-
View source
XARF - eXtended Abuse Reporting Format
Latest Release
Find the latest schema release on the releases page.
xarf_bundled.schema.json- includes all versions (superschema)
- all schema definitions in one file
- contains only internal references
- small file size
- best for most use cases, when the used tool is good enough to understand complex internal references (multiple hops)
xarf_deref.schema.json- includes all versions (superschema)
- all schema definitions in one file
- contains no references
- pretty big file size
- can be useful for some not-so-sophisticated code generation tools that can't handle references
Current Version
3Up-To-Date Tested Sample XARF Reports
Build status
Coverage
Please note that you won't be able to see source code for the generated code due to the way CodeCov works. CodeCov doesn't show percentages for code that doesn't exist in the repo. The coverage will probably never reach 100% because of the way the code is generated, but it is still a useful metric to see how well our samples cover the schema.
Superschema
The xarf schema contains the history of all versions including the current development preview. It is recommended to use latest version. Be aware that in
alphathere was no requirement to specify the version.developmentshould not be used in production and is unstable.XARF via SMTP
For the purpose of sending XARF reports in an email we "extend" RFC5965 (An Extensible Format for Email Feedback Reports) which defines the ARF format, this is so that anyone that currently parses ARF can extend their code slightly to receive XARF reports.
RFC5965 requires that the email sent uses an outer Content-Type of
multipart/report; report-type=feedback-report(defined in https://tools.ietf.org/html/rfc6522) and this requires an additional two MIME parts minimum:- A human-readable part to describe the condition(s) that caused the report to be generated
- A machine-readable part that RFC5965 defines. This requires a minimum of 3 fields: Feedback-Type, User-Agent and Version.
The Feedback-Type field in the standard only allows for
abuse,fraud,virus,otherornot-spamvalues but we unofficially add thexarftype, so that a normal ARF receiver would fail at this point, but an XARF compatible parser will then know to expect an XARF report in the next MIME part.The 3rd MIME part in a RFC6522 message would normally be a
message/rfc822part containing the message being reported, but for XARF this would beapplication/jsonand will contain the XARF report.Here is an example of the proposed XARF message:
Content-Type: multipart/report; report-type=feedback-report; boundary="--_NmP-f348b15e0b4a4931-Part_1" From: Abusix <[email protected]> To: Max Musterman <[email protected]> Subject: XARF test Message-ID: <[email protected]> Date: Tue, 21 Apr 2020 10:25:47 +0000 MIME-Version: 1.0 ----_NmP-f348b15e0b4a4931-Part_1 Content-Type: text/plain Content-Transfer-Encoding: 7bit This is the human readable description ----_NmP-f348b15e0b4a4931-Part_1 Content-Type: message/feedback-report Content-Disposition: inline Feedback-Type: xarf User-Agent: Abusix/1.0 Version: 1 ----_NmP-f348b15e0b4a4931-Part_1 Content-Type: application/json; name=xarf.json Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=xarf.json ewogICJWZXJzaW9uIjogIjEiLAogICJSZXBvcnRlckluZm8iOiB7CiAgICAiUmVwb3J0ZXJPcmci OiAiRXhhbXBsZU9yZyIsCiAgICAiUmVwb3J0ZXJPcmdEb21haW4iOiAiZXhhbXBsZS5jb20iLAog ICAgIlJlcG9ydGVyT3JnRW1haWwiOiAicmVwb3J0c0BleGFtcGxlLmNvbSIsCiAgICAiUmVwb3J0 ZXJDb250YWN0RW1haWwiOiAiY29udGFjdEBleGFtcGxlLmNvbSIsCiAgICAiUmVwb3J0ZXJDb250 YWN0TmFtZSI6ICJNci4gRXhhbXBsZSIsCiAgICAiUmVwb3J0ZXJDb250YWN0UGhvbmUiOiAiKyAw MSAwMDAgMTIzNDU2NyIKICB9LAogICJEaXNjbG9zdXJlIjogdHJ1ZSwKICAiUmVwb3J0Ijogewog ICAgIlJlcG9ydENsYXNzIjogIkFjdGl2aXR5IiwKICAgICJSZXBvcnRUeXBlIjogIlNwYW0iLAog ICAgIlJlcG9ydFN1YlR5cGUiOiAiVHJhcCIsCiAgICAiRGF0ZSI6ICIyMDE4LTAyLTA1VDE0OjE3 OjEwWiIsCiAgICAiU291cmNlSXAiOiAiMTkyLjAuMi41NSIsCiAgICAiU291cmNlUG9ydCI6IDU0 MzIxLAogICAgIkRlc3RpbmF0aW9uSXAiOiAiMTk4LjUxLjEwMC4zMyIsCiAgICAiRGVzdGluYXRp b25Qb3J0IjogMjUsCiAgICAiU210cE1haWxGcm9tQWRkcmVzcyI6ICJzcGFtQGV4YW1wbGUuY29t IiwKICAgICJTbXRwUmNwdFRvQWRkcmVzcyI6ICJ2aWN0aW1AZXhhbXBsZS5jb20iLAogICAgIlNh bXBsZXMiOiBbCiAgICAgIHsKICAgICAgICAiQ29udGVudFR5cGUiOiAibWVzc2FnZS9yZmM4MjIi LAogICAgICAgICJCYXNlNjRFbmNvZGVkIjogdHJ1ZSwKICAgICAgICAiRGVzY3JpcHRpb24iOiAi VGhlIHNwYW0gbWFpbCIsCiAgICAgICAgIlBheWxvYWQiOiAiYldGcGJBPT0iCiAgICAgIH0KICAg IF0KICB9Cn0= ----_NmP-f348b15e0b4a4931-Part_1--Validating json-schema samples
Command line
With ajv-cli >= 4.0.0
npm install -g ajv-cli ajv-formats ajv -c ajv-formats -s xarf.schema.json -d "samples/positive/**/*.json" -r "schemas/**/*.schema.json"With ajv-cli < 4.0.0
npm install -g [email protected] ajv -s xarf.schema.json -d "samples/positive/**/*.json" -r "schemas/**/*.schema.json"Project structure
<table> <thead> <tr> <th>File(s)</th> <th align="center">Content</th> </tr> </thead> <tbody> <tr> <td>xarf.schema.json</td> <td align="center">super schema containing links to all schema versions</td> </tr> <tr> <td>schemas/{version}/xarf.schema.json</td> <td align="center">contains links to schema types</td> </tr> <tr> <td>schemas/{version}/xarf_shared.schema.json</td> <td align="center">reusable sub schemas</td> </tr> <tr> <td>schemas/{version}/*.schema.json</td> <td align="center">specific schemas</td> </tr> <tr> <td>samples/positive/{version}/*.json</td> <td align="center">example documents for the schemas</td> </tr> <tr> <td>samples/negative/{version}/*.json</td> <td align="center">invalid examples</td> </tr> <tr> <td>bundle_xarf.js</td> <td align="center">allows combining the schema into a single file</td> </tr> </tbody> </table>Adding a new schema
- Fork the github repo
- Add a new schema in
schemas/development/as [subtype].schema.json and try to reuse as much as possible from xarf_shared.schema.json - Add an example sample to
samples/positive/development/ - Add the new schema to the list in
schemas/development/xarf.schema.json - Run tests locally:
npm run test-xarf - Open up a github PR
- Discuss and improve
Release a new schema version
- Make sure tests are green
- Script dependencies:
- ./relase_new_version.sh {version}
- Update "Current Release" Info in this Readme
Writing the schema to a single file:
Use our bundling script to create a single file schema.
