{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://securitycompliancehub.io/schemas/soc-prefill.schema.json",
  "title": "SCH SOC Maturity Pre-fill Schema",
  "description": "Schema for importing SIEM, EDR, SOAR, and ITSM data into the SCH SOC Maturity & AI Readiness assessment. 7 domains, 70 questions. Useful data sources: Splunk, Microsoft Sentinel, CrowdStrike, SentinelOne, ServiceNow ITSM, PagerDuty, ThreatConnect.",
  "version": "1.0.0",
  "type": "object",
  "required": ["assessmentType", "generated", "questions"],
  "additionalProperties": false,
  "properties": {
    "assessmentType": {
      "type": "string",
      "const": "soc",
      "description": "Must be 'soc'."
    },
    "source": {
      "type": "string",
      "description": "Tool or pipeline that generated this file.",
      "examples": ["splunk", "microsoft-sentinel", "crowdstrike", "servicenow-itsm", "custom-script"]
    },
    "generated": {
      "type": "string",
      "format": "date-time"
    },
    "questions": {
      "type": "object",
      "description": "Map of question radio names to pre-fill values. Key format: soc_{domain}{number}. Domains and their prefixes: G (Detection & Response, G1–G10), T (Threat Intelligence, T1–T10), P (Processes & Procedures, P1–P10), Pr (People & Training, Pr1–Pr10), S (Systems & Technology, S1–S10), TOM (Target Operating Model, TOM1–TOM10), AI (AI & Automation Readiness, AI1–AI10). Example keys: soc_G1, soc_T4, soc_AI7. The propertyNames pattern checks only the prefix and that digits follow; it does not restrict the number to 1–10, so out-of-range keys such as soc_G11 still validate. Note: some questions are enterprise-only and hidden for Small/Mid-size and MSSP SOC types.",
      "propertyNames": {
        "pattern": "^soc_(G|T|P|Pr|S|TOM|AI)[0-9]+$"
      },
      "additionalProperties": {
        "$ref": "#/$defs/questionEntry"
      },
      "examples": [
        {
          "soc_G1": {
            "suggested_value": "fully-implemented",
            "evidence_summary": "SIEM deployed (Splunk Enterprise Security); ingesting logs from 100% of critical assets; average detection-to-alert time 4.2 minutes"
          },
          "soc_T1": {
            "suggested_value": "partially-implemented",
            "evidence_summary": "TI platform in use (ThreatConnect); feeds from 3 commercial sources; integration with SIEM partial — IOC enrichment automated, attribution manual",
            "evidence_detail": "ThreatConnect workspace: soc-ti@org.example. Automated IOC feeds: AlienVault OTX, Recorded Future, CISA KEV. Manual enrichment queue averages 47 items/day.",
            "raw_stats": {
              "ti_feeds": 3,
              "automated_ioc_enrichment": true,
              "manual_enrichment_queue_per_day": 47,
              "mean_ioc_triage_minutes": 12
            }
          },
          "soc_AI1": {
            "suggested_value": "partially-implemented",
            "evidence_summary": "SOAR platform deployed (Splunk SOAR); 8 of 15 target playbooks automated; MTTR reduced 34% since deployment"
          }
        }
      ]
    }
  },
  "$defs": {
    "questionEntry": {
      "type": "object",
      "required": ["suggested_value"],
      "additionalProperties": false,
      "properties": {
        "suggested_value": {
          "type": "string",
          "enum": ["fully-implemented", "partially-implemented", "not-implemented", "na"],
          "description": "'fully-implemented' = mature capability, 'partially-implemented' = developing, 'not-implemented' = absent, 'na' = not applicable to SOC type. The user reviews and confirms before submission."
        },
        "evidence_summary": {
          "type": "string",
          "maxLength": 500,
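          "description": "CLAUDE-SAFE. Aggregated, identifier-free summary. May be included in Phronesis analysis. Must not contain system names, IP addresses, or analyst identifiers. This schema checks only the type and the 500-character limit; it does not detect identifiers, so the producer of the file is responsible for removing them."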
        },
        "evidence_detail": {
          "type": "string",
          "description": "EVIDENCE VAULT ONLY. Detailed SOC metrics or system specifics. Never sent to Phronesis AI."
        },
        "raw_stats": {
          "type": "object",
          "description": "EVIDENCE VAULT ONLY. Machine-readable statistics. Never sent to Phronesis AI. Any keys and value types are accepted; this schema does not validate or bound the contents.",
          "additionalProperties": true
        }
      }
    }
  }
}
