{
  "attributes": {
    "bailiwick": {
      "description": "Best estimate of the apex of the zone where this data is authoritative",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "count": {
      "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
      "disable_correlation": true,
      "misp-attribute": "counter",
      "ui-priority": 0
    },
    "origin": {
      "description": "Origin of the Passive DNS response",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "rdata": {
      "description": "Resource records of the queried resource",
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "rrname": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record name of the queried resource.",
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "rrtype": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record type as seen by the passive DNS.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "A",
        "AAAA",
        "CNAME",
        "PTR",
        "SOA",
        "TXT",
        "DNAME",
        "NS",
        "SRV",
        "RP",
        "NAPTR",
        "HINFO",
        "A6"
      ],
      "ui-priority": 1
    },
    "sensor_id": {
      "description": "Sensor information where the record was seen",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "text": {
      "description": "Description of the passive DNS record.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "time_first": {
      "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "time_last": {
      "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "zone_time_first": {
      "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "zone_time_last": {
      "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    }
  },
  "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
  "meta-category": "network",
  "name": "passive-dns",
  "required": [
    "rrtype",
    "rrname",
    "rdata"
  ],
  "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
  "version": 3
}