{
"$schema": "http://json-schema.org/draft-04/schema#", "title": "OpenTPX", "description": "An Open Threat Partner eXchange (OpenTPX) file", "definitions": { "suffixed_schema": { "type": "object", "patternProperties": { "_ipv4_i$": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "_ipv4_ui$": { "type": "integer", "minimum": 0, "maximum": 4294967295 }, "_ipv4_s$": { "type": "string", "format": "ipv4" }, "_cidrv4_s$": { "type": "string" }, "_ipv6_ll$": { "type": "integer", "minimum": 0 }, "_ipv6_s$": { "type": "string", "format": "ipv6" }, "_cidrv6_s$": { "type": "string" }, "_fqdn_s$": { "type": "string" }, "_asn_number_ui$": { "type": "integer", "minimum": 0 }, "_asn_s$": { "type": "string" }, "_md5_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{32}$" }, "_sha1_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{40}$" }, "_sha256_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }, "_sha512_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]{128}$" }, "_t$": { "type": "integer", "minimum": 0 }, "_s$": { "type": "string" }, "_i$": { "type": "integer" }, "_ui$": { "type": "integer" }, "_ll$": { "type": "integer" }, "_h$": { "type": "string", "pattern": "^[A-Fa-f0-9]+$" }, "_f$": { "type": "number" }, "_c_array$": { "type": "array", "minItems": 1, "items": { "type": "object" } }, "_c_map$": { "type": "object" }, "_s_array$": { "type": "array", "minItems": 1, "items": { "type": "string"} } }, "additionalProperties": false }, "observable": { "allOf": [{ "type": "object", "properties": { "observable_id_s": { "description": "The name of the observable", "type": "string" }, "criticality_i": { "description": "The threat observable’s relative criticality between 1 and 100", "type": "integer", "minimum": 1, "maximum": 100 }, "score_i": { "description": "Optional overridden threat score between 1 and 100.", "type": "integer", "minimum": 1, "maximum": 100 }, "score_24hr_decay_i": { "description": "Optional parameter that defines the percentage by which the score decays over time if there is no new observation. A valid decay is between 0 and 100. A value of 0 switches off decay due to time.", "type": "integer", "minimum": 0, "maximum": 100 }, "score_calc_setting_s": { "description": "Optional parameter that defines whether the score was calculated based on a manual or automatic calculation. Default: auto", "type": "string", "pattern": "^(auto|manual)$" }, "description_s": { "description": "A user displayable description of the observable", "type": "string" }, "classification_c_array": { "description": "An array of classifications of this threat observable.", "type": "array", "minItems": 1, "items": { "allOf": [{ "type": "object", "properties": { "classification_id_s": { "description": "The name of the classification", "type": "string" }, "classification_family_s": { "description": "The descriptive family name for this classification", "type": "string" }, "score_i": { "description": "The criticality/score of the classification between 1 and 100 where a higher number is a higher risk classification", "type": "integer", "minimum": 1, "maximum": 100 } }, "additionalProperties": false, "required": ["classification_id_s"] }, { "$ref": "#/definitions/suffixed_schema" }] } }, "attribute_c_map": { "description": "A map of attributes associated with the observable that are common across all subjects", "$ref": "#/definitions/suffixed_schema" }, "summary_s": { "description": "A user displayable summary of the observable description", "type": "string" }, "notes_s": { "description": "A user defined set of notes that provide background to the description", "type": "string" }, "reference_s_array": { "description": "An array of string URL references to background information on the observable", "type": "array", "minItems": 1, "items": { "type": "string", "format": "uri" } } }, "required": ["observable_id_s", "description_s", "classification_c_array"] }, { "$ref": "#/definitions/suffixed_schema" }] }, "network": { "type": "object", "properties": { "asn_i": { 
"description": "The ID number of the ASN", "type": "integer" }, "as_owner_s": { "description": "The owner of the ASN", "type": "string" }, "asn_routers_ip_array": { "description": "The array of routers that make up this ASN", "type": "array", "minItems": 1, "items": { "type": "string", "pattern": ".*" } }, "asn_router_conns_ip_array": { "description": "The array of router interconnections in this ASN", "type": "array", "minItems": 1, "items": { "type": "string", "pattern": ".*" } }, "asn_cidr_announcements_c_array": { "description": "The array of CIDR announcements in this ASN", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } }, "asn_downstream_i_array": { "description": "The array of downstream ASNs from this ASN", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "asn_upstream_i_array": { "description": "The array of upstream ASNs from this ASN", "type": "array", "minItems": 1, "items": { "type": "integer" } }, "asn_community_c_array": { "description": "The array of communities within this ASN", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } } } }, "collection": { "type": "object", "properties": { "name_id_s": { "description": "The name of the collection", "type": "string" }, "last_updated_t": { "description": "The UTC Epoch time of the last update to this collection", "type": "integer", "minimum": 0 }, "author_s": { "description": "A name associated with the last team, group, company or person making the change", "type": "string" }, "workspace_s": { "description": "A collaboration space this collection is associated with", "type": "string" }, "fqdn_ref_c_array": { "description": "An array of FQDN elements referenced by this collection", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } }, "ip_ref_c_array": { "description": "An array of IP (v4 and v6) elements referenced by this collection", "type": "array", "minItems": 1, "items": { 
