "type": {"enum": ["regex","binary","xpath","ext-value"]},
        "ext-type": {"type": "string"},
        "offset": {"type": "integer"},
        "offsetunit": {"enum":["line","byte","ext-value"]},



Takahashi, et al.      Expires September 19, 2018              [Page 32]


Internet-Draft                 JSON-IODEF                     March 2018


        "ext-offsetunit": {"type": "string"},
        "instance": {"type": "integer"}},
      "required": ["type"],
      "additionalProperties": false},
    "WindowsRegistryKeysModified": {
      "type": "object",
      "properties": {
        "observabile-id": {"$ref": "#/definitions/IDtype"},
        "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}},
      "required": ["Key"],
      "additionalProperties": false},
    "Key": {
      "type": "object",
      "properties": {
        "registryaction": {"enum": ["add-key","add-value","delete-key",
                          "delete-value","modify-key","modify-value",
                          "ext-value"]},
        "ext-registryaction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "KeyName": {"type":"string"},
        "KeyValue": {"type": "string"}},
      "required": ["KeyName"],
      "additionalProperties": false},
    "CertificateData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "Certificate": {
          "type": "array","items": {"$ref": "#/definitions/Certificate"}}},
      "required": ["Certificate"],
      "additionalProperties": false},
    "Certificate": {
      "type": "object",
      "properties": {
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "X509Data": {type: "string"},
        "Description": {"type": "array","items": {"type": "string"}}},
      "required": ["X509Data"],
      "additionalProperties": false},
    "FileData": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "observable-id": {"$ref": "#/definitions/IDtype"},
        "File": {"type": "array","items": {"$ref": "#/definitions/File"}}},



Takahashi, et al.      Expires September 19, 2018              [Page 33]


Internet-Draft                 JSON-IODEF                     March 2018


      "required": ["File"],
      "additionalProperties": false},
    "File": {
      "type": "object",
      "properties": {
        "FileName": {"type": "string"},
        "FileSize": {"type": "integer"},
        "FileType": {"type": "string"},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "HashData": {"$ref": "#/definitions/HashData"},
        "Signature": {"type": "array","items": {"type": "string"}},
        "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"},
        "FileProperties": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}},
      "required": [],
      "additionalProperties": false},
    "HashData": {
      "type": "object",
      "properties": {
        "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat",
                 "file-pe-resource","file-pdf-object","email-hash",
                 "email-hash-header","email-hash-body"]},
        "HashTargetID": {"type": "string"},
        "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}},
        "FuzzyHash": {
          "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}},
      "required": ["scope"],
      "additionalProperties": false},
    "Hash": {
      "type": "object",
      "properties": {
        "DigestMethod": {"type": "string"},
        "DigestValue": {"type": "string"},
        "CanonicalizationMethod": {},
        "Application": {"$ref": "#/definitions/SoftwareType"}},
      "required": ["DigestMethod","DigestValue"],
      "additionalProperties": false},
    "FuzzyHash": {
      "type": "object",
      "properties": {
        "FuzzyHashValue": {
          "type": "array","items": {"$ref": "#/definitions/ExtensionType"}},
        "Application": {"$ref": "#/definitions/SoftwareType"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["FuzzyHashValue"],
      "additionalProperties": false},
    "Indicator": {
      "type": "object",



Takahashi, et al.      Expires September 19, 2018              [Page 34]


Internet-Draft                 JSON-IODEF                     March 2018


      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorID": {"$ref": "#/definitions/IndicatorID"},
        "AlternativeIndicatorID": {
          "type": "array",
          "items": {"$ref": "#/definitions/AlternativeIndicatorID"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "StartTime": {"$ref": "#/definitions/DATETIME"},
        "EndTime": {"$ref": "#/definitions/DATETIME"},
        "Confidence": {"$ref": "#/definitions/Confidence"},
        "Contact": {
          "type": "array","items": {"$ref": "#/definitions/Contact"}},
        "Observable": {"$ref": "#/definitions/Observable"},
        "uid-ref": {"type": "string"},
        "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"},
        "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"},
        "NodeRole": {
          "type": "array","items": {"$ref": "#/definitions/NodeRole"}},
        "AttackPhase": {
          "type": "array","items": {"$ref": "#/definitions/AttackPhase"}},
        "Reference": {
          "type": "array","items": {"$ref": "#/definitions/Reference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": ["IndicatorID"],
      "additionalProperties": false},
    "IndicatorID": {
      "type": "object",
      "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "version": {"type": "string"}},
      "required": ["name","version"],
      "additionalProperties": false},
    "AlternativeIndicatorID": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},
        "ext-restriction": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorReference"}}},
      "required": ["IndicatorReference"],
      "additionalProperties": false},
    "Observable": {
      "type": "object",
      "properties": {
        "restriction": {"$ref": "#/definitions/restriction"},