git clone https://github.com/abusix/xarf.git cd xarf npm install npm run bundle-xarfIt will generate two files:
<table> <thead> <tr> <th>File</th> <th align="center">Content</th> </tr> </thead> <tbody> <tr> <td>xarf_bundled.schema.json</td> <td align="center">bundled and minimized using internal refs, might not work with all json schema tools</td> </tr> <tr> <td>xarf_deref.schema.json</td> <td align="center">bundled and completely derefed. might be bigger in size, but should work with all tools</td> </tr> </tbody> </table> -
View source{"$schema":"http://json-schema.org/draft-07/schema#","$id":"https://raw.githubusercontent.com/xarf/schema-discussion/master/xarf.schema.json","title":"XARF","description":"Super-Schema containing all XARF schema versions going forward.","anyOf":[{"title":"XARF","description":"Any xarf schema type.","oneOf":[{"title":"XARF RPZ","description":"A format to report RPZ events.","allOf":[{"description":"Base properties for all xarf reports","type":"object","properties":{"ReporterInfo":{"type":"object","properties":{"ReporterOrg":{"type":"string","description":"name of the reporter organisation","minLength":3},"ReporterOrgDomain":{"type":"string","description":"domain.tld of the reporter organisation","format":"hostname"},"ReporterOrgEmail":{"type":"string","description":"email-address of the reporter organisation","format":"email"},"ReporterOrgAddress":{"type":"string","description":"address of the reporter organisation"},"ReporterContactEmail":{"type":"string","description":"email-address of the reporter contact","format":"email"},"ReporterContactName":{"type":"string","description":"name of the reporter contact","minLength":3},"ReporterContactPhone":{"type":"string","description":"phone number of the reporter contact","minLength":3}},"required":["ReporterOrg","ReporterOrgDomain","ReporterOrgEmail"]},"OnBehalfOf":{"type":"object","properties":{"ComplainantOrg":{"type":"string","description":"name of the complainant organisation","minLength":3},"ComplainantOrgDomain":{"type":"string","description":"domain.tld of the complainant organisation","format":"hostname"},"ComplainantOrgEmail":{"type":"string","description":"email-address of the complainant organisation","format":"email"},"ComplainantContactEmail":{"type":"string","description":"email-address of the complainant contact","format":"email"},"ComplainantContactName":{"type":"string","description":"name of the complainant contact","minLength":3},"ComplainantContactPhone":{"type":"string","description":"phone number of the complainant contact","minLength":3}},"required":["ComplainantOrg","ComplainantOrgDomain","ComplainantOrgEmail"]},"Disclosure":{"type":"boolean","description":"if this event is disclosed or not","default":true},"Version":{"const":"alpha"}},"required":["ReporterInfo","Disclosure"]},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"description":"Base properties for the report part of all xarf report types","type":"object","properties":{"ReportClass":{"type":"string","description":"class of the reported abuse event","enum":["Content","Activity","Vulnerability"]},"ReportType":{"type":"string","description":"type of the reported abuse event","minLength":1},"ReportSubType":{"type":"string","description":"subtype of the reported abuse event"},"ReporterCaseID":{"type":"string","description":"case id of this report given by the reporter"},"ReporterSeverity":{"type":"string","description":"class of the reported abuse event","enum":["low","medium","high"]},"ReporterNotes":{"type":"string","description":"free text - notes by the reporter"}},"required":["ReportClass","ReportType"]},{"description":"stores either a single date or two dates, one for the first occurrence of the event, one for the most recent","type":"object","required":["Date"],"properties":{"Date":{"format":"date-time","type":"string","description":"most recent date-time the event was noticed"},"FirstSeen":{"format":"date-time","type":"string","description":"date-time the event was first noticed. Can be omitted if it is the same as Date"}}},{"type":"object","properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}},"required":["SourceIp"]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Malware"]},"ReportSubType":{"type":"string","enum":["RPZ-Rewrite"]},"RpzDomain":{"type":"string","description":"Domain that was looked up","format":"hostname"},"MalwareName":{"type":"string","description":"Name of malware that performed the lookup"}}}]}}}]},{"title":"XARF DDOS","description":"A format to report DDOS events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["DOS"]}}},{"type":"object","description":"specify a target or destination","properties":{"DestinationIp":{"description":"targeted ip","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"DestinationPort":{"oneOf":[{"type":"array","items":{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}},{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}]}}},{"type":"object","properties":{"ByteCount":{"type":"integer","description":"Bytes per second"},"PacketCount":{"type":"integer","description":"Packets per second"}}},{"type":"object","description":"collection of common, but not easily classified fields","properties":{"Ongoing":{"type":"boolean","description":"is the reported abuse ongoing?"},"ThreatActor":{"type":"string","description":"!TODO!"},"Samples":{"type":"array","description":"Samples of the abuse taking place, e.g. malware file or spam email","items":{"description":"Evidence sample","type":"object","anyOf":[{"properties":{"ContentType":{"type":"string","description":"content type of the sample (e.g. application/rfc822 or image/jpg)"},"Base64Encoded":{"type":"boolean","description":"if payload is base64 encoded. Useful to avoid losing encoding information (e.g. in mails)","default":false},"Description":{"type":"string","description":"description of the sample in plain text"},"Payload":{"type":"string","description":"actual sample"}},"required":["ContentType","Payload"]},{"$ref":"#/anyOf/0/oneOf/6/allOf/1/properties/Report/allOf/2"}]},"minItems":1}}}]}}}]},{"title":"XARF MALWARE","description":"A format to report MALWARE events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","properties":{"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535}}},{"anyOf":[{"type":"object","required":["SourceIp"],"properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}}},{"type":"object","required":["SourceUrl"],"properties":{"SourceUrl":{"type":"string","description":"url of the abuse event origin","format":"uri"}}}]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Malware"]},"MalwareName":{"type":"string","description":"name of the malware"}},"required":["SourceUrl"]},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PHISHING","description":"A format to report Phishing events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Phishing"]}},"required":["SourceUrl"]},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PORTSCAN","description":"A format to report PORTSCAN events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PortScan"]}}},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF SPAM","description":"A format to report SPAM events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Spam"]}}},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"},{"type":"object","description":"Simplified e-mail object to attach the source e-mail to a report","properties":{"FromAddress":{"type":"string","format":"email"},"ToAddress":{"type":"string","format":"email"}}}]}}}]},{"title":"XARF COPYRIGHT","description":"A format to report Copyright infringements.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Copyright"]},"InfringedMaterial":{"type":"string","description":"name of the copyrighted material"},"InfringingUrl":{"type":"string","description":"url to the illegally hosted material","format":"uri"},"MaterialType":{"type":"string","description":"type of copyrighted material, eg. Movie, Music, etc."},"SharingProtocol":{"type":"string","description":"protocol used to distribute the material"},"CourtOrder":{"type":"string","description":"url to the court order about this infringement","format":"uri"}},"required":["ReportClass","ReportType","InfringedMaterial"]},{"description":"Additional properties for xarf report types about a specific file","type":"object","properties":{"FileName":{"type":"string","description":"name of the file"},"FileSize":{"type":"integer","description":"file size in byte","minimum":0},"FileHash":{"type":"string","description":"hash value of the file"}},"required":["FileName"]}]}}}]},{"title":"XARF TRADEMARK","description":"A format to report Trademark infringements.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Trademark"]},"TrademarkedMaterial":{"type":"string","description":"description of what is trademarked"},"InfringingUrl":{"type":"string","description":"url to the illegally hosted material","format":"uri"},"RegistrationOffice":{"type":"string","description":"office the trademark has been registered"},"RegistrationNumber":{"type":"string","description":"trademark registration number"}},"required":["TrademarkedMaterial"]}]}}}]},{"title":"XARF LOGINATTACK","description":"A format to report login attacks.