"$ref": "#/definitions/suffixed_schema" } }, "asn_ref_c_array": { "description": "An array of ASN elements referenced by this collection", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } }, "cidr_ref_c_array": { "description": "An array of CIDR elements referenced by this collection", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } }, "observable_ref_c_array": { "description": "An array of observables referenced by this collection", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/suffixed_schema" } }, "collection_c_array": { "description": "An array of child collections contained within this collection", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/collection" } } }, "required": ["name_id_s"] }, "element_observable": { "allOf": [{ "type": "object", "properties": { "score_i": { "description": "The element’s overridden score if not derived from scoring of the observables", "type": "integer", "minimum": 1, "maximum": 100 }, "score_24hr_decay_i": { "description": "The element’s overridden score decay if not derived from the observable’s decay parameter. 0 indicates this particular element’s score will not change due to time decay alone.", "type": "integer", "minimum": 0, "maximum": 100 }, "threat_observable_c_map": { "description": "A map of Threat Observables that are associated with the subject. The threat observable must already be defined in the observable dictionary to be referenced by this map.", "type": "object", "patternProperties": { ".+": { "allOf": [{ "type": "object", "properties": { "occurred_at_t": { "description": "The Epoch UTC timestamp when this particular threat observable was first observed in association with the subject", "type": "integer", "minimum": 0 }, "last_seen_t": { "description": "The Epoch UTC timestamp of the last update in which this threat observable was observed in association with the subject", "type": "integer", "minimum": 0 }, "country_code_s": { "description": "The 2- or 3-character country code associated with the threat observable", "type": "string", "minLength": 2, "maxLength": 3 }, "destination_fqdn_s": { "description": "The domain that a particular botnet or peer-to-peer communication threat was destined to", "type": "string" }, "description_s": { "description": "The description of the observable or element or collection", "type": "string" }, "url_s": { "description": "The description of the observable or element or collection", "type": "string", "format": "uri" }, "score_i": { "description": "The criticality/score of the classification between 1 and 100 where a higher number is a higher risk observable", "type": "integer", "minimum": 1, "maximum": 100 }, "classification_s": { "description": "The name of the classification", "type": "string" }, "filesize_i": { "description": "The size of a file used to convey some behavior", "type": "integer", "minimum": 0 }, "magic_s": { "description": "The description of the file", "type": "string" }, "mime_type_s": { "description": "The MIME type of the file", "type": "string" }, "hash_md5_h": { "description": "The MD5 hash of a file", "type": "string" }, "hash_sha1_h": { "description": "The SHA1 hash of a file", "type": "string" }, "hash_sha256_h": { "description": "The SHA256 hash of a file", "type": "string" }, "hash_sha512_h": { "description": "The SHA512 hash of a file", "type": "string" 
}, "dns_request_c_array": { "description": "The list of DNS requests made", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "dns_response_c_array": { "description": "The list of DNS responses where each response is { Dns-record-type : Dns-value}", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "host_c_array": { "description": "The list of hosts in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "http_c_array": { "description": "The list of HTTP key/value pairs in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "smtp_c_array": { "description": "The list of SMTP key/value pairs in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "tcp_c_array": { "description": "The list of TCP key/value pairs in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "fqdn_c_array": { "description": "The list of SMTP key/value pairs in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "ssl_c_array": { "description": "The list of SSL key/value pairs in the PCAP", "type": "array", "items": { "$ref": "#/definitions/suffixed_schema" } }, "geoloc_lat_f": { "description": "The latitude of the observable if known", "type": "number" }, "geoloc_long_f": { "description": "The longitude of the observable if known", "type": "number" }, "dest_port_i": { "description": "A destination protocol port", "type": "integer" }, "dest_ipv4_s": { "description": "A destination IP v4 address as a string", "type": "string" }, "dest_ipv4_i": { "description": "A destination IP v4 address as an integer", "type": "integer" }, "src_port_i": { "description": "A source protocol port", "type": "integer" }, "src_ipv4_s": { "description": "A source IP v4 address as a string", "type": "string" }, "src_ipv4_i": { "description": "A source IP v4 address as an integer", "type": "integer" }, "size_i": { 
"description": "A size in bytes of a communication or entity", "type": "integer" }, "tlp_i": { "description": "The Traffic Light Protocol value. 0 – White, 1 – Green, 2 – Amber, 3 – Red", "type": "integer" }, "name_id_s": { "description": "The name of the country provided as part of a country code file", "type": "string" }, "country_code_i": { "description": "The country identifier as part of the country code file", "type": "integer", "minimum": 0 }, "iso_3_s": { "description": "The ISO 3 letter code for the country", "type": "string", "minLength": 3, "maxLength": 3 }, "iso_2_s": { "description": "The ISO 2 letter code for the country", "type": "string", "minLength": 2, "maxLength": 2 }, "region_code_i": { "description": "The regional code for the country code file", "type": "integer" }, "continent_code_i": { "description": "The continent code for the country code file", "type": "integer" }, "continent_code_s": { "description": "The continent name for the country code file", "type": "string" }, "naics_code_i": { "description": "The NAICS code", "type": "integer" }, "naics_code_s": { "description": "The NAICS code as a string", "type": "string" } }, "required": ["occurred_at_t"] }, { "$ref": "#/definitions/suffixed_schema" } ] } } } }, "required": ["threat_observable_c_map"] }, { "$ref": "#/definitions/suffixed_schema" }, { "oneOf": [ { "required": ["subject_ipv4_i"] }, { "required": ["subject_ipv4_ui"] }, { "required": ["subject_ipv4_s"] }, { "required": ["subject_ipv6_ui"] }, { "required": ["subject_ipv6_s"] }, { "required": ["subject_fqdn_s"] }, { "required": ["subject_cidrv4_s"] }, { "required": ["subject_cidrv6_s"] }, { "required": ["subject_asn_s"] }, { "required": ["subject_asn_ui"] }, { "required": ["subject_md5_h"] }, { "required": ["subject_sha1_h"] }, { "required": ["subject_sha256_h"] }, { "required": ["subject_sha512_h"] }, { "required": ["subject_registrykey_s"] }, { "required": ["subject_filename_s"] }, { "required": ["subject_filepath_s"] }, { 
"required": ["subject_mutex_s"] }, { "required": ["subject_actor_s"] }, { "required": ["subject_email_s"] } ] } ] } }, "type": "object", "properties": { "schema_version_s": { "description": "The provider’s version of their schema", "type": "string" }, "provider_s": { "description": "The provider’s company name", "type": "string" }, "source_observable_s": { "description": "The prefix associated with this threat list", "type": "string" }, "source_description_s": { "description": "A description of the source feed that provides background on the type of data and the types of information available to the user", "type": "string" }, "source_file_s": { "description": "The file containing the original feed information", "type": "string", "format": "uri" }, "score_i": { "description": "The score of the source feed accuracy. An assessment of the source feed’s accuracy between 1 and 100 where 100 is completely accurate", "type": "integer", "minimum": 1, "maximum": 100 }, "last_updated_t": { "description": "The Epoch UTC timestamp this file was last changed by the provider", "type": "integer", "minimum": 0 }, "distribution_time_t": { "description": "The Epoch UTC timestamp this file was distributed by the provider", "type": "integer", "minimum": 0 }, "list_name_s": { "description": "The threat feed list name", "type": "string" }, "observable_dictionary_c_array": { "description": "An array of observable definitions", "type": "array", "minItems": 0, "items": { "$ref": "#/definitions/observable" } }, "element_observable_c_array": { "description": "An array of Element Threat Observables", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/element_observable" } }, "collection_c_array": { "description": "An array of Collections", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/collection" } }, "asn_c_array": { "description": "An array of ASN network information", "type": "array", "minItems": 1, "items": { "$ref": "#/definitions/network" } }, 
"dictionary_file_manifest": { "description": "An array of filenames (fully qualified path) where the dictionary files are", "type": "array", "minItems": 1, "items": { "type": "string" } }, "observable_element_file_manifest": { "description": "An array of filenames (fully qualified path) where the element observable files are", "type": "array", "minItems": 1, "items": { "type": "string" } }, "collection_file_manifest": { "description": "An array of filenames (fully qualified path) where the collection files are", "type": "array", "minItems": 1, "items": { "type": "string" } }, "network_file_manifest": { "description": "An array of filenames (fully qualified path) where the network files are", "type": "array", "minItems": 1, "items": { "type": "string" } } }, "required": ["schema_version_s", "provider_s", "source_observable_s", "last_updated_t", "list_name_s"]
}