Takahashi, et al.      Expires September 19, 2018              [Page 35]


Internet-Draft                 JSON-IODEF                     March 2018


        "ext-restriction": {"type": "string"},
        "System": {"$ref": "#/definitions/System"},
        "Address": {"$ref": "#/definitions/Address"},
        "DomainData": {"$ref": "#/definitions/DomainData"},
        "EmailData": {"$ref": "#/definitions/EmailData"},
        "Service": {"$ref": "#/definitions/Service"},
        "WindowsRegistryKeysModified": {
          "$ref": "#/definitions/WindowsRegistryKeysModified"},
        "FileData": {"$ref": "#/definitions/FileData"},
        "CertificateData": {"$ref": "#/definitions/CertificateData"},
        "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"},
        "RecordData": {"type": "array", "item": {"$ref": "#/definitions/Record"}},
        "EventData": {"$ref": "#/definitions/EventData"},
        "Incident": {"$ref": "#/definitions/Incident"},
        "Expectation": {"$ref": "#/definitions/Expectation"},
        "Reference": {"$ref": "#/definitions/Reference"},
        "Assessment": {"$ref": "#/definitions/Assessment"},
        "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"},
        "HistoryItem": {"$ref": "#/definitions/HistoryItem"},
        "BulkObservable": {"$ref": "#/definitions/BulkObservable"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservable": {
      "type": "object",
      "properties": {
        "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net",
                 "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac",
                 "site-url","domain-name","domain-to-ipv4","domain-to-ipv6",
                 "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp",
                 "ipv4-port","ipv6-port","windows-reg-key","file-hash",
                 "email-x-mailer","email-subject","http-user-agent",
                 "http-request-url","mutex","file-path","user-name",
                 "ext-value"]},
        "ext-type": {"type": "string"},
        "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"},
        "BulkObservableList": {"type": "array", "item":{"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "BulkObservableFormat": {
      "type": "object",
      "properties": {
        "Hash": {"$ref": "#/definitions/Hash"},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorExpression": {



Takahashi, et al.      Expires September 19, 2018              [Page 36]


Internet-Draft                 JSON-IODEF                     March 2018


      "type": "object",
      "properties": {
        "operator": {"enum": ["not","and","or","xor"]},
        "ext-operator": {"type": "string"},
        "IndicatorExpression": {
          "type": "array",
          "items": {"$ref": "#/definitions/IndicatorExpression"}},
        "Observable": {
          "type": "array","items": {"$ref": "#/definitions/Observable"}},
        "uid-ref": {"type": "string"},
        "IndicatorReference": {
          "type": "array",
         "items": {"$ref": "#/definitions/IndicatorReference"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false},
    "IndicatorReference": {
      "type": "object",
      "properties": {
        "uid-ref": {"type": "string"},
        "euid-ref": {"type": "string"},
        "version": {"type": "string"}},
      "required": [],
      "additionalProperties": false},
    "AttackPhase": {
      "type": "object",
      "properties": {
        "AttackPhaseID": {"type": "array","items": {"type": "string"}},
        "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}},
        "Description": {"type": "array","items": {"type": "string"}},
        "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
      "required": [],
      "additionalProperties": false}},
  "title": "IODEF-Document",
  "description": "JSON schema for IODEF-Document class",
  "type": "object",
  "properties": {
    "version": {"type": "string"},
    "lang": {"$ref": "#/definitions/lang"},
    "format-id": {"type": "string"},
    "private-enum-name": {"type": "string"},
    "private-enum-id": {"type": "string"},
    "Incident": {
      "type": "array","items": {"$ref": "#/definitions/Incident"}},
      "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
  "required": ["version","Incident"],
  "additionalProperties": false}




Takahashi, et al.      Expires September 19, 2018              [Page 37]


Internet-Draft                 JSON-IODEF                     March 2018


                           Figure 2: JSON schema

6.  Acknowledgements

   TBD.

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Security Considerations

   This memo does not provide any further security considerations than
   the one described in [RFC7970].

9.  Normative References

   [jsonschema]
              "JSON Schema", 2006.

              http://json-schema.org/

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Phone: +81 42 327 5862
   Email: takeshi_takahashi@nict.go.jp










Takahashi, et al.      Expires September 19, 2018              [Page 38]


Internet-Draft                 JSON-IODEF                     March 2018


   Roman Danyliw
   CERT, Software Engineering Institute, Carnegie Mellon University
   4500 Fifth Avenue
   Pittsburgh, PA
   USA

   Email: rdd@cert.org


   Mio Suzuki
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp



































Takahashi, et al.      Expires September 19, 2018              [Page 39]


Html markup produced by rfcmarkup 1.127, available from https://tools.ietf.org/tools/rfcmarkup/