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["LoginAttack"]}}},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF CHILDABUSE","description":"A format to report child abuse events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["ChildAbuse"]}}}]}}}]},{"title":"XARF BOTNET","description":"A format to report Botnet events.","allOf":[{"$ref":"#/anyOf/0/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/0/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Botnet"]},"BotnetName":{"type":"string","description":"name of the botnet"}}},{"$ref":"#/anyOf/0/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]}]},{"title":"XARF","description":"Any xarf schema type.","oneOf":[{"title":"XARF RPZ","description":"A format to report RPZ events.","allOf":[{"description":"Base properties for all xarf reports","type":"object","allOf":[{"type":"object","properties":{"ReporterInfo":{"type":"object","additionalProperties":false,"properties":{"ReporterType":{"$comment":"Contact info is optional if the reporter is a natural person","enum":["Org","Person"]},"ReporterOrg":{"type":"string","description":"name of the reporter organisation","minLength":3},"ReporterOrgDomain":{"type":"string","description":"domain.tld of the reporter organisation","format":"hostname"},"ReporterOrgEmail":{"type":"string","description":"email-address of the reporter organisation","format":"email"},"ReporterOrgAddress":{"type":"string","description":"address of the reporter organisation"},"ReporterContactEmail":{"type":"string","description":"email-address of the reporter contact","format":"email"},"ReporterContactName":{"type":"string","description":"name of the reporter contact","minLength":3},"ReporterContactPhone":{"type":"string","description":"phone number of the reporter contact","minLength":3}},"if":{"not":{"properties":{"ReporterType":{"const":"Person"}}}},"then":{"required":["ReporterOrg","ReporterOrgDomain","ReporterOrgEmail"]}},"OnBehalfOf":{"type":"object","properties":{"ComplainantType":{"$comment":"Contact info is optional if the reporter is a natural person","enum":["Org","Person"]},"ComplainantOrg":{"type":"string","description":"name of the complainant organisation","minLength":3},"ComplainantOrgDomain":{"type":"string","description":"domain.tld of the complainant organisation","format":"hostname"},"ComplainantOrgEmail":{"type":"string","description":"email-address of the complainant organisation","format":"email"},"ComplainantContactEmail":{"type":"string","description":"email-address of the complainant contact","format":"email"},"ComplainantContactName":{"type":"string","description":"name of the complainant contact","minLength":3},"ComplainantContactPhone":{"type":"string","description":"phone number of the complainant contact","minLength":3}},"if":{"not":{"properties":{"ComplainantType":{"const":"Person"}}}},"then":{"required":["ComplainantOrg","ComplainantOrgDomain","ComplainantOrgEmail"]}}},"required":["ReporterInfo"]},{"type":"object","properties":{"Disclosure":{"type":"boolean","description":"if this event is disclosed or not","default":true},"Version":{"const":"development"},"InternalProcessing":{"type":"object","description":"Information about the reportee for internal processing. This should be ignored if the reporter isn't authorized. It's intended to be used for relaying internaly generated xarf-reports to automation software.","properties":{"SubscriberInformation":{"type":"object","description":"Information about the reportee/customer.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee."},"SubscriberData":{"type":"object","description":"Data about a customer normally returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"ContractInformation":{"type":"object","description":"Information about the reportee's/customer's contract.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee's contract."},"ResolverData":{"type":"object","description":"Data about a customers contract normaly returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"EventTags":{"type":"array","description":"Custom tags for classification, metrics and other internal uses.","items":{"type":"string"}}}}},"required":["Disclosure","Version"]}]},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"description":"Base properties for the report part of all xarf report types","type":"object","properties":{"ReportClass":{"type":"string","description":"class of the reported abuse event","enum":["Content","Activity","Vulnerability"]},"ReportType":{"type":"string","description":"type of the reported abuse event","minLength":1},"ReportSubType":{"type":"string","description":"subtype of the reported abuse event"},"ReporterCaseID":{"type":"string","description":"case id of this report given by the reporter"},"ReporterSeverity":{"type":"string","description":"class of the reported abuse event","enum":["low","medium","high"]},"ReporterNotes":{"type":"string","description":"free text - notes by the reporter"},"Custom":{"type":"object","description":"allows for custom key-value fields","additionalProperties":{"anyOf":[{"type":"string"},{"type":"integer"}]}}},"required":["ReportClass","ReportType"]},{"description":"stores either a single date or two dates, one for the first occurrence of the event, one for the most recent","type":"object","required":["Date"],"properties":{"Date":{"format":"date-time","type":"string","description":"most recent date-time the event was noticed"},"FirstSeen":{"format":"date-time","type":"string","description":"date-time the event was first noticed. Can be omitted if it is the same as Date"}}},{"type":"object","properties":{"SourceIp":{"title":"IP information, either ipv4 or ipv6","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"SourcePort":{"title":"Port information","type":"integer","minimum":0,"maximum":65535},"ASN":{"type":"integer","description":"autonomous system number the reported ip belongs to","minimum":1,"maximum":4199999999}},"required":["SourceIp"]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Malware"]},"ReportSubType":{"type":"string","enum":["RPZ-Rewrite"]},"RpzDomain":{"type":"string","description":"Domain that was looked up","format":"hostname"},"MalwareName":{"type":"string","description":"Name of malware that performed the lookup"}}}]}}}]},{"title":"XARF DDOS","description":"A format to report DDOS events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["DOS"]}}},{"type":"object","description":"specify a target or destination","properties":{"DestinationIp":{"description":"targeted ip","$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"DestinationPort":{"oneOf":[{"type":"array","items":{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"targeted port"}},{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"targeted port"}]}}},{"type":"object","properties":{"ByteCount":{"type":"integer","description":"Bytes per second"},"PacketCount":{"type":"integer","description":"Packets per second"}}},{"type":"object","description":"collection of common, but not easily classified fields","properties":{"Ongoing":{"type":"boolean","description":"is the reported abuse ongoing?"},"ThreatActor":{"type":"string","description":"!TODO!"},"Samples":{"type":"array","description":"Samples of the abuse taking place, e.g. malware file or spam email","items":{"description":"Evidence sample","type":"object","anyOf":[{"properties":{"ContentType":{"type":"string","description":"content type of the sample (e.g. application/rfc822 or image/jpg)"},"Base64Encoded":{"type":"boolean","description":"if payload is base64 encoded. Useful to avoid losing encoding information (e.g. in mails)","default":false},"Description":{"type":"string","description":"description of the sample in plain text"},"Payload":{"type":"string","description":"actual sample"}},"required":["ContentType","Payload"]},{"$ref":"#/anyOf/1/oneOf/6/allOf/1/properties/Report/allOf/2"}]},"minItems":1}}}]}}}]},{"title":"XARF MALWARE","description":"A format to report MALWARE events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","properties":{"SourcePort":{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort"}}},{"anyOf":[{"type":"object","required":["SourceIp"],"properties":{"SourceIp":{"description":"ip from which the abuse event originated","$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"ASN":{"type":"integer","description":"autonomous system number the reported ip belongs to","minimum":1,"maximum":4199999999}}},{"type":"object","required":["SourceUrl"],"properties":{"SourceUrl":{"type":"string","description":"url of the abuse event origin","format":"uri"}}}]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Malware"]},"MalwareName":{"type":"string","description":"name of the malware"}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PHISHING","description":"A format to report Phishing events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Phishing"]}},"required":["SourceUrl"]},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PORTSCAN","description":"A format to report PORTSCAN events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PortScan"]}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF SPAM","description":"A format to report SPAM events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Spam"]}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"},{"type":"object","description":"Simplified e-mail object to attach the source e-mail to a report","properties":{"SmtpMailFromAddress":{"type":"string","format":"email"},"SmtpRcptToAddress":{"type":"string","format":"email"}}}]}}}]},{"title":"XARF COPYRIGHT","description":"A format to report Copyright infringements.