draft-ietf-mile-rfc5070-bis-15.txt vs. draft-ietf-mile-rfc5070-bis-16.txt

draft-15 header:
MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                                P. Stoecker
Intended status: Standards Track                                     RSA
Expires: April 18, 2016                                 October 16, 2015

draft-16 header:
MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                           February 1, 2016
Intended status: Standards Track
Expires: August 4, 2016

The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-15 / draft-ietf-mile-rfc5070-bis-16
Abstract

The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with
XML Schema.
skipping to change at page 1, line 36

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 18, 2016 (draft-15) /
August 4, 2016 (draft-16).

Copyright Notice

Copyright (c) 2015 (draft-15) / 2016 (draft-16) IETF Trust and the
persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 21

modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.

Table of Contents (draft-16)
1. Introduction . . . 4
1.1. Changes from 5070 . . . 6
1.2. Terminology . . . 7
1.3. Notations . . . 7
1.4. About the IODEF Data Model . . . 8
1.5. About the IODEF Implementation . . . 8
2. IODEF Data Types . . . 9
2.1. Integers . . . 9
2.2. Real Numbers . . . 9
2.3. Characters and Strings . . . 9
2.4. Multilingual Strings . . . 9
2.5. Bytes . . . 10
2.6. Hexadecimal Bytes . . . 11
2.7. Enumerated Types . . . 11
2.8. Date-Time String . . . 11
2.9. Timezone String . . . 11
2.10. Port Lists . . . 11
2.11. Postal Address . . . 12
2.12. Telephone and Fax Numbers . . . 12
2.13. Email String . . . 12
2.14. Uniform Resource Locator strings . . . 12
2.15. Identifiers and Identifier References . . . 12
2.16. Software . . . 13
2.16.1. SoftwareReference Class . . . 13
2.17. Extension . . . 15
3. The IODEF Data Model . . . 18
3.1. IODEF-Document Class . . . 18
3.2. Incident Class . . . 19
3.3. Common Attributes . . . 23
3.3.1. restriction Attribute . . . 23
3.3.2. observable-id Attribute . . . 24
3.4. IncidentID Class . . . 25
3.5. AlternativeID Class . . . 26
3.6. RelatedActivity Class . . . 26
3.7. ThreatActor Class . . . 28
3.8. Campaign Class . . . 29
3.9. Contact Class . . . 29
3.9.1. RegistryHandle Class . . . 33
3.9.2. PostalAddress Class . . . 34
3.9.3. Email Class . . . 35
3.9.4. Telephone Class . . . 36
3.10. Discovery Class . . . 37
3.10.1. DetectionPattern Class . . . 39
3.11. Method Class . . . 40
3.11.1. Reference Class . . . 41
3.12. Assessment Class . . . 42
3.12.1. SystemImpact Class . . . 44
3.12.2. BusinessImpact Class . . . 46
3.12.3. TimeImpact Class . . . 48
3.12.4. MonetaryImpact Class . . . 50
3.12.5. Confidence Class . . . 51
3.13. History Class . . . 52
3.13.1. HistoryItem Class . . . 53
3.14. EventData Class . . . 55
3.14.1. Relating the Incident and EventData Classes . . . 57
3.14.2. Cardinality of EventData . . . 57
3.15. Expectation Class . . . 58
3.16. Flow Class . . . 61
3.17. System Class . . . 62
3.18. Node Class . . . 65
3.18.1. Address Class . . . 66
3.18.2. NodeRole Class . . . 68
3.18.3. Counter Class . . . 71
3.19. DomainData Class . . . 73
3.19.1. Nameservers Class . . . 75
3.19.2. DomainContacts Class . . . 76
3.20. Service Class . . . 77
3.20.1. ServiceName Class . . . 79
3.20.2. ApplicationHeader Class . . . 79
3.21. EmailData Class . . . 80
3.22. Record Class . . . 81
3.22.1. RecordData Class . . . 82
3.22.2. RecordPattern Class . . . 83
3.23. WindowsRegistryKeysModified Class . . . 85
3.23.1. Key Class . . . 85
3.24. CertificateData Class . . . 86
3.24.1. Certificate Class . . . 87
3.25. FileData Class . . . 87
3.25.1. File Class . . . 88
3.26. HashData Class . . . 89
3.26.1. Hash Class . . . 91
3.26.2. FuzzyHash Class . . . 92
3.27. SignatureData Class . . . 93
3.28. IndicatorData Class . . . 93
3.29. Indicator Class . . . 93
3.29.1. IndicatorID Class . . . 96
3.29.2. AlternativeIndicatorID Class . . . 96
3.29.3. Observable Class . . . 97
3.29.4. IndicatorExpression Class . . . 103
3.29.5. Expressions with IndicatorExpression . . . 104
3.29.6. ObservableReference Class . . . 106
3.29.7. IndicatorReference Class . . . 106
3.29.8. AttackPhase Class . . . 107
4. Processing Considerations . . . 108
4.1. Encoding . . . 108
4.2. IODEF Namespace . . . 108
4.3. Validation . . . 109
4.4. Incompatibilities with v1 . . . 109
5. Extending the IODEF . . . 110
5.1. Extending the Enumerated Values of Attributes . . . 110
5.1.1. Private Extension of Enumerated Values . . . 110
5.1.2. Public Extension of Enumerated Values . . . 111
5.2. Extending Classes . . . 111
5.3. Deconflicting Private Extensions . . . 113
6. Internationalization Issues . . . 114
7. Examples . . . 115
7.1. Minimal Example . . . 115
7.2. Indicators from a Campaign . . . 116
7.3. Incident Report . . . 117
8. The IODEF Schema . . . 117
9. Security Considerations . . . 156
10. IANA Considerations . . . 157
10.1. Namespace and Schema . . . 157
10.2. Enumerated Value Registries . . . 157
11. Acknowledgments . . . 160
12. References . . . 160
12.1. Normative References . . . 160
12.2. Informative References . . . 162
Author's Address . . . 163
1. Introduction

Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a
consortium.
skipping to change at page 10, line 28 (draft-15) / page 10, line 13 (draft-16)

ML_STRING data type.

ML_STRING data type is implemented as the "iodef:MLStringType" type
in the schema. This type extends the "xs:string" to include two
attributes. The body of any class that uses this type is the
multilingual string.
+------------------------+
| iodef:MLStringType     |
+------------------------+
| ENUM xml:lang          |
| STRING translation-id  |
+------------------------+

Figure 1: The iodef:MLStringType Type
The content of the class is a character string of type "xs:string"
whose language MAY be specified by the xml:lang attribute.

The attributes of the iodef:MLStringType type are:
xml:lang
Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6.

translation-id
Optional. STRING. An identifier to relate other instances of
this class with the same parent as translations of this text. The
scope of this identifier is limited to all of the direct, peer
child classes of a given parent class.
Using this class enables representing translations of the same text
in multiple languages. Each translation is a distinct instance of
this class with a common parent. A group of classes each with a
translated instance of text is related by setting a common identifier
in the translation-id attribute. The language of a given class is
set by the xml:lang attribute.
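As an added illustration (not part of the draft), the following Python groups peer ML_STRING children by translation-id and selects the instance whose xml:lang best matches a caller's language preference. The sample Incident element and its Description children are constructed here; only the xml:lang namespace is taken from the XML specification.

```python
# Added example, not from the draft: grouping iodef:MLStringType
# translations by translation-id within one parent and choosing one
# by language preference (Section 2.4 semantics).
import xml.etree.ElementTree as ET

# xml:lang lives in the XML namespace; ElementTree exposes it in Clark form.
XML_NS = "http://www.w3.org/XML/1998/namespace"
LANG = "{%s}lang" % XML_NS

# Constructed sample: the two Description children sharing
# translation-id="desc-1" are translations of one text; the third is a
# separate description with no translation.
SAMPLE = """
<Incident>
  <Description xml:lang="en" translation-id="desc-1">Phishing campaign against staff</Description>
  <Description xml:lang="de" translation-id="desc-1">Phishing-Kampagne gegen Mitarbeiter</Description>
  <Description xml:lang="en">Credentials were reset for affected users</Description>
</Incident>
"""


def translation_groups(parent, tag):
    """Return {key: [elements]} for the direct children of parent named tag.

    Children sharing a translation-id form one group. Children without one
    are singleton groups keyed by position, because translation-id only has
    meaning among the direct, peer children of a single parent.
    """
    groups = {}
    for i, child in enumerate(parent.findall(tag)):
        key = child.get("translation-id") or "_untranslated_%d" % i
        groups.setdefault(key, []).append(child)
    return groups


def pick_translation(elements, preferred):
    """Pick the element whose xml:lang best matches the ordered preference.

    A tag matches when equal to the preferred language or when it is a
    subtag of it (e.g. "en-US" matches "en"). Falls back to the first
    element when no language matches, so a reader always gets some text.
    """
    for lang in preferred:
        want = lang.lower()
        for el in elements:
            have = (el.get(LANG) or "").lower()
            if have == want or have.startswith(want + "-"):
                return el
    return elements[0]


def descriptions(xml_text, preferred):
    """Return one text per logical description, in document order."""
    root = ET.fromstring(xml_text)
    return [pick_translation(group, preferred).text
            for group in translation_groups(root, "Description").values()]


if __name__ == "__main__":
    print(descriptions(SAMPLE, ["de", "en"]))
```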
2.5. Bytes

A binary octet is represented by the BYTE data type. A sequence of
binary octets is represented by the BYTE[] data type. These octets
are encoded using base64.

The BYTE data type is implemented as an "xs:base64Binary" in
[W3C.SCHEMA.DTYPES].
skipping to change at page 11, line 35 (draft-15) / page 11, line 24 (draft-16)

2.7. Enumerated Types

Enumerated types are represented by the ENUM data type, and consist
of an ordered list of acceptable values. Each value has a
representative keyword. Within the IODEF schema, the enumerated type
keywords are used as attribute values.

The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
schema.
2.8. Date-Time String

Date-time strings are represented by the DATETIME data type. Each
date-time string identifies a particular instant in time. Ranges are
not supported.

Date-time strings are formatted according to a subset of [ISO8601]
documented in [RFC3339].

The DATETIME data type is implemented as an "xs:dateTime" in the
schema.

2.9. Timezone String
skipping to change at page 12, line 18 (draft-15) / page 12, line 7 (draft-16)

an "xs:dateTime".

2.10. Port Lists
A list of network ports is represented by the PORTLIST data type. A
PORTLIST consists of a comma-separated list of numbers and ranges
(N-M means ports N through M, inclusive). It is formatted according
to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
For example, "2,5-15,30,32,40-50,55-60".

The PORTLIST data type is implemented as an "iodef:PortlistType" in
the schema.
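The regular expression above accepts strings such as "15-5" or "70000" that no consumer should treat as ports. As an added example (not code from the draft), the Python below validates a PORTLIST with the draft's pattern, then applies the descending-range and upper-bound checks the pattern cannot express, and normalises the list into merged ranges; the 65535 bound is an assumption of this example, not a rule stated in the draft.

```python
# Added example, not from the draft: parse, check and canonicalise a
# PORTLIST (Section 2.10). The regex is the one given in the draft; the
# range-order and upper-bound checks are additional consumer-side checks.
import re

PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")
MAX_PORT = 65535  # assumption of this example: TCP/UDP port space


def parse_portlist(text):
    """Return sorted, merged (low, high) ranges for a PORTLIST, or raise.

    Single numbers become (n, n). Overlapping or adjacent ranges are merged
    so that "5-15,10-20,21" becomes [(5, 21)].
    """
    if not PORTLIST_RE.fullmatch(text):
        raise ValueError("not a PORTLIST: %r" % text)
    ranges = []
    for item in text.split(","):
        low, _, high = item.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if lo > hi:
            raise ValueError("descending range: %r" % item)
        if hi > MAX_PORT:
            raise ValueError("port above %d: %r" % (MAX_PORT, item))
        ranges.append((lo, hi))
    ranges.sort()
    merged = [ranges[0]]
    for lo, hi in ranges[1:]:
        prev_lo, prev_hi = merged[-1]
        if lo <= prev_hi + 1:          # overlap or adjacency: extend
            merged[-1] = (prev_lo, max(prev_hi, hi))
        else:
            merged.append((lo, hi))
    return merged


def is_valid_portlist(text):
    """True when the string passes both the regex and the extra checks."""
    try:
        parse_portlist(text)
    except ValueError:
        return False
    return True


def port_in_list(port, text):
    """True if port falls inside any range of the PORTLIST."""
    return any(lo <= port <= hi for lo, hi in parse_portlist(text))


def format_portlist(ranges):
    """Render canonical ranges back into PORTLIST syntax."""
    return ",".join(str(lo) if lo == hi else "%d-%d" % (lo, hi)
                    for lo, hi in ranges)


if __name__ == "__main__":
    print(parse_portlist("2,5-15,30,32,40-50,55-60"))
```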
2.11. Postal Address

A postal address is represented by the POSTAL data type. The format
of the POSTAL data type is documented in Section 2.23 of [RFC4519] as
a free-form multi-line string separated by the "$" character.

The POSTAL data type is implemented as an "iodef:MLStringType" in the
schema.

draft-15 text (removed in draft-16):

The POSTAL data type is implemented as an "xs:string" in the schema.

2.12. Person or Organization

The name of an individual or organization is represented by the NAME
data type. This data type is an ML_STRING whose format is documented
in Section 2.3 of [RFC4519].

The NAME data type is implemented as an "xs:string" in the schema.
2.12. Telephone and Fax Numbers

A telephone or fax number is represented by the PHONE data type. The
format of the PHONE data type is documented in Section 2.35 of
[RFC4519].

The PHONE data type is implemented as an "xs:string" in the schema.
2.13. Email String

An email address is represented by the EMAIL data type. The format
of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

The EMAIL data type is implemented as an "xs:string" in the schema.
2.14. Uniform Resource Locator strings

A uniform resource locator (URL) is represented by the URL data type.
The format of the URL data type is documented in [RFC3986].

The URL data type is implemented as an "xs:anyURI" in the schema.
2.15. Identifiers and Identifier References

An identifier unique to the Document is represented by the ID data
type. A reference to this identifier is represented by the IDREF
data type. The acceptable format of ID and IDREF is documented in
Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
in the schema.
2.16. Software
The SOFTWARE data type describes a particular version of software.
This description can be made with a reference, a URL, or free-form
text.
+--------------------+
| iodef:SoftwareType |
+--------------------+
| |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
Figure 2: The SoftwareType Type
The aggregate classes of the SoftwareType type are:
SoftwareReference
Zero or one. Reference to a software application. See
Section 2.16.1.
URL
Zero or more. URL. A URL associated with the application.
Description
Zero or more. ML_STRING. A free-form text description of this
application.
At least one of these classes MUST be present.
The iodef:SoftwareType type has no attributes.
2.16.1. SoftwareReference Class
The SoftwareReference class is a reference to a particular version of
software.
+----------------------+
| SoftwareReference |
+----------------------+
| xs:any |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING enum-dtype |
+----------------------+
Figure 3: The SoftwareReference Class
The element content of this type varies according to the value of
the spec-name attribute. This content is defined as "xs:any" in the
schema.
The attributes of the SoftwareReference class are:
spec-name
Required. ENUM. Identifies the format and semantics of the
element body of this class. Formal standards and specifications
can be referenced as well as free-form description with user-
provided data-types. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Table 1.
1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry [fix me. reference].
3. swid. The element content describes a software identification
(SWID) tag per ISO/IEC 19770-2:2009 [fix me. reference].
4. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-spec-name
Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1.
dtype
Optional. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"SoftwareReference-dtype" IANA registry per Table 1.
1. bytes. The element content is of type HEXBIN.
2. integer. The element content is of type INTEGER.
3. real. The element content is of type REAL.
4. string. The element content is of type STRING.
5. xml. The element content is XML. See Section 5.
6. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
2.17. Extension
The EXTENSION data type is an extension mechanism for information not
otherwise represented in the data model. The data type of the
extension is described by the dtype attribute. For simple
information, atomic data types (e.g., integers, strings) are
supported. Their semantics is further described by the meaning and
formatid attributes. This data type can also be used to extend the
data model (and the associated schema) by encapsulating entire XML
documents conforming to another schema. A detailed discussion for
extending the data model and the schema can be found in Section 5.
Additional coordination may be required to ensure that a recipient of
a document using this type can parse and process it.
+------------------------+
| iodef:ExtensionType |
+------------------------+
| xs:any |
| |
| STRING name |
| ENUM dtype |
| STRING ext-dtype |
| STRING meaning |
| STRING formatid |
| ENUM restriction |
| STRING ext-restriction |
| ID observable-id |
+------------------------+
Figure 4: The iodef:ExtensionType Type
The element content of this type is the extension being added to the
data model. This content is defined as "xs:any" in the schema.
The attributes of the iodef:ExtensionType type are:
name
Optional. STRING. A free-form name of the field or data element.
dtype
Required. ENUM. The data type of the element content. The
default value is "string". These values are maintained in the
"ExtensionType-dtype" IANA registry per Table 1.
1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE.
3. bytes. The element content is of type HEXBIN.
4. character. The element content is of type CHARACTER.
5. date-time. The element content is of type DATETIME.
6. ntpstamp. Same as date-time.
7. integer. The element content is of type INTEGER.
8. portlist. The element content is of type PORTLIST.
9. real. The element content is of type REAL.
10. string. The element content is of type STRING.
11. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type.
12. path. The element content is a file-system path encoded as a
STRING type.
13. frame. The element content is a layer-2 frame encoded as a
HEXBIN type.
14. packet. The element content is a layer-3 packet encoded as a
HEXBIN type.
15. ipv4-packet. The element content is an IPv4 packet encoded
as a HEXBIN type.
16. ipv6-packet. The element content is an IPv6 packet encoded
as a HEXBIN type.
17. url. The element content is of type URL.
18. csv. The element content is a comma-separated value (CSV)
list per Section 2 of [RFC4180] encoded as a STRING type.
19. winreg. The element content is a Windows registry key
encoded as a STRING type.
20. xml. The element content is XML. See Section 5.
21. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
meaning
Optional. STRING. A free-form description of the element
content.
formatid
Optional. STRING. An identifier referencing the format or
semantics of the element content.
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
observable-id
Optional. ID. See Section 3.3.2.
3. The IODEF Data Model 3. The IODEF Data Model
In this section, the individual components of the IODEF data model In this section, the individual components of the IODEF data model
will be discussed in detail. For each class, the semantics will be will be discussed in detail. For each class, the semantics will be
described and the relationship with other classes will be depicted described and the relationship with other classes will be depicted
with UML. When necessary, specific comments will be made about with UML. When necessary, specific comments will be made about
corresponding definition in the schema in Section 8. corresponding definition in the schema in Section 8.
3.1. IODEF-Document Class 3.1. IODEF-Document Class
skipping to change at page 13, line 45 skipping to change at page 18, line 35
+--------------------------+ +--------------------------+
| IODEF-Document | | IODEF-Document |
+--------------------------+ +--------------------------+
| STRING version |<>--{1..*}--[ Incident ] | STRING version |<>--{1..*}--[ Incident ]
| ENUM xml:lang |<>--{0..*}--[ AdditionalData ] | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
| STRING format-id | | STRING format-id |
| STRING private-enum-name | | STRING private-enum-name |
| STRING private-enum-id | | STRING private-enum-id |
+--------------------------+ +--------------------------+
Figure 2: IODEF-Document Class Figure 5: IODEF-Document Class
The aggregate class that constitute IODEF-Document is: The aggregate classes of the IODEF-Document class are:
Incident Incident
One or more. The information related to a single incident. One or more. The information related to a single incident. See
Section 3.2.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. EXTENSION. Mechanism by which to extend the data
Section 3.9 model.
The IODEF-Document class has three attributes: The attributes of the IODEF-Document class are:
version version
Required. STRING. The IODEF specification version number to Required. STRING. The IODEF specification version number to
which this IODEF document conforms. The value of this attribute which this IODEF document conforms. The value of this attribute
MUST be "2.00". MUST be "2.00".
xml:lang xml:lang
Optional. ENUM. A language identifier per Section 2.12 of Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The [W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
skipping to change at page 15, line 15 skipping to change at page 20, line 15
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM status |<>--{0..*}--[ RelatedActivity ] | ENUM status |<>--{0..*}--[ RelatedActivity ]
| STRING ext-status |<>--{0..1}--[ DetectTime ] | STRING ext-status |<>--{0..1}--[ DetectTime ]
| ENUM xml:lang |<>--{0..1}--[ StartTime ] | ENUM xml:lang |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ] | ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-restriction |<>--{0..1}--[ RecoveryTime ] | STRING ext-restriction |<>--{0..1}--[ RecoveryTime ]
| STRING observable-id |<>--{0..1}--[ ReportTime ] | ID observable-id |<>--{0..1}--[ ReportTime ]
| |<>----------[ GenerationTime ] | |<>----------[ GenerationTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ Discovery ] | |<>--{0..*}--[ Discovery ]
| |<>--{0..*}--[ Assessment ] | |<>--{0..*}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ IndicatorData ] | |<>--{0..1}--[ IndicatorData ]
| |<>--{0..1}--[ History ] | |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 3: The Incident Class Figure 6: The Incident Class
The aggregate classes that constitute Incident are: The aggregate classes of the Incident class are:
IncidentID IncidentID
One. An incident tracking number assigned to this incident by the One. An incident tracking number assigned to this incident by the
CSIRT that generated the IODEF document. CSIRT that generated the IODEF document. See Section 3.4.
AlternativeID AlternativeID
Zero or one. The incident tracking numbers used by other CSIRTs Zero or one. The incident tracking numbers used by other CSIRTs
to refer to the incident described in the document. to refer to the incident described in the document. See
Section 3.5.
RelatedActivity RelatedActivity
Zero or more. Related activity and attribution of this activity. Zero or more. Related activity and attribution of this activity.
See Section 3.6.
DetectTime DetectTime
Zero or one. The time the incident was first detected. Zero or one. DATETIME. The time the incident was first detected.
StartTime StartTime
Zero or one. The time the incident started. Zero or one. DATETIME. The time the incident started.
EndTime EndTime
Zero or one. The time the incident ended. Zero or one. DATETIME. The time the incident ended.
RecoveryTime RecoveryTime
Zero or one. The time the site recovered from the incident. Zero or one. DATETIME. The time the site recovered from the
incident.
ReportTime ReportTime
Zero or one. The time the incident was reported. Zero or one. DATETIME. The time the incident was reported.
GenerationTime GenerationTime
One. The time the content in this Incident class was generated. One. DATETIME. The time the content in this Incident class was
generated.
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
incident. incident.
Discovery Discovery
Zero or more. The means by which this incident was detected. Zero or more. The means by which this incident was detected. See
Section 3.10.
Assessment Assessment
Zero or more. A characterization of the impact of the incident. Zero or more. A characterization of the impact of the incident.
See Section 3.12.
Method Method
Zero or more. The techniques used by the intruder in the Zero or more. The techniques used by the intruder in the
incident. incident. See Section 3.11.
Contact Contact
One or more. Contact information for the parties involved in the One or more. Contact information for the parties involved in the
incident. incident. See Section 3.9.
EventData EventData
Zero or more. Description of the events comprising the incident. Zero or more. Description of the events comprising the incident.
See Section 3.14.
IndicatorData IndicatorData
Zero or more. Description of indicators. Zero or one. Description of indicators. See Section 3.28.
History History
Zero or one. A log of significant events or actions that occurred Zero or one. A log of significant events or actions that occurred
during the course of handling the incident. during the course of handling the incident. See Section 3.13.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. Zero or more. EXTENSION. Mechanism by which to extend the data
model.
The Incident class has eight attributes: The attributes of the Incident class are:
purpose purpose
Required. ENUM. The purpose attribute represents the reason why Required. ENUM. The purpose attribute represents the reason why
the IODEF document was created. It is closely related to the the IODEF document was created. It is closely related to the
Expectation class (Section 3.17). These values are maintained in Expectation class (Section 3.15). These values are maintained in
the "Incident-purpose" IANA registry per Table 1. This attribute the "Incident-purpose" IANA registry per Table 1. This attribute
is defined as an enumerated list: is defined as an enumerated list:
1. traceback. The document was sent for trace-back purposes. 1. traceback. The document was sent for trace-back purposes.
2. mitigation. The document was sent to request aid in 2. mitigation. The document was sent to request aid in
mitigating the described activity. mitigating the described activity.
3. reporting. The document was sent to comply with reporting 3. reporting. The document was sent to comply with reporting
requirements. requirements.
4. watch. The document was sent to convey indicators to watch 4. watch. The document was sent to convey indicators to watch
for particular activity. for particular activity.
5. other. The document was sent for purposes specified in the 5. other. The document was sent for purposes specified in the
Expectation class. Expectation class.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-purpose ext-purpose
Optional. STRING. A means by which to extend the purpose Optional. STRING. A means by which to extend the purpose
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
status status
Optional. ENUM. The status attribute conveys the state in a Optional. ENUM. The status attribute conveys the state in a
workflow where the incident is currently found. These values are workflow where the incident is currently found. These values are
maintained in the "Incident-status" IANA registry per Table 1. maintained in the "Incident-status" IANA registry per Table 1.
This attribute is defined as an enumerated list: This attribute is defined as an enumerated list:
skipping to change at page 17, line 46 skipping to change at page 23, line 5
investigation. investigation.
3. forwarded. The document has been forwarded to another party 3. forwarded. The document has been forwarded to another party
for handling. for handling.
4. resolved. The investigation into the activity in this 4. resolved. The investigation into the activity in this
document has concluded. document has concluded.
5. future. The described activity has not yet been detected. 5. future. The described activity has not yet been detected.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-status ext-status
Optional. STRING. A means by which to extend the status Optional. STRING. A means by which to extend the status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
xml:lang xml:lang
Optional. ENUM. A language identifier per Section 2.12 of Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The [W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1. The default value is
"private".
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.3. Common Attributes 3.3. Common Attributes
skipping to change at page 19, line 32 skipping to change at page 24, line 40
parties. parties.
6. white. Same as 'public'. 6. white. Same as 'public'.
7. green. Same as 'partner'. 7. green. Same as 'partner'.
8. amber. Same as 'need-to-know'. 8. amber. Same as 'need-to-know'.
9. red. Same as 'private'. 9. red. Same as 'private'.
10. ext-value. An escape value used to extend this attribute. See 10. ext-value. A value used to indicate that this attribute is
Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
3.3.2. observable-id Attribute 3.3.2. observable-id Attribute
Information included in an incident report may be an observable Information included in an incident report may be an observable
relevant to an indicator. The observable-id attribute provides a relevant to an indicator. The observable-id attribute provides a
unique identifier in the scope of the document for this observable. unique identifier in the scope of the document for this observable.
This identifier can then be used to reference the observable with an This identifier can then be used to reference the observable with an
ObservableReference class to define an indicator in the IndicatorData ObservableReference class to define an indicator in the IndicatorData
class. class.
skipping to change at page 20, line 18 skipping to change at page 25, line 27
| IncidentID | | IncidentID |
+------------------------+ +------------------------+
| STRING | | STRING |
| | | |
| STRING name | | STRING name |
| STRING instance | | STRING instance |
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 4: The IncidentID Class Figure 7: The IncidentID Class
The IncidentID class has four attributes: The content of the class is an incident identifier of type STRING.
The attributes of the IncidentID class are:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the document. In order to have a globally unique CSIRT created the document. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. MUST be used.
instance instance
Optional. STRING. An identifier referencing a subset of the Optional. STRING. An identifier referencing a subset of the
named incident. named incident.
restriction restriction
Optional. ENUM. See Section 3.3.1. The default value is Optional. ENUM. See Section 3.3.1.
"public".
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.5. AlternativeID Class 3.5. AlternativeID Class
The AlternativeID class lists the incident tracking numbers used by The AlternativeID class lists the incident tracking numbers used by
CSIRTs, other than the one generating the document, to refer to the CSIRTs, other than the one generating the document, to refer to the
identical activity described in the IODEF document. A tracking identical activity described in the IODEF document. A tracking
skipping to change at page 21, line 12 skipping to change at page 26, line 22
CSIRT that generated the IODEF document must never be considered an CSIRT that generated the IODEF document must never be considered an
AlternativeID. AlternativeID.
+------------------------+ +------------------------+
| AlternativeID | | AlternativeID |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ] | ENUM restriction |<>--{1..*}--[ IncidentID ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 5: The AlternativeID Class Figure 8: The AlternativeID Class
The aggregate class that constitutes AlternativeID is: The aggregate class of the AlternativeID class is:
IncidentID IncidentID
One or more. The incident tracking number of another CSIRT. One or more. The incident tracking number of another CSIRT. See
Section 3.4.
The AlternativeID class has two attributes: The attributes of the AlternativeID class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.6. RelatedActivity Class 3.6. RelatedActivity Class
skipping to change at page 21, line 46 skipping to change at page 27, line 17
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ] | ENUM restriction |<>--{0..*}--[ IncidentID ]
| STRING ext-restriction |<>--{0..*}--[ URL ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ Campaign ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 6: RelatedActivity Class Figure 9: RelatedActivity Class
The aggregate classes that constitutes RelatedActivity are: The aggregate classes of the RelatedActivity class are:
IncidentID IncidentID
One or more. The incident tracking number of a related incident. Zero or more. The incident tracking number of a related incident.
See Section 3.4.
URL URL
One or more. URL. A URL to activity related to this incident. Zero or more. URL. A URL to activity related to this incident.
ThreatActor ThreatActor
One or more. The threat actor to whom the described activity is Zero or more. The threat actor to whom the described activity is
attributed. attributed. See Section 3.7.
Campaign Campaign
One or more. The campaign of a given threat actor to whom the Zero or more. The campaign of a given threat actor to whom the
described activity is attributed. described activity is attributed. See Section 3.8.
Confidence Confidence
Zero or one. An estimate of the confidence in attributing this Zero or one. An estimate of the confidence in attributing this
RelatedActivity to the event described in the document. RelatedActivity to the event described in the document. See
Section 3.12.5.
Description Description
Zero or more. ML_STRING. A description of how these Zero or more. ML_STRING. A description of how these
relationships were derived. relationships were derived.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. EXTENSION. A mechanism by which to extend the data
model.
RelatedActivity MUST at least have one instance of IncidentID, URL, RelatedActivity MUST at least have one instance of a child class.
ThreatActor, or Campaign.
The RelatedActivity class has two attributes: The attributes of the RelatedActivity class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.7. ThreatActor Class 3.7. ThreatActor Class
The ThreatActor class describes a given actor. The ThreatActor class describes a given actor.
+------------------------+ +------------------------+
| ThreatActor | | ThreatActor |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ ThreatActorID ] | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 7: ThreatActor Class Figure 10: ThreatActor Class
The aggregate classes that constitutes ThreatActor are: The aggregate classes of the ThreatActor class are:
ThreatActorID ThreatActorID
One or more. STRING. An identifier for the ThreatActor. Zero or more. STRING. An identifier for the ThreatActor.
URL
Zero or more. URL. A URL associated with the ThreatActor.
Description Description
One or more. ML_STRING. A description of the ThreatActor. Zero or more. ML_STRING. A description of the ThreatActor.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. EXTENSION. A mechanism by which to extend the data
model.
ThreatActor MUST have at least one instance of a ThreatActorID or ThreatActor MUST have at least one instance of a child class.
Description.
The ThreatActor class has two attributes: The attributes of the ThreatActor class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.8. Campaign Class 3.8. Campaign Class
The Campaign class describes a campaign of attacks by a threat actor. The Campaign class describes a campaign of attacks by a threat actor.
+------------------------+ +------------------------+
| Campaign | | Campaign |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ CampaignID ] | ENUM restriction |<>--{0..*}--[ CampaignID ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 8: Campaign Class Figure 11: Campaign Class
The aggregate classes that constitutes Campaign are: The aggregate classes of the Campaign class are:
CampaignID CampaignID
One or more. STRING. An identifier for the Campaign. Zero or more. STRING. An identifier for the Campaign.
Description Description
One or more. ML_STRING. A description of the Campaign. Zero or more. ML_STRING. A description of the Campaign.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. EXTENSION. A mechanism by which to extend the data
model.
Campaign MUST have at least one instance of a CampaignID or Campaign MUST have at least one instance of a CampaignID or
Description. Description.
The Campaign class has two attributes: The attributes of the Campaign class are:
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.9. AdditionalData Class
The AdditionalData class serves as an extension mechanism for
information not otherwise represented in the data model. For
relatively simple information, atomic data types (e.g., integers,
strings) are provided with a mechanism to annotate their meaning.
The class can also be used to extend the data model (and the
associated Schema) to support proprietary extensions by encapsulating
entire XML documents conforming to another Schema. A detailed
discussion for extending the data model and the schema can be found
in Section 5.
Unlike XML, which is self-describing, atomic data must be documented
to convey its meaning. This information is described in the
'meaning' attribute. Since these descriptions are outside the scope
of the specification, some additional coordination may be required to
ensure that a recipient of a document using the AdditionalData
classes can make sense of the custom extensions.
+------------------------+
| AdditionalData |
+------------------------+
| ANY |
| |
| ENUM dtype |
| STRING ext-dtype |
| STRING meaning |
| STRING formatid |
| ENUM restriction |
| STRING ext-restriction |
+------------------------+
Figure 9: The AdditionalData Class
The AdditionalData class has six attributes:
dtype
Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"AdditionalData-dtype" IANA registry per Table 1.
1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE.
3. bytes. The element content is of type HEXBIN.
4. character. The element content is of type CHARACTER.
5. date-time. The element content is of type DATETIME.
6. ntpstamp. Same as date-time.
7. integer. The element content is of type INTEGER.
8. portlist. The element content is of type PORTLIST.
9. real. The element content is of type REAL.
10. string. The element content is of type STRING.
11. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type.
12. path. The element content is a file-system path encoded as a
STRING type.
13. frame. The element content is a layer-2 frame encoded as a
HEXBIN type.
14. packet. The element content is a layer-3 packet encoded as a
HEXBIN type.
15. ipv4-packet. The element content is an IPv4 packet encoded
as a HEXBIN type.
16. ipv6-packet. The element content is an IPv6 packet encoded
as a HEXBIN type.
17. url. The element content is of type URL.
18. csv. The element content is a comma-separated value (CSV)
list per Section 2 of [RFC4180] encoded as a STRING type.
19. winreg. The element content is a Windows registry key
encoded as a STRING type.
20. xml. The element content is XML. See Section 5.
21. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
meaning
Optional. STRING. A free-form description of the element
content.
formatid
Optional. STRING. An identifier referencing the format and
semantics of the element content.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
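The structural rules stated in Sections 3.1 through 3.8 (version MUST be "2.00", exactly one IncidentID whose name is the CSIRT's FQDN, AlternativeID never repeating the document's own IncidentID, RelatedActivity and Campaign needing at least one child class) and the dtype-driven content of AdditionalData (Section 2.17), as an added Python example that is not part of the draft. The namespace URI, the sample document and every identifier in it are assumptions made for the example.

```python
# Added example, not part of the draft: parse a constructed IODEF v2 document with the
# standard library, enforce the MUSTs of Sections 3.1-3.8, and decode AdditionalData by dtype.
import xml.etree.ElementTree as ET

# Assumption: namespace URI for the v2 schema; the excerpt above does not state it.
NS = "urn:ietf:params:xml:ns:iodef-2.0"
PURPOSES = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}

def q(tag):
    return "{%s}%s" % (NS, tag)  # qualify a local name with the IODEF namespace

# Constructed sample; every identifier, host name and value below is invented.
SAMPLE = """<IODEF-Document version="2.00" xmlns="%s">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">INC-2016-0001</IncidentID>
    <AlternativeID>
      <IncidentID name="cert.example.net">EXT-77</IncidentID>
    </AlternativeID>
    <RelatedActivity>
      <ThreatActor><ThreatActorID>ACTOR-A</ThreatActorID></ThreatActor>
      <Campaign><CampaignID>CAMP-7</CampaignID></Campaign>
    </RelatedActivity>
    <GenerationTime>2016-02-01T10:00:00Z</GenerationTime>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <AdditionalData dtype="bytes" meaning="beacon bytes">deadbeef</AdditionalData>
    <AdditionalData dtype="integer" meaning="hosts affected">12</AdditionalData>
  </Incident>
</IODEF-Document>""" % NS

# The same document with two violations: a wrong version, and the document's own
# IncidentID repeated inside AlternativeID (forbidden by Section 3.5).
BAD_SAMPLE = SAMPLE.replace('version="2.00"', 'version="1.00"').replace(
    'name="cert.example.net">EXT-77', 'name="csirt.example.com">INC-2016-0001')

def same_id(a, b):
    """Two IncidentID elements name the same ticket when CSIRT name and content match."""
    return a.get("name") == b.get("name") and (a.text or "").strip() == (b.text or "").strip()


def validate(xml_text):
    """Return the list of violated MUSTs; an empty list means the document passes."""
    errs = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return ["root element is not IODEF-Document"]
    if root.get("version") != "2.00":
        errs.append('IODEF-Document version MUST be "2.00"')
    incidents = root.findall(q("Incident"))
    if not incidents:
        errs.append("IODEF-Document needs one or more Incident")
    for inc in incidents:
        if inc.get("purpose") not in PURPOSES:
            errs.append("Incident purpose is required and must be a registered value")
        ids = inc.findall(q("IncidentID"))
        if len(ids) != 1:
            errs.append("Incident needs exactly one IncidentID")
            continue
        own = ids[0]
        if "." not in (own.get("name") or ""):  # name MUST be the CSIRT's FQDN
            errs.append("IncidentID name MUST be a fully qualified domain name")
        if inc.find(q("GenerationTime")) is None:
            errs.append("Incident needs GenerationTime")
        if not inc.findall(q("Contact")):
            errs.append("Incident needs one or more Contact")
        for alt in inc.findall(q("AlternativeID")):
            alt_ids = alt.findall(q("IncidentID"))
            if not alt_ids:
                errs.append("AlternativeID needs one or more IncidentID")
            if any(same_id(own, other) for other in alt_ids):
                errs.append("AlternativeID must never contain the document's own IncidentID")
        for ra in inc.findall(q("RelatedActivity")):
            if len(ra) == 0:
                errs.append("RelatedActivity needs at least one child class")
            for camp in ra.findall(q("Campaign")):
                if camp.find(q("CampaignID")) is None and camp.find(q("Description")) is None:
                    errs.append("Campaign needs a CampaignID or Description")
    return errs


def decode_extension(elem):
    """Decode an ExtensionType element's content according to its dtype attribute."""
    dtype = elem.get("dtype", "string")  # "string" is the draft's stated default
    text = (elem.text or "").strip()
    if dtype == "ext-value" and not elem.get("ext-dtype"):
        raise ValueError("dtype ext-value requires an ext-dtype attribute")
    if dtype == "bytes":  # HEXBIN content
        return bytes.fromhex(text)
    if dtype == "integer":
        return int(text)
    return text  # string, path, csv, winreg, url, xml: handed back as text


def additional_data(xml_text):
    """Return (meaning, decoded value) pairs for every AdditionalData element."""
    root = ET.fromstring(xml_text)
    return [(e.get("meaning"), decode_extension(e)) for e in root.iter(q("AdditionalData"))]
```

For documents received from other CSIRTs, parse with defusedxml or an equivalent guard against entity expansion and external entities rather than bare ElementTree.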
3.9. Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident. This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data. A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class. As such, multiple points of contact might be
   specified in a single instance of a Contact class. Each child
   Contact class logically inherits contact information from its
   [skipping to change at page 27, line 15 of draft -15 / page 30, line
   27 of draft -16]
   +------------------------+
   | Contact                |
   +------------------------+
   | ENUM role              |<>--{0..*}--[ ContactName ]
   | STRING ext-role        |<>--{0..*}--[ ContactTitle ]
   | ENUM type              |<>--{0..*}--[ Description ]
   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction       |<>--{0..1}--[ PostalAddress ]
   | STRING ext-restriction |<>--{0..*}--[ Email ]
   |                        |<>--{0..*}--[ Telephone ]
   |                        |<>--{0..1}--[ Timezone ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

   Figure 12: The Contact Class

   (In draft -15, Figure 10, the class also aggregated {0..1} Fax.)

   The aggregate classes of the Contact class are:

   ContactName
      Zero or more. ML_STRING. The name of the contact. The contact
      may either be an organization or a person. The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or more. ML_STRING. The title for the individual named in
      the ContactName.

   Description
      Zero or more. ML_STRING. A free-form description of this
      contact. In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more. A handle name into the registry of the contact.
      See Section 3.9.1.

   PostalAddress
      Zero or more. The postal address of the contact. See
      Section 3.9.2. (Zero or one in draft -15.)

   Email
      Zero or more. The email address of the contact. See
      Section 3.9.3.

   Telephone
      Zero or more. The telephone number of the contact. See
      Section 3.9.4.

   Fax
      Zero or one. The facsimile telephone number of the contact.
      (Draft -15 only; draft -16 carries fax numbers as the Telephone
      type "fax", Section 3.9.4.)

   Timezone
      Zero or one. TIMEZONE. The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more. A Contact instance contained within another Contact
      instance inherits the values of the parent(s). This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization. See Section 3.9.

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The attributes of the Contact class are:

   role
      Required. ENUM. Indicates the role the contact fulfills. This
      attribute is defined as an enumerated list. These values are
      maintained in the "Contact-role" IANA registry per Table 1.

      1. creator. The entity that generates the document.

      2. reporter. The entity that reported the information.
   [skipping to change at page 29, line 29 of draft -15 / page 32, line
   41 of draft -16]
      15. vendor. The vendor that produces an asset.

      16. vendor-support. A vendor that provides services.

      17. victim. A victim in the incident.

      18. victim-notified. A victim in the incident who has been
          notified.

      19. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-role
      Optional. STRING. A means by which to extend the role attribute.
      See Section 5.1.1.

   type
      Required. ENUM. Indicates the type of contact being described.
      This attribute is defined as an enumerated list. These values are
      maintained in the "Contact-type" IANA registry per Table 1.

      1. person. The information for this contact references an
         individual.

      2. organization. The information for this contact references an
         organization.

      3. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.
3.9.1. RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

   Figure 13: The RegistryHandle Class

   The content of the class is a handle into a registry of type STRING.

   The attributes of the RegistryHandle class are:

   registry
      Required. ENUM. The database to which the handle belongs. These
      values are maintained in the "RegistryHandle-registry" IANA
      registry per Table 1. The possible values are:

      1. internic. Internet Network Information Center

      2. apnic. Asia Pacific Network Information Center

      3. arin. American Registry for Internet Numbers

      4. lacnic. Latin-American and Caribbean IP Address Registry

      5. ripe. Reseaux IP Europeens

      6. afrinic. African Internet Numbers Registry

      7. local. A database local to the CSIRT

      8. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-registry
      Optional. STRING. A means by which to extend the registry
      attribute. See Section 5.1.1.
3.9.2. PostalAddress Class

   The PostalAddress class specifies a postal address and associated
   annotation.

   +--------------------+
   | PostalAddress      |
   +--------------------+
   | ENUM type          |<>----------[ PAddress ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

   Figure 14: The PostalAddress Class

   The aggregate classes of the PostalAddress class are:

   PAddress
      One. POSTAL. A postal address.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      address.

   The attributes of the PostalAddress class are:

   type
      Optional. ENUM. Categorizes the type of address described in the
      PAddress class. These values are maintained in the
      "PostalAddress-type" IANA registry per Table 1.

      1. street. An address describing a physical location.

      2. mailing. An address to which correspondence should be sent.

      3. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

   In draft -15 (Section 3.10.2) the PostalAddress class was instead
   defined as follows:

      The PostalAddress class specifies a postal address formatted
      according to the POSTAL data type (Section 2.11).

      +---------------------+
      | PostalAddress       |
      +---------------------+
      | POSTAL              |
      |                     |
      | STRING meaning      |
      | ENUM xml:lang       |
      +---------------------+

      Figure 12: The PostalAddress Class

      The PostalAddress class has two attributes:

      meaning
         Optional. STRING. A free-form description of the element
         content.

      xml:lang
         Optional. ENUM. A language identifier per Section 2.12 of
         [W3C.XML] whose values and form are described in [RFC5646]. The
         interpretation of this code is described in Section 6.

3.9.3. Email Class

   The Email class specifies an email address and associated annotation.

   +--------------------+
   | Email              |
   +--------------------+
   | ENUM type          |<>----------[ EmailTo ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

   Figure 15: The Email Class

   The aggregate classes of the Email class are:

   EmailTo
      One. EMAIL. An email address.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      email address.

   The attributes of the Email class are:

   type
      Optional. ENUM. Categorizes the type of email address described
      in the EmailTo class. These values are maintained in the
      "Email-type" IANA registry per Table 1.

      1. direct. An email address of an individual.

      2. hotline. An email address regularly monitored for operational
         purposes.

      3. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

   In draft -15 (Section 3.10.3) the Email class was instead defined as
   follows:

      The Email class specifies an email address formatted according to
      the EMAIL data type (Section 2.14).

      +--------------+
      | Email        |
      +--------------+
      | EMAIL        |
      |              |
      | ENUM meaning |
      +--------------+

      Figure 13: The Email Class

      The Email class has one attribute:

      meaning
         Optional. ENUM. A free-form description of the element content.

3.9.4. Telephone Class

   The Telephone class describes a telephone number and associated
   annotation.

   +--------------------+
   | Telephone          |
   +--------------------+
   | ENUM type          |<>----------[ TelephoneNumber ]
   | STRING ext-type    |<>--{0..*}--[ Description ]
   +--------------------+

   Figure 16: The Telephone Class

   The aggregate classes of the Telephone class are:

   TelephoneNumber
      One. PHONE. A telephone number.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      phone number.

   The attributes of the Telephone class are:

   type
      Optional. ENUM. Categorizes the type of telephone number
      described in the TelephoneNumber class. These values are
      maintained in the "Telephone-type" IANA registry per Table 1.

      1. direct. A number at an individual.

      2. mobile. A number of a mobile phone.

      3. fax. A number to a fax machine.

      4. hotline. A number to a regularly monitored operational
         hotline.

      5. ext-value. A value used to indicate that this attribute is
         extended and the actual value is provided using the
         corresponding ext-* attribute. See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.

   In draft -15 (Section 3.10.4) Telephone and Fax were defined together
   as follows:

      The Telephone and Fax classes specify a voice or fax telephone
      number respectively, and are formatted according to the PHONE data
      type (Section 2.13).

      +--------------------+
      | {Telephone | Fax } |
      +--------------------+
      | PHONE              |
      |                    |
      | ENUM meaning       |
      +--------------------+

      Figure 14: The Telephone and Fax Classes

      The Telephone class has one attribute:

      meaning
         Optional. ENUM. A free-form description of the element content
         (e.g., hours of coverage for a given number).

   The following Time Classes section stood at this point in draft -15
   (Section 3.11); draft -16 does not carry it here.

3.11. Time Classes (draft -15)

   The data model uses six different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +-----------------+
   | StartTime       |
   | EndTime         |
   | ReportTime      |
   | DetectTime      |
   | GenerationTime  |
   | DateTime        |
   +-----------------+
   | DATETIME        |
   +-----------------+

   Figure 15: The Time Classes

3.11.1. StartTime Class

   The StartTime class represents the time the incident began.

3.11.2. EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3. DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4. ReportTime Class

   The ReportTime class represents the time the incident was reported.

3.11.5. GenerationTime Class

   The GenerationTime class represents the time when the IODEF document
   was produced. This timestamp MUST be the time at which the IODEF
   document was generated.

3.11.6. DateTime

   The DateTime class is a generic representation of a timestamp. Infer
   its semantics from the parent class in which it is aggregated.

3.10. Discovery Class
   The Discovery class describes how an incident was detected.

   +------------------------+
   | Discovery              |
   +------------------------+
   | ENUM source            |<>--{0..*}--[ Description ]
   | STRING ext-source      |<>--{0..*}--[ Contact ]
   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
   | STRING ext-restriction |
   +------------------------+

   Figure 17: The Discovery Class

   The aggregate classes of the Discovery class are:

   Description
      Zero or more. ML_STRING. A free-form text description of how
      this incident was detected.

   Contact
      Zero or more. Contact information for the party that discovered
      the incident. See Section 3.9.

   DetectionPattern
      Zero or more. Describes an application-specific configuration
      that detected the incident. See Section 3.10.1.

   The attributes of the Discovery class are:

   source
      Optional. ENUM. Categorizes the techniques used to discover the
      incident. These values are partially derived from Table 3-1 of
      [NIST800.61rev2]. These values are maintained in the
      "Discovery-source" IANA registry per Table 1.

      1. nidps. Network Intrusion Detection or Prevention system.

      2. hips. Host-based Intrusion Prevention system.
   [skipping to change at page 35, line 19 of draft -15 / page 39, line
   5 of draft -16]
          organization.

      17. partner. A customer or business partner reported the
          activity to the victim organization.

      18. actor. The threat actor directly or indirectly reported this
          activity to the victim organization.

      19. unknown. Unknown detection approach.

      20. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.

   ext-source
      Optional. STRING. A means by which to extend the source
      attribute. See Section 5.1.1.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.
3.10.1. DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon. This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine-readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

   Figure 18: The DetectionPattern Class

   The aggregate classes of the DetectionPattern class are:

   Application
      One. SOFTWARE. The application for which the
      DetectionConfiguration or Description is being provided.

   Description
      Zero or more. ML_STRING. A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more. STRING. A machine-consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The attributes of the DetectionPattern class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.
3.11. Method Class

   The Method class describes the tactics, techniques, procedures or
   underlying issue used by the intruder in the incident. This class
   consists of both a list of references describing the attack methods
   and weaknesses and a free-form description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ sci:AttackPattern ]
   |                        |<>--{0..*}--[ sci:Vulnerability ]
   |                        |<>--{0..*}--[ sci:Weakness ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

   Figure 19: The Method Class

   The aggregate classes of the Method class are:

   Reference
      Zero or more. A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique. See Section 3.11.1.

   Description
      Zero or more. ML_STRING. A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   sci:AttackPattern
      Zero or more. A reference to a pattern of attack or exploitation
      per [RFC-SCