opentpx 2.2.0.17
- checksums.yaml +7 -0
- data/LICENSE.txt +15 -0
- data/README.md +44 -0
- data/bin/opentpx_tools +15 -0
- data/lib/tpx.rb +7 -0
- data/lib/tpx/2_2/attribute_accessors.rb +34 -0
- data/lib/tpx/2_2/classification_element.rb +11 -0
- data/lib/tpx/2_2/classification_element_list.rb +11 -0
- data/lib/tpx/2_2/collection.rb +21 -0
- data/lib/tpx/2_2/collection_element.rb +13 -0
- data/lib/tpx/2_2/data_model.rb +32 -0
- data/lib/tpx/2_2/element_observable.rb +41 -0
- data/lib/tpx/2_2/element_observable_list.rb +17 -0
- data/lib/tpx/2_2/exceptions.rb +13 -0
- data/lib/tpx/2_2/exchange.rb +220 -0
- data/lib/tpx/2_2/heterogeneous_list.rb +136 -0
- data/lib/tpx/2_2/homogeneous_list.rb +82 -0
- data/lib/tpx/2_2/mandatory_attributes.rb +69 -0
- data/lib/tpx/2_2/merging_heterogeneous_list.rb +36 -0
- data/lib/tpx/2_2/merging_homogeneous_list.rb +37 -0
- data/lib/tpx/2_2/network.rb +23 -0
- data/lib/tpx/2_2/network_list.rb +11 -0
- data/lib/tpx/2_2/observable.rb +13 -0
- data/lib/tpx/2_2/observable_attribute_map.rb +12 -0
- data/lib/tpx/2_2/observable_definition.rb +15 -0
- data/lib/tpx/2_2/observable_dictionary.rb +12 -0
- data/lib/tpx/2_2/schema/tpx.2.2.schema.json +632 -0
- data/lib/tpx/2_2/threat_observable.rb +14 -0
- data/lib/tpx/2_2/validator.rb +279 -0
- data/lib/tpx/tools.rb +81 -0
- data/lib/tpx/version.rb +3 -0
- data/lib/tpx_2_2.rb +14 -0
- metadata +218 -0
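--- a/data/lib/tpx/2_2/observable_dictionary.rb
+++ b/data/lib/tpx/2_2/observable_dictionary.rb
@@ -0,0 +1,12 @@
+require 'tpx/2_2/homogeneous_list'
+require 'tpx/2_2/observable_definition'
+
+module TPX_2_2
+
+# A dictionary of observable objects.
+class ObservableDictionary < HomogeneousList
+homogeneous_list_of ObservableDefinition
+children_keyed_by :observable_id_s
+end
+
+end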
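--- a/data/lib/tpx/2_2/schema/tpx.2.2.schema.json
+++ b/data/lib/tpx/2_2/schema/tpx.2.2.schema.json
@@ -0,0 +1,632 @@
+{
+"$schema": "http://json-schema.org/draft-04/schema#",
+"title": "OpenTPX",
+"description": "An Open Threat Partner eXchange (OpenTPX) file",
+
+"definitions": {
+
+"suffixed_schema": {
+"type": "object",
+"patternProperties": {
+"_ipv4_i$": { "type": "integer", "minimum": 0, "maximum": 4294967295 },
+"_ipv4_ui$": { "type": "integer", "minimum": 0, "maximum": 4294967295 },
+"_ipv4_s$": { "type": "string", "format": "ipv4" },
+"_cidrv4_s$": { "type": "string" },
+"_ipv6_ll$": { "type": "integer", "minimum": 0 },
+"_ipv6_s$": { "type": "string", "format": "ipv6" },
+"_cidrv6_s$": { "type": "string" },
+"_fqdn_s$": { "type": "string" },
+"_asn_number_ui$": { "type": "integer", "minimum": 0 },
+"_asn_s$": { "type": "string" },
+"_md5_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{32}$" },
+"_sha1_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{40}$" },
+"_sha256_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
+"_sha512_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{128}$" },
+"_t$": { "type": "integer", "minimum": 0 },
+"_s$": { "type": "string" },
+"_i$": { "type": "integer" },
+"_ui$": { "type": "integer" },
+"_ll$": { "type": "integer" },
+"_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]+$" },
+"_f$": { "type": "number" },
+"_c_array$": { "type": "array", "minItems": 1, "items": { "type": "object" } },
+"_c_map$": { "type": "object" },
+"_s_array$": { "type": "array", "minItems": 1, "items": { "type": "string"} }
+},
+"additionalProperties": false
+},
+
+"observable": {
+"allOf": [{
+"type": "object",
+"properties": {
+"observable_id_s": {
+"description": "The name of the observable",
+"type": "string"
+},
+"criticality_i": {
+"description": "The threat observable’s relative criticality between 1 and 100",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+},
+"score_i": {
+"description": "Optional overridden threat score between 1 and 100.",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+},
+"score_24hr_decay_i": {
+"description": "Optional parameter that defines the percentage of the score decays over time if no new observation. A valid decay is between 0 and 100. A value of 0 switches off decay due to time.",
+"type": "integer",
+"minimum": 0,
+"maximum": 100
+},
+"score_calc_setting_s":{
+"description": "Optional parameter that defines whether the score was calculated based on a manual or automatic calculation. Default: auto",
+"type": "string",
+"pattern": "^(auto|manual)$"
+},
+"description_s": {
+"description": "A user displayable description of the observable",
+"type": "string"
+},
+"classification_c_array": {
+"description": "An array of classification of this threat observable.",
+"type": "array",
+"minItems": 1,
+"items": {
+"allOf": [{
+"type": "object",
+"properties": {
+"classification_id_s": {
+"description": "The name of the classification",
+"type": "string"
+},
+"classification_family_s": {
+"description": "The descriptive family name for this classification",
+"type": "string"
+},
+"score_i": {
+"description": "The criticality/score of the classification between 1 and 100 where a higher number is a higher risk classification",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+}
+},
+"additionalProperties": false,
+"required": ["classification_id_s"]
+},
+{
+"$ref": "#/definitions/suffixed_schema"
+}]
+}
+},
+"attribute_c_map": {
+"description": "An map of attributes associated with the observable that are common across all subjects",
+"$ref": "#/definitions/suffixed_schema"
+},
+"summary_s": {
+"description": "A user displayable summary of the observable description",
+"type": "string"
+},
+"notes_s": {
+"description": "A user defined set of notes that provide background to the description",
+"type": "string"
+},
+"reference_s_array": {
+"description": "An array of string URL references to background information on the observable",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string",
+"format": "uri"
+}
+}
+},
+"required": ["observable_id_s", "description_s", "classification_c_array"]
+},
+{
+"$ref": "#/definitions/suffixed_schema"
+}]
+},
+
+"network": {
+"type": "object",
+"properties": {
+"asn_i": {
+"description": "The ID number of the ASN",
+"type": "integer"
+},
+"as_owner_s": {
+"description": "The owner of the ASN",
+"type": "string"
+},
+"asn_routers_ip_array": {
+"description": "The array of routers that make up this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string",
+"pattern": ".*"
+}
+},
+"asn_router_conns_ip_array": {
+"description": "The array of router interconnections in this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string",
+"pattern": ".*"
+}
+},
+"asn_cidr_announcements_c_array": {
+"description": "The array of CIDR announcements in this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"asn_downstream_i_array": {
+"description": "The array of downstream ASNs from this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "integer"
+}
+},
+"asn_upstream_i_array": {
+"description": "The array of upstream ASNs from this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "integer"
+}
+},
+"asn_community_c_array": {
+"description": "The array of communities within this ASN",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+}
+}
+},
+
+"collection": {
+"type": "object",
+"properties": {
+"name_id_s": {
+"description": "The name of the collection",
+"type": "string"
+},
+"last_updated_t": {
+"description": "The UTC Epoch time of the last update to this collection",
+"type": "integer",
+"minimum": 0
+},
+"author_s": {
+"description": "A name associated with the last team, group, company or person making the change",
+"type": "string"
+},
+"workspace_s": {
+"description": "A collaboration space this collection is associated with",
+"type": "string"
+},
+"fqdn_ref_c_array": {
+"description": "An array of FQDN elements referenced by this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"ip_ref_c_array": {
+"description": "An array of IP (v4 and v6) elements referenced by this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"asn_ref_c_array": {
+"description": "An array of ASN elements referenced by this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"cidr_ref_c_array": {
+"description": "An array of CIDR elements referenced by this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"observable_ref_c_array": {
+"description": "An array of observables referenced by this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/suffixed_schema"
+}
+},
+"collection_c_array": {
+"description": "An array of children collections contained within this collection",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/collection"
+}
+}
+},
+"required": ["name_id_s"]
+},
+
+"element_observable": {
+"allOf": [{
+"type": "object",
+"properties": {
+"score_i": {
+"description": "The element’s overridden score if not derived from scoring of the observables",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+},
+"score_24hr_decay_i": {
+"description": "The element’s overridden score decay if not derived from the observable’s decay parameter. 0 indicates this particular element’s score will not change due to time decay alone.",
+"type": "integer",
+"minimum": 0,
+"maximum": 100
+},
+"threat_observable_c_map": {
+"description": "A map of Threat Observables that are associated with the subject. The threat observable must already be defined in the observable dictionary to be referenced by this map.",
+"type": "object",
+"patternProperties": {
+".+": {
+"allOf": [{
+"type": "object",
+"properties": {
+"occurred_at_t": {
+"description": "The Epoch UTC timestamp when this particular threat observable was first observed associated with the subject",
+"type": "integer",
+"minimum": 0
+},
+"last_seen_t": {
+"description": "The Epoch UTC timestamp of the last update when this threat observable was observed associated with the subject",
+"type": "integer",
+"minimum": 0
+},
+"country_code_s": {
+"description": "The 2 or 3 digit country code associated with the threat observable",
+"type": "string",
+"minLength": 2,
+"maxLength": 3
+},
+"destination_fqdn_s": {
+"description": "The domain that a particular botnet or peer to peer communication threat was destined to",
+"type": "string"
+},
+"description_s": {
+"description": "The description of the observable or element or collection",
+"type": "string"
+},
+"url_s": {
+"description": "The description of the observable or element or collection",
+"type": "string",
+"format": "uri"
+},
+"score_i": {
+"description": "The criticality/score of the classification between 1 and 100 where a higher number is a higher risk observable",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+},
+"classification_s": {
+"description": "The name of the classification",
+"type": "string"
+},
+"filesize_i": {
+"description": "The size of a file used to convey some behavior",
+"type": "integer",
+"minimum": 0
+},
+"magic_s": {
+"description": "The description of the file",
+"type": "string"
+},
+"mime_type_s": {
+"description": "The mime type of the file",
+"type": "string"
+},
+"hash_md5_h": {
+"description": "The MD5 hash of a file",
+"type": "string"
+},
+"hash_sha1_h": {
+"description": "The SHA1 hash of a file",
+"type": "string"
+},
+"hash_sha256_h": {
+"description": "The SHA256 hash of a file",
+"type": "string"
+},
+"hash _sha512_h": {
+"description": "The SHA512 hash of a file",
+"type": "string"
+},
+"dns_request_c_array": {
+"description": "The list of DNS requests made",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"dns_response_c_array": {
+"description": "The list of DNS responses where each response is { Dns-record-type : Dns-value}",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"host_c_array": {
+"description": "The list of hosts in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"http_c_array": {
+"description": "The list of HTTP key/value pairs in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"smtp_c_array": {
+"description": "The list of SMTP key/value pairs in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"tcp_c_array": {
+"description": "The list of TCP key/value pairs in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"fqdn_c_array": {
+"description": "The list of SMTP key/value pairs in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"ssl_c_array": {
+"description": "The list of SSL key/value pairs in the PCAP",
+"type": "array",
+"items": { "$ref": "#/definitions/suffixed_schema" }
+},
+"geoloc_lat_f": {
+"description": "The latitude of the observable if known",
+"type": "number"
+},
+"geoloc_long_f": {
+"description": "The longitude of the observable if known",
+"type": "number"
+},
+"dest_port_i": {
+"description": "A destination protocol port",
+"type": "integer"
+},
+"dest_ipv4_s": {
+"description": "A destination IP v4 address as a string",
+"type": "string"
+},
+"dest_ipv4_i": {
+"description": "A destination IP v4 address as an integer",
+"type": "integer"
+},
+"src_port_i": {
+"description": "A source protocol port",
+"type": "integer"
+},
+"src_ipv4_s": {
+"description": "A source IP v4 address as a string",
+"type": "string"
+},
+"src_ipv4_i": {
+"description": "A source IP v4 address as an integer",
+"type": "integer"
+},
+"size_i": {
+"description": "A size in bytes of a communication or entity",
+"type": "integer"
+},
+"tlp_i": {
+"description": "The Traffic Light Protocol value. 0 – White, 1 – Green, 2 – Amber, 3 – Red",
+"type": "integer"
+},
+"name_id_s": {
+"description": "The name of the country provided as part of a country code file",
+"type": "string"
+},
+"country_code_i": {
+"description": "The country identifier as part of the country code file",
+"type": "integer",
+"minimum": 0
+},
+"iso_3_s": {
+"description": "The ISO 3 letter code for the country",
+"type": "string",
+"minLength": 3,
+"maxLength": 3
+},
+"iso_2_s": {
+"description": "The ISO 2 letter code for the country",
+"type": "string",
+"minLength": 2,
+"maxLength": 2
+},
+"region_code_i": {
+"description": "The regional code for the country code file",
+"type": "integer"
+},
+"continent_code_i": {
+"description": "The continent code for the country code file",
+"type": "integer"
+},
+"continent_code_s": {
+"description": "The continent name for the country code file",
+"type": "string"
+},
+"naics_code_i": {
+"description": "The NAICS code",
+"type": "integer"
+},
+"naics_code_s": {
+"description": "The NAICS code as a string",
+"type": "string"
+}
+},
+"required": ["occurred_at_t"]
+},
+{ "$ref": "#/definitions/suffixed_schema" }
+]
+}
+}
+}
+},
+"required": ["threat_observable_c_map"]
+},
+{ "$ref": "#/definitions/suffixed_schema" },
+{
+"oneOf": [
+{ "required": ["subject_ipv4_i"] },
+{ "required": ["subject_ipv4_ui"] },
+{ "required": ["subject_ipv4_s"] },
+{ "required": ["subject_ipv6_ui"] },
+{ "required": ["subject_ipv6_s"] },
+{ "required": ["subject_fqdn_s"] },
+{ "required": ["subject_cidrv4_s"] },
+{ "required": ["subject_cidrv6_s"] },
+{ "required": ["subject_asn_s"] },
+{ "required": ["subject_asn_ui"] },
+{ "required": ["subject_md5_h"] },
+{ "required": ["subject_sha1_h"] },
+{ "required": ["subject_sha256_h"] },
+{ "required": ["subject_sha512_h"] },
+{ "required": ["subject_registrykey_s"] },
+{ "required": ["subject_filename_s"] },
+{ "required": ["subject_filepath_s"] },
+{ "required": ["subject_mutex_s"] },
+{ "required": ["subject_actor_s"] },
+{ "required": ["subject_email_s"] }
+]
+}
+]
+}
+},
+
+"type": "object",
+"properties": {
+"schema_version_s": {
+"description": "The provider’s version of their schema",
+"type": "string"
+},
+"provider_s": {
+"description": "The provider’s company name",
+"type": "string"
+},
+"source_observable_s": {
+"description": "The prefix associated with this threat list",
+"type": "string"
+},
+"source_description_s": {
+"description": "A description of the source feed that provides background to the type of data, the types of information available to the user",
+"type": "string"
+},
+"source_file_s": {
+"description": "The file containing the original feed information",
+"type": "string",
+"format": "uri"
+},
+"score_i": {
+"description": "The score of the source feed accuracy. As assessment of the source feed’s accuracy between 1 and 100 where 100 is completely accurate",
+"type": "integer",
+"minimum": 1,
+"maximum": 100
+},
+"last_updated_t": {
+"description": "The Epoch UTC timestamp this file was last changed by the provider",
+"type": "integer",
+"minimum": 0
+},
+"distribution_time_t": {
+"description": "The Epoch UTC timestamp this file was distributed by the provider",
+"type": "integer",
+"minimum": 0
+},
+"list_name_s": {
+"description": "The threat feed list name",
+"type": "string"
+},
+"observable_dictionary_c_array": {
+"description": "An array of observable definitions",
+"type": "array",
+"minItems": 0,
+"items": {
+"$ref": "#/definitions/observable"
+}
+},
+"element_observable_c_array": {
+"description": "An array of Element Threat Observables",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/element_observable"
+}
+},
+"collection_c_array": {
+"description": "An array of Collections",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/collection"
+}
+},
+"asn_c_array": {
+"description": "An array of ASN network information",
+"type": "array",
+"minItems": 1,
+"items": {
+"$ref": "#/definitions/network"
+}
+},
+"dictionary_file_manifest": {
+"description": "An array of filenames (fully qualified path) where the dictionary files are",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string"
+}
+},
+"observable_element_file_manifest": {
+"description": "An array of filenames (fully qualified path) where the element observable files are",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string"
+}
+},
+"collection_file_manifest": {
+"description": "An array of filenames (fully qualified path) where the collection files are",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string"
+}
+},
+"network_file_manifest": {
+"description": "An array of filenames (fully qualified path) where the network files are",
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "string"
+}
+}
+},
+"required": ["schema_version_s", "provider_s", "source_observable_s", "last_updated_t", "list_name_s"]
+}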
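Review bot: The property key `"hash _sha512_h"` (schema line 358, inside the `threat_observable_c_map` `.+` entry) contains a space, so the explicit declaration never matches a real `hash_sha512_h` value and that field is checked only by the generic `_sha512_h$` patternProperty pulled in through the sibling `$ref` to `suffixed_schema`; the key should read `"hash_sha512_h": {`. In the same object, `tlp_i` (line 438) documents a 0–3 range but declares only `"type": "integer"`, so an out-of-range sharing marker validates — add `"minimum": 0, "maximum": 3` so a consumer cannot be handed an undefined TLP level. The `oneOf` at line 496 requires `subject_ipv6_ui`, yet `suffixed_schema` defines `_ipv6_ll$` and no `_ipv6_ui$`, so that subject key falls through to the unbounded `_ui$` entry; either add an `_ipv6_ui$` pattern with `"minimum": 0` or make the required key match the existing suffix. Under draft-04 the `format` assertions (`ipv4`, `ipv6`, `uri`) are enforced only if the consuming validator has format checking enabled, which cannot be confirmed from this hunk, so the hex `pattern` entries are currently the only hard checks on subject values. Separately, the descriptions of `url_s` (line 319) and `fqdn_c_array` (line 393) are copied from neighbouring entries and should describe a URL and a list of FQDN records respectively.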