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Copyright"]},"InfringedMaterial":{"type":"string","description":"name of the copyrighted material"},"MaterialType":{"type":"string","description":"type of copyrighted material, eg. Movie, Music, etc."},"SharingProtocol":{"type":"string","description":"protocol used to distribute the material"},"CourtOrder":{"type":"string","description":"url to the court order about this infringement","format":"uri"}},"required":["ReportClass","ReportType","InfringedMaterial"]},{"description":"Additional properties for xarf report types about a specific file","type":"object","properties":{"FileName":{"type":"string","description":"name of the file"},"FileSize":{"type":"integer","description":"file size in byte","minimum":0},"FileHash":{"description":"The hash value of eg. a file or a password.","type":"object","properties":{"HashValue":{"type":"string"},"HashAlgorithm":{"type":"string","enum":["sha1","sha2","sha3","sha256","sha512","md5","argon2id","scrypt","bcrypt","pbkdf2"]},"HashComplete":{"type":"boolean","default":true,"description":"Whether the complete hash is attached. The alternative is to only attach the first N characters of the computed hash."}},"required":["HashValue","HashAlgorithm"]}},"required":["FileName"]}]}}}]},{"title":"XARF TRADEMARK","description":"A format to report Trademark infringements.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Trademark"]},"TrademarkedMaterial":{"type":"string","description":"description of what is trademarked"},"RegistrationOffice":{"type":"string","description":"office the trademark has been registered"},"RegistrationNumber":{"type":"string","description":"trademark registration number"}},"required":["TrademarkedMaterial"]}]}}}]},{"title":"XARF LOGINATTACK","description":"A format to report login attacks.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["LoginAttack"]}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF EXPLOIT","description":"A format to report exploit attempts.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Exploit"]}}},{"type":"object","description":"Transport protocol used by the reportee","properties":{"TransportProtocol":{"type":"string","enum":["tcp","udp"]}}},{"type":"object","description":"CVE reference number","properties":{"CVE":{"type":"string","pattern":"^CVE-\\d{4}-\\d{4,7}$"}}},{"type":"object","description":"CVSS Severity and Metrics","properties":{"CVSS":{"type":"object","required":["Version","Vector"],"properties":{"Score":{"type":"number"},"Version":{"type":"string","enum":["3.1","3.0","2"]},"Vector":{"type":"string"},"Severity":{"type":"string"}},"if":{"properties":{"Version":{"const":"2"}}},"then":{"properties":{"Severity":{"enum":["Low","Medium","High"]},"Vector":{"pattern":"^\\(?AV:[LAN]\\/AC:[HML]\\/Au:[MSN]\\/C:[NPC]\\/I:[NPC]\\/A:[NPC](\\/E:((ND)|(POC)|[UFH])\\/RL:([WU]|(ND)|(OF)|(TF))\\/RC:(C|(ND)|(UC)|(UR)))?(\\/CDP:([NLH]|ND|LM|MH)\\/TD:(ND|[NLMH])\\/CR:(ND|[NLMH])\\/IR:(ND|[LMH])\\/AR:(ND|[LMH]))?\\)?$","type":"string"}}},"else":{"properties":{"Severity":{"enum":["None","Low","Medium","High","Critical"]},"Vector":{"pattern":"^CVSS:3.[01]\\/AV:[NALP]\\/AC:[LH]\\/PR:[NLH]\\/UI:[NR]\\/S:[UC]\\/C:[NLH]\\/I:[NLH]\\/A:[NLH](\\/E:[XUPFH]\\/RL:[XOTWU]\\/RC:[XURC])?(\\/CR:[XLMH]\\/IR:[XLMH]\\/AR:[XLMH]\\/MAV:[XNALP]\\/MAC:[XLH]\\/MPR:[XNLH]\\/MUI:[XNR]\\/MS:[XUC]\\/MC:[XNLH]\\/MI:[XNLH]\\/MA:[XNLH])?$","type":"string"}}}}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/2"},{"type":"object","description":"Specify a service to report","properties":{"ServiceName":{"type":"string"},"ServiceVersion":{"type":"string","description":"Affected service version or version range"}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF COMPROMISED ACCOUNT","description":"Report format to notify victims of a potentially leaked login data. Used for reporting observed usages of possibly leaked user information in login attempts.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","required":["Account"],"properties":{"Account":{"type":"object","minProperties":1,"description":"Account data of the reportee","properties":{"AccountIdentifier":{"type":"string","description":"reported account name or other identifier","not":{"description":"email based user accounts should go to the AccountEmail field","format":"email"}},"AccountEmail":{"type":"string","description":"email account of the user"}}}}}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PotentiallyCompromisedAccount"]}}},{"not":{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"}},{"type":"object","description":"Specify the source of an attack. Used when attack source is not the subject of the report, eg. in an PotentiallyCompromisedAccount report.","properties":{"AttackerIp":{"description":"attacker ip","$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"AttackerPort":{"oneOf":[{"type":"array","items":{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"attack port"}},{"$ref":"#/anyOf/1/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"attack port"}]}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"},{"description":"Password information","type":"object","properties":{"PasswordHash":{"$ref":"#/anyOf/1/oneOf/6/allOf/1/properties/Report/allOf/2/properties/FileHash"}}}]}}}]},{"title":"XARF CHILDSEXUALABUSEMATERIAL","description":"A format to report content depicting child sexual abuse.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["ChildSexualAbuseMaterial"]},"ReportSubType":{"type":"string","enum":["Link-Sharing"]}}}]}}}]},{"title":"XARF BOTNET","description":"A format to report Botnet events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Botnet"]},"BotnetName":{"type":"string","description":"name of the botnet"}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF OPENSERVICE","description":"A format to report open service events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Vulnerability"]},"ReportType":{"type":"string","enum":["OpenService"]}}},{"$ref":"#/anyOf/1/oneOf/9/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/1/oneOf/9/allOf/1/properties/Report/allOf/6"},{"type":"object","required":["ServiceName"]},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF WEBCRAWLER","description":"A format to report Web-Crawling events.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["WebCrawler"]}}},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF HARASSMENT","description":"A format to report harassment.","allOf":[{"$ref":"#/anyOf/1/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/1/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Harassment"]}}},{"type":"object","description":"Details of someone harassing someone else.","properties":{"Harasser":{"type":"string","description":"Specify the identity of the harassing individual, eg. name, username, phone number or email"},"HarassmentDescription":{"type":"string","description":"Description/Reason why the reported behavior classifies as harassment."