{"description":"A report for an abusive attack carried out by a malware", "type":"object", "properties":{ "Reported-From":{ "type":"string", "format":"email" }, "Report-ID":{ "type":"string", "format":"email" }, "Category":{ "type":"string", "enum":["abuse"] }, "Report-Type":{ "description":"This field follows - in brief - the overall description above", "type":"string", "enum":["malware-attack"] }, "Destination-System":{ "description":"This field describes - more or less exactly - the targeted system which provides the evidence laid down in this report", "type":"string", "enum":["real-world","honeypot","spamtrap","honeyd","nepenthes"], "optional":true }, "User-Agent":{ "description":"This field describes the software which generated this report email, this is not necessarily software used on the targeted system", "type":"string" }, "Date":{ "type":"string", "format":"date-time" }, "Source":{ "description":"This field describes the source-ip of the infection, no matter how the attack was carried out", "type":"string" }, "Source-Type":{ "type":"string", "enum":["ipv4","ipv6","ip-address"] }, "Download-Link":{ "type":"string", "format":"uri", "optional":true }, "Malware-MD5":{ "type":"string", "optional":true }, "Antivirus-Result":{ "type":"string", "optional":true }, "Antivirus-Vendor":{ "type":"string", "optional":true, "requires":"Antivirus-Result" }, "Attachment":{ "description":"An attachment should provide information about how and from where the malware infection took place if not already evident by the yaml report information", "type":"string", "enum":["none","text/plain", "message/rfc822"] }, "Schema-URL":{ "type":"string", "format":"uri" }, "Version":{ "type":"number", "optional":true }, "Occurrences":{ "type":"integer", "optional":true }, "TLP":{ "type":"string", "enum":["white","green","amber","red"], "optional":true } } }