},"HarassmentType":{"enum":["doxing","stalking","sexual","believes","defamation","extortion","hate"]},"HarassmentLocation":{"enum":["website","chat","game"]}},"required":["Harasser","HarassmentDescription"]},{"$ref":"#/anyOf/1/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]}]},{"title":"XARF","description":"Any xarf schema type.","oneOf":[{"title":"XARF RPZ","description":"A format to report RPZ events.","allOf":[{"description":"Base properties for all xarf reports","type":"object","properties":{"ReporterInfo":{"type":"object","properties":{"ReporterOrg":{"type":"string","description":"name of the reporter organisation","minLength":3},"ReporterOrgDomain":{"type":"string","description":"domain.tld of the reporter organisation","format":"hostname"},"ReporterOrgEmail":{"type":"string","description":"email-address of the reporter organisation","format":"email"},"ReporterOrgAddress":{"type":"string","description":"address of the reporter organisation"},"ReporterContactEmail":{"type":"string","description":"email-address of the reporter contact","format":"email"},"ReporterContactName":{"type":"string","description":"name of the reporter contact","minLength":3},"ReporterContactPhone":{"type":"string","description":"phone number of the reporter contact","minLength":3}},"required":["ReporterOrg","ReporterOrgDomain","ReporterOrgEmail"]},"OnBehalfOf":{"type":"object","properties":{"ComplainantOrg":{"type":"string","description":"name of the complainant organisation","minLength":3},"ComplainantOrgDomain":{"type":"string","description":"domain.tld of the complainant organisation","format":"hostname"},"ComplainantOrgEmail":{"type":"string","description":"email-address of the complainant organisation","format":"email"},"ComplainantContactEmail":{"type":"string","description":"email-address of the complainant contact","format":"email"},"ComplainantContactName":{"type":"string","description":"name of the complainant contact","minLength":3},"ComplainantContactPhone":{"type":"string","description":"phone number of the complainant contact","minLength":3}},"required":["ComplainantOrg","ComplainantOrgDomain","ComplainantOrgEmail"]},"Disclosure":{"type":"boolean","description":"if this event is disclosed or not","default":true},"Version":{"const":"1"}},"required":["ReporterInfo","Disclosure","Version"]},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"description":"Base properties for the report part of all xarf report types","type":"object","properties":{"ReportClass":{"type":"string","description":"class of the reported abuse event","enum":["Content","Activity","Vulnerability"]},"ReportType":{"type":"string","description":"type of the reported abuse event","minLength":1},"ReportSubType":{"type":"string","description":"subtype of the reported abuse event"},"ReporterCaseID":{"type":"string","description":"case id of this report given by the reporter"},"ReporterSeverity":{"type":"string","description":"class of the reported abuse event","enum":["low","medium","high"]},"ReporterNotes":{"type":"string","description":"free text - notes by the reporter"},"Custom":{"type":"object","description":"allows for custom key-value fields","additionalProperties":{"anyOf":[{"type":"string"},{"type":"integer"}]}}},"required":["ReportClass","ReportType"]},{"description":"stores either a single date or two dates, one for the first occurrence of the event, one for the most recent","type":"object","required":["Date"],"properties":{"Date":{"format":"date-time","type":"string","description":"most recent date-time the event was noticed"},"FirstSeen":{"format":"date-time","type":"string","description":"date-time the event was first noticed. Can be omitted if it is the same as Date"}}},{"type":"object","properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}},"required":["SourceIp"]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Malware"]},"ReportSubType":{"type":"string","enum":["RPZ-Rewrite"]},"RpzDomain":{"type":"string","description":"Domain that was looked up","format":"hostname"},"MalwareName":{"type":"string","description":"Name of malware that performed the lookup"}}}]}}}]},{"title":"XARF DDOS","description":"A format to report DDOS events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["DOS"]}}},{"type":"object","description":"specify a target or destination","properties":{"DestinationIp":{"description":"targeted ip","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"DestinationPort":{"oneOf":[{"type":"array","items":{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}},{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}]}}},{"type":"object","properties":{"ByteCount":{"type":"integer","description":"Bytes per second"},"PacketCount":{"type":"integer","description":"Packets per second"}}},{"type":"object","description":"collection of common, but not easily classified fields","properties":{"Ongoing":{"type":"boolean","description":"is the reported abuse ongoing?"},"ThreatActor":{"type":"string","description":"!TODO!"},"Samples":{"type":"array","description":"Samples of the abuse taking place, e.g. malware file or spam email","items":{"description":"Evidence sample","type":"object","anyOf":[{"properties":{"ContentType":{"type":"string","description":"content type of the sample (e.g. application/rfc822 or image/jpg)"},"Base64Encoded":{"type":"boolean","description":"if payload is base64 encoded. Useful to avoid losing encoding information (e.g. in mails)","default":false},"Description":{"type":"string","description":"description of the sample in plain text"},"Payload":{"type":"string","description":"actual sample"}},"required":["ContentType","Payload"]},{"$ref":"#/anyOf/2/oneOf/6/allOf/1/properties/Report/allOf/2"}]},"minItems":1}}}]}}}]},{"title":"XARF MALWARE","description":"A format to report MALWARE events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","properties":{"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535}}},{"anyOf":[{"type":"object","required":["SourceIp"],"properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}}},{"type":"object","required":["SourceUrl"],"properties":{"SourceUrl":{"type":"string","description":"url of the abuse event origin","format":"uri"}}}]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Malware"]},"MalwareName":{"type":"string","description":"name of the malware"}},"required":["SourceUrl"]},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PHISHING","description":"A format to report Phishing events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Phishing"]}},"required":["SourceUrl"]},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PORTSCAN","description":"A format to report PORTSCAN events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PortScan"]}}},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF SPAM","description":"A format to report SPAM events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Spam"]}}},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"},{"type":"object","description":"Simplified e-mail object to attach the source e-mail to a report","properties":{"SmtpMailFromAddress":{"type":"string","format":"email"},"SmtpRcptToAddress":{"type":"string","format":"email"}}}]}}}]},{"title":"XARF COPYRIGHT","description":"A format to report Copyright infringements.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Copyright"]},"InfringedMaterial":{"type":"string","description":"name of the copyrighted material"},"MaterialType":{"type":"string","description":"type of copyrighted material, eg. Movie, Music, etc."},"SharingProtocol":{"type":"string","description":"protocol used to distribute the material"},"CourtOrder":{"type":"string","description":"url to the court order about this infringement","format":"uri"}},"required":["ReportClass","ReportType","InfringedMaterial"]},{"description":"Additional properties for xarf report types about a specific file","type":"object","properties":{"FileName":{"type":"string","description":"name of the file"},"FileSize":{"type":"integer","description":"file size in byte","minimum":0},"FileHash":{"type":"string","description":"hash value of the file"}},"required":["FileName"]}]}}}]},{"title":"XARF TRADEMARK","description":"A format to report Trademark infringements.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Trademark"]},"TrademarkedMaterial":{"type":"string","description":"description of what is trademarked"},"RegistrationOffice":{"type":"string","description":"office the trademark has been registered"},"RegistrationNumber":{"type":"string","description":"trademark registration number"}},"required":["TrademarkedMaterial"]}]}}}]},{"title":"XARF LOGINATTACK","description":"A format to report login attacks.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["LoginAttack"]}}},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF CHILDABUSE","description":"A format to report child abuse events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["ChildAbuse"]}}}]}}}]},{"title":"XARF BOTNET","description":"A format to report Botnet events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Botnet"]},"BotnetName":{"type":"string","description":"name of the botnet"}}},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF OPENSERVICE","description":"A format to report open service events.","allOf":[{"$ref":"#/anyOf/2/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/2/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Vulnerability"]},"ReportType":{"type":"string","enum":["OpenService"]}}},{"type":"object","description":"Transport protocol used by the reportee","properties":{"TransportProtocol":{"type":"string","enum":["tcp","udp"]}}},{"type":"object","description":"Specify a service to report","required":["ServiceName"],"properties":{"ServiceName":{"type":"string"},"ServiceVersion":{"type":"string","description":"Affected service version or version range"}}},{"$ref":"#/anyOf/2/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]}]},{"title":"XARF","description":"Any xarf schema type.","oneOf":[{"title":"XARF RPZ","description":"A format to report RPZ events.","allOf":[{"description":"Base properties for all xarf reports","type":"object","properties":{"ReporterInfo":{"type":"object","properties":{"ReporterOrg":{"type":"string","description":"name of the reporter organisation","minLength":3},"ReporterOrgDomain":{"type":"string","description":"domain.tld of the reporter organisation","format":"hostname"},"ReporterOrgEmail":{"type":"string","description":"email-address of the reporter organisation","format":"email"},"ReporterOrgAddress":{"type":"string","description":"address of the reporter organisation"},"ReporterContactEmail":{"type":"string","description":"email-address of the reporter contact","format":"email"},"ReporterContactName":{"type":"string","description":"name of the reporter contact","minLength":3},"ReporterContactPhone":{"type":"string","description":"phone number of the reporter contact","minLength":3}},"required":["ReporterOrg","ReporterOrgDomain","ReporterOrgEmail"]},"OnBehalfOf":{"type":"object","properties":{"ComplainantOrg":{"type":"string","description":"name of the complainant organisation","minLength":3},"ComplainantOrgDomain":{"type":"string","description":"domain.tld of the complainant organisation","format":"hostname"},"ComplainantOrgEmail":{"type":"string","description":"email-address of the complainant organisation","format":"email"},"ComplainantContactEmail":{"type":"string","description":"email-address of the complainant contact","format":"email"},"ComplainantContactName":{"type":"string","description":"name of the complainant contact","minLength":3},"ComplainantContactPhone":{"type":"string","description":"phone number of the complainant contact","minLength":3}},"required":["ComplainantOrg","ComplainantOrgDomain","ComplainantOrgEmail"]},"Disclosure":{"type":"boolean","description":"if this event is disclosed or not","default":true},"Version":{"const":"2"},"InternalProcessing":{"type":"object","description":"Information about the reportee for internal processing. This should be ignored if the reporter isn't authorized. It's intended to be used for relaying internaly generated xarf-reports to automation software.","properties":{"SubscriberInformation":{"type":"object","description":"Information about the reportee/customer.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee."},"SubscriberData":{"type":"object","description":"Data about a customer normaly returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"ContractInformation":{"type":"object","description":"Information about the reportee's/customer's contract.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee's contract."},"ResolverData":{"type":"object","description":"Data about a customers contract normaly returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"EventTags":{"type":"array","description":"Custom tags for classification, metrics and other internal uses.","items":{"type":"string"}}}}},"required":["ReporterInfo","Disclosure","Version"]},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"description":"Base properties for the report part of all xarf report types","type":"object","properties":{"ReportClass":{"type":"string","description":"class of the reported abuse event","enum":["Content","Activity","Vulnerability"]},"ReportType":{"type":"string","description":"type of the reported abuse event","minLength":1},"ReportSubType":{"type":"string","description":"subtype of the reported abuse event"},"ReporterCaseID":{"type":"string","description":"case id of this report given by the reporter"},"ReporterSeverity":{"type":"string","description":"class of the reported abuse event","enum":["low","medium","high"]},"ReporterNotes":{"type":"string","description":"free text - notes by the reporter"},"Custom":{"type":"object","description":"allows for custom key-value fields","additionalProperties":{"anyOf":[{"type":"string"},{"type":"integer"}]}}},"required":["ReportClass","ReportType"]},{"description":"stores either a single date or two dates, one for the first occurrence of the event, one for the most recent","type":"object","required":["Date"],"properties":{"Date":{"format":"date-time","type":"string","description":"most recent date-time the event was noticed"},"FirstSeen":{"format":"date-time","type":"string","description":"date-time the event was first noticed. Can be omitted if it is the same as Date"}}},{"type":"object","properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}},"required":["SourceIp"]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Malware"]},"ReportSubType":{"type":"string","enum":["RPZ-Rewrite"]},"RpzDomain":{"type":"string","description":"Domain that was looked up","format":"hostname"},"MalwareName":{"type":"string","description":"Name of malware that performed the lookup"}}}]}}}]},{"title":"XARF DDOS","description":"A format to report DDOS events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["DOS"]}}},{"type":"object","description":"specify a target or destination","properties":{"DestinationIp":{"description":"targeted ip","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"DestinationPort":{"oneOf":[{"type":"array","items":{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}},{"type":"integer","description":"targeted port","minimum":0,"maximum":65535}]}}},{"type":"object","properties":{"ByteCount":{"type":"integer","description":"Bytes per second"},"PacketCount":{"type":"integer","description":"Packets per second"}}},{"type":"object","description":"collection of common, but not easily classified fields","properties":{"Ongoing":{"type":"boolean","description":"is the reported abuse ongoing?"},"ThreatActor":{"type":"string","description":"!TODO!"},"Samples":{"type":"array","description":"Samples of the abuse taking place, e.g. malware file or spam email","items":{"description":"Evidence sample","type":"object","anyOf":[{"properties":{"ContentType":{"type":"string","description":"content type of the sample (e.g. application/rfc822 or image/jpg)"},"Base64Encoded":{"type":"boolean","description":"if payload is base64 encoded. Useful to avoid losing encoding information (e.g. in mails)","default":false},"Description":{"type":"string","description":"description of the sample in plain text"},"Payload":{"type":"string","description":"actual sample"}},"required":["ContentType","Payload"]},{"$ref":"#/anyOf/3/oneOf/6/allOf/1/properties/Report/allOf/2"}]},"minItems":1}}}]}}}]},{"title":"XARF MALWARE","description":"A format to report MALWARE events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","properties":{"SourcePort":{"type":"integer","description":"source port from that the abuse event originated","minimum":0,"maximum":65535}}},{"anyOf":[{"type":"object","required":["SourceIp"],"properties":{"SourceIp":{"description":"ip from that the abuse event originated","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"ASN":{"type":"integer","description":"autonomous system number the reportet ip belongs to","minimum":1,"maximum":4199999999}}},{"type":"object","required":["SourceUrl"],"properties":{"SourceUrl":{"type":"string","description":"url of the abuse event origin","format":"uri"}}}]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Malware"]},"MalwareName":{"type":"string","description":"name of the malware"}},"required":["SourceUrl"]},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PHISHING","description":"A format to report Phishing events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Phishing"]}},"required":["SourceUrl"]},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PORTSCAN","description":"A format to report PORTSCAN events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PortScan"]}}},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF SPAM","description":"A format to report SPAM events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Spam"]}}},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"},{"type":"object","description":"Simplified e-mail object to attach the source e-mail to a report","properties":{"SmtpMailFromAddress":{"type":"string","format":"email"},"SmtpRcptToAddress":{"type":"string","format":"email"}}}]}}}]},{"title":"XARF COPYRIGHT","description":"A format to report Copyright infringements.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Copyright"]},"InfringedMaterial":{"type":"string","description":"name of the copyrighted material"},"MaterialType":{"type":"string","description":"type of copyrighted material, eg. Movie, Music, etc."},"SharingProtocol":{"type":"string","description":"protocol used to distribute the material"},"CourtOrder":{"type":"string","description":"url to the court order about this infringement","format":"uri"}},"required":["ReportClass","ReportType","InfringedMaterial"]},{"description":"Additional properties for xarf report types about a specific file","type":"object","properties":{"FileName":{"type":"string","description":"name of the file"},"FileSize":{"type":"integer","description":"file size in byte","minimum":0},"FileHash":{"type":"string","description":"hash value of the file"}},"required":["FileName"]}]}}}]},{"title":"XARF TRADEMARK","description":"A format to report Trademark infringements.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Trademark"]},"TrademarkedMaterial":{"type":"string","description":"description of what is trademarked"},"RegistrationOffice":{"type":"string","description":"office the trademark has been registered"},"RegistrationNumber":{"type":"string","description":"trademark registration number"}},"required":["TrademarkedMaterial"]}]}}}]},{"title":"XARF LOGINATTACK","description":"A format to report login attacks.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["LoginAttack"]}}},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF CHILDABUSE","description":"A format to report child abuse events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["ChildAbuse"]}}}]}}}]},{"title":"XARF BOTNET","description":"A format to report Botnet events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Botnet"]},"BotnetName":{"type":"string","description":"name of the botnet"}}},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF OPENSERVICE","description":"A format to report open service events.","allOf":[{"$ref":"#/anyOf/3/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/3/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Vulnerability"]},"ReportType":{"type":"string","enum":["OpenService"]}}},{"type":"object","description":"Transport protocol used by the reportee","properties":{"TransportProtocol":{"type":"string","enum":["tcp","udp"]}}},{"type":"object","description":"Specify a service to report","required":["ServiceName"],"properties":{"ServiceName":{"type":"string"},"ServiceVersion":{"type":"string","description":"Affected service version or version range"}}},{"$ref":"#/anyOf/3/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]}]},{"title":"XARF","description":"Any xarf schema type.","oneOf":[{"title":"XARF RPZ","description":"A format to report RPZ events.","allOf":[{"description":"Base properties for all xarf reports","type":"object","allOf":[{"type":"object","properties":{"ReporterInfo":{"type":"object","additionalProperties":false,"properties":{"ReporterType":{"$comment":"Contact info is optional if the reporter is a natural person","enum":["Org","Person"]},"ReporterOrg":{"type":"string","description":"name of the reporter organisation","minLength":3},"ReporterOrgDomain":{"type":"string","description":"domain.tld of the reporter organisation","format":"hostname"},"ReporterOrgEmail":{"type":"string","description":"email-address of the reporter organisation","format":"email"},"ReporterOrgAddress":{"type":"string","description":"address of the reporter organisation"},"ReporterContactEmail":{"type":"string","description":"email-address of the reporter contact","format":"email"},"ReporterContactName":{"type":"string","description":"name of the reporter contact","minLength":3},"ReporterContactPhone":{"type":"string","description":"phone number of the reporter contact","minLength":3}},"if":{"not":{"properties":{"ReporterType":{"const":"Person"}}}},"then":{"required":["ReporterOrg","ReporterOrgDomain","ReporterOrgEmail"]}},"OnBehalfOf":{"type":"object","properties":{"ComplainantType":{"$comment":"Contact info is optional if the reporter is a natural person","enum":["Org","Person"]},"ComplainantOrg":{"type":"string","description":"name of the complainant organisation","minLength":3},"ComplainantOrgDomain":{"type":"string","description":"domain.tld of the complainant organisation","format":"hostname"},"ComplainantOrgEmail":{"type":"string","description":"email-address of the complainant organisation","format":"email"},"ComplainantContactEmail":{"type":"string","description":"email-address of the complainant contact","format":"email"},"ComplainantContactName":{"type":"string","description":"name of the complainant contact","minLength":3},"ComplainantContactPhone":{"type":"string","description":"phone number of the complainant contact","minLength":3}},"if":{"not":{"properties":{"ComplainantType":{"const":"Person"}}}},"then":{"required":["ComplainantOrg","ComplainantOrgDomain","ComplainantOrgEmail"]}}},"required":["ReporterInfo"]},{"type":"object","properties":{"Disclosure":{"type":"boolean","description":"if this event is disclosed or not","default":true},"Version":{"const":"3"},"InternalProcessing":{"type":"object","description":"Information about the reportee for internal processing. This should be ignored if the reporter isn't authorized. It's intended to be used for relaying internaly generated xarf-reports to automation software.","properties":{"SubscriberInformation":{"type":"object","description":"Information about the reportee/customer.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee."},"SubscriberData":{"type":"object","description":"Data about a customer normally returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"ContractInformation":{"type":"object","description":"Information about the reportee's/customer's contract.","properties":{"ID":{"type":"string","description":"Internal ID of the reportee's contract."},"ResolverData":{"type":"object","description":"Data about a customers contract normaly returned by a resolver in the process of determining the reportee.","additionalProperties":{"type":"string"}}}},"EventTags":{"type":"array","description":"Custom tags for classification, metrics and other internal uses.","items":{"type":"string"}}}}},"required":["Disclosure","Version"]}]},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"description":"Base properties for the report part of all xarf report types","type":"object","properties":{"ReportClass":{"type":"string","description":"class of the reported abuse event","enum":["Content","Activity","Vulnerability"]},"ReportType":{"type":"string","description":"type of the reported abuse event","minLength":1},"ReportSubType":{"type":"string","description":"subtype of the reported abuse event"},"ReporterCaseID":{"type":"string","description":"case id of this report given by the reporter"},"ReporterSeverity":{"type":"string","description":"class of the reported abuse event","enum":["low","medium","high"]},"ReporterNotes":{"type":"string","description":"free text - notes by the reporter"},"Custom":{"type":"object","description":"allows for custom key-value fields","additionalProperties":{"anyOf":[{"type":"string"},{"type":"integer"}]}}},"required":["ReportClass","ReportType"]},{"description":"stores either a single date or two dates, one for the first occurrence of the event, one for the most recent","type":"object","required":["Date"],"properties":{"Date":{"format":"date-time","type":"string","description":"most recent date-time the event was noticed"},"FirstSeen":{"format":"date-time","type":"string","description":"date-time the event was first noticed. Can be omitted if it is the same as Date"}}},{"type":"object","properties":{"SourceIp":{"title":"IP information, either ipv4 or ipv6","oneOf":[{"type":"string","format":"ipv4"},{"type":"string","format":"ipv6"}]},"SourcePort":{"title":"Port information","type":"integer","minimum":0,"maximum":65535},"ASN":{"type":"integer","description":"autonomous system number the reported ip belongs to","minimum":1,"maximum":4199999999}},"required":["SourceIp"]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Malware"]},"ReportSubType":{"type":"string","enum":["RPZ-Rewrite"]},"RpzDomain":{"type":"string","description":"Domain that was looked up","format":"hostname"},"MalwareName":{"type":"string","description":"Name of malware that performed the lookup"}}}]}}}]},{"title":"XARF DDOS","description":"A format to report DDOS events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["DOS"]}}},{"type":"object","description":"specify a target or destination","properties":{"DestinationIp":{"description":"targeted ip","$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"DestinationPort":{"oneOf":[{"type":"array","items":{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"targeted port"}},{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"targeted port"}]}}},{"type":"object","properties":{"ByteCount":{"type":"integer","description":"Bytes per second"},"PacketCount":{"type":"integer","description":"Packets per second"}}},{"type":"object","description":"collection of common, but not easily classified fields","properties":{"Ongoing":{"type":"boolean","description":"is the reported abuse ongoing?"},"ThreatActor":{"type":"string","description":"!TODO!"},"Samples":{"type":"array","description":"Samples of the abuse taking place, e.g. malware file or spam email","items":{"description":"Evidence sample","type":"object","anyOf":[{"properties":{"ContentType":{"type":"string","description":"content type of the sample (e.g. application/rfc822 or image/jpg)"},"Base64Encoded":{"type":"boolean","description":"if payload is base64 encoded. Useful to avoid losing encoding information (e.g. in mails)","default":false},"Description":{"type":"string","description":"description of the sample in plain text"},"Payload":{"type":"string","description":"actual sample"}},"required":["ContentType","Payload"]},{"$ref":"#/anyOf/4/oneOf/6/allOf/1/properties/Report/allOf/2"}]},"minItems":1}}}]}}}]},{"title":"XARF MALWARE","description":"A format to report MALWARE events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","properties":{"SourcePort":{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort"}}},{"anyOf":[{"type":"object","required":["SourceIp"],"properties":{"SourceIp":{"description":"ip from which the abuse event originated","$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"ASN":{"type":"integer","description":"autonomous system number the reported ip belongs to","minimum":1,"maximum":4199999999}}},{"type":"object","required":["SourceUrl"],"properties":{"SourceUrl":{"type":"string","description":"url of the abuse event origin","format":"uri"}}}]}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Malware"]},"MalwareName":{"type":"string","description":"name of the malware"}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PHISHING","description":"A format to report Phishing events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Phishing"]}},"required":["SourceUrl"]},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF PORTSCAN","description":"A format to report PORTSCAN events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PortScan"]}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF SPAM","description":"A format to report SPAM events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Spam"]}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"},{"type":"object","description":"Simplified e-mail object to attach the source e-mail to a report","properties":{"SmtpMailFromAddress":{"type":"string","format":"email"},"SmtpRcptToAddress":{"type":"string","format":"email"}}}]}}}]},{"title":"XARF COPYRIGHT","description":"A format to report Copyright infringements.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Copyright"]},"InfringedMaterial":{"type":"string","description":"name of the copyrighted material"},"MaterialType":{"type":"string","description":"type of copyrighted material, eg. Movie, Music, etc."},"SharingProtocol":{"type":"string","description":"protocol used to distribute the material"},"CourtOrder":{"type":"string","description":"url to the court order about this infringement","format":"uri"}},"required":["ReportClass","ReportType","InfringedMaterial"]},{"description":"Additional properties for xarf report types about a specific file","type":"object","properties":{"FileName":{"type":"string","description":"name of the file"},"FileSize":{"type":"integer","description":"file size in byte","minimum":0},"FileHash":{"description":"The hash value of eg. a file or a password.","type":"object","properties":{"HashValue":{"type":"string"},"HashAlgorithm":{"type":"string","enum":["sha1","sha2","sha3","sha256","sha512","md5","argon2id","scrypt","bcrypt","pbkdf2"]},"HashComplete":{"type":"boolean","default":true,"description":"Whether the complete hash is attached. The alternative is to only attach the first N characters of the computed hash."}},"required":["HashValue","HashAlgorithm"]}},"required":["FileName"]}]}}}]},{"title":"XARF TRADEMARK","description":"A format to report Trademark infringements.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Trademark"]},"TrademarkedMaterial":{"type":"string","description":"description of what is trademarked"},"RegistrationOffice":{"type":"string","description":"office the trademark has been registered"},"RegistrationNumber":{"type":"string","description":"trademark registration number"}},"required":["TrademarkedMaterial"]}]}}}]},{"title":"XARF LOGINATTACK","description":"A format to report login attacks.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["LoginAttack"]}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/3"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF EXPLOIT","description":"A format to report exploit attempts.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Exploit"]}}},{"type":"object","description":"Transport protocol used by the reportee","properties":{"TransportProtocol":{"type":"string","enum":["tcp","udp"]}}},{"type":"object","description":"CVE reference number","properties":{"CVE":{"type":"string","pattern":"^CVE-\\d{4}-\\d{4,7}$"}}},{"type":"object","description":"CVSS Severity and Metrics","properties":{"CVSS":{"type":"object","required":["Version","Vector"],"properties":{"Score":{"type":"number"},"Version":{"type":"string","enum":["3.1","3.0","2"]},"Vector":{"type":"string"},"Severity":{"type":"string"}},"if":{"properties":{"Version":{"const":"2"}}},"then":{"properties":{"Severity":{"enum":["Low","Medium","High"]},"Vector":{"pattern":"^\\(?AV:[LAN]\\/AC:[HML]\\/Au:[MSN]\\/C:[NPC]\\/I:[NPC]\\/A:[NPC](\\/E:((ND)|(POC)|[UFH])\\/RL:([WU]|(ND)|(OF)|(TF))\\/RC:(C|(ND)|(UC)|(UR)))?(\\/CDP:([NLH]|ND|LM|MH)\\/TD:(ND|[NLMH])\\/CR:(ND|[NLMH])\\/IR:(ND|[LMH])\\/AR:(ND|[LMH]))?\\)?$"}}},"else":{"properties":{"Severity":{"enum":["None","Low","Medium","High","Critical"]},"Vector":{"pattern":"^CVSS:3.[01]\\/AV:[NALP]\\/AC:[LH]\\/PR:[NLH]\\/UI:[NR]\\/S:[UC]\\/C:[NLH]\\/I:[NLH]\\/A:[NLH](\\/E:[XUPFH]\\/RL:[XOTWU]\\/RC:[XURC])?(\\/CR:[XLMH]\\/IR:[XLMH]\\/AR:[XLMH]\\/MAV:[XNALP]\\/MAC:[XLH]\\/MPR:[XNLH]\\/MUI:[XNR]\\/MS:[XUC]\\/MC:[XNLH]\\/MI:[XNLH]\\/MA:[XNLH])?$"}}}}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/2"},{"type":"object","description":"Specify a service to report","properties":{"ServiceName":{"type":"string"},"ServiceVersion":{"type":"string","description":"Affected service version or version range"}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF COMPROMISED ACCOUNT","description":"Report format to notify victims of a potentially leaked login data. Used for reporting observed usages of possibly leaked user information in login attempts.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/0"},{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/1"},{"type":"object","required":["Account"],"properties":{"Account":{"type":"object","minProperties":1,"description":"Account data of the reportee","properties":{"AccountIdentifier":{"type":"string","description":"reported account name or other identifier","not":{"description":"email based user accounts should go to the AccountEmail field","format":"email"}},"AccountEmail":{"type":"string","description":"email account of the user"}}}}}]},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["PotentiallyCompromisedAccount"]}}},{"not":{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"}},{"type":"object","description":"Specify the source of an attack. Used when attack source is not the subject of the report, eg. in an PotentiallyCompromisedAccount report.","properties":{"AttackerIp":{"description":"attacker ip","$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourceIp"},"AttackerPort":{"oneOf":[{"type":"array","items":{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"attack port"}},{"$ref":"#/anyOf/4/oneOf/0/allOf/1/properties/Report/allOf/0/allOf/2/properties/SourcePort","description":"attack port"}]}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"},{"description":"Password information","type":"object","properties":{"PasswordHash":{"$ref":"#/anyOf/4/oneOf/6/allOf/1/properties/Report/allOf/2/properties/FileHash"}}}]}}}]},{"title":"XARF CHILDABUSE","description":"A format to report child abuse events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["ChildAbuse"]}}}]}}}]},{"title":"XARF BOTNET","description":"A format to report Botnet events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Content"]},"ReportType":{"type":"string","enum":["Botnet"]},"BotnetName":{"type":"string","description":"name of the botnet"}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF OPENSERVICE","description":"A format to report open service events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Vulnerability"]},"ReportType":{"type":"string","enum":["OpenService"]}}},{"$ref":"#/anyOf/4/oneOf/9/allOf/1/properties/Report/allOf/2"},{"$ref":"#/anyOf/4/oneOf/9/allOf/1/properties/Report/allOf/6"},{"required":["ServiceName"]},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF WEBCRAWLER","description":"A format to report Web-Crawling events.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["WebCrawler"]}}},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]},{"title":"XARF HARASSMENT","description":"A format to report harassment.","allOf":[{"$ref":"#/anyOf/4/oneOf/0/allOf/0"},{"type":"object","properties":{"Report":{"allOf":[{"$ref":"#/anyOf/4/oneOf/2/allOf/1/properties/Report/allOf/0"},{"type":"object","properties":{"ReportClass":{"type":"string","enum":["Activity"]},"ReportType":{"type":"string","enum":["Harassment"]}}},{"type":"object","description":"Details of someone harassing someone else.","properties":{"Harasser":{"type":"string","description":"Specify the identity of the harassing individual, eg. name, username, phone number or email"},"HarassmentDescription":{"type":"string","description":"Description/Reason why the reported behavior classifies as harassment."},"HarassmentType":{"enum":["doxing","stalking","sexual","believes","defamation","extortion","hate"]},"HarassmentLocation":{"enum":["website","chat","game"]}},"required":["Harasser","HarassmentDescription"]},{"$ref":"#/anyOf/4/oneOf/1/allOf/1/properties/Report/allOf/4"}]}}}]}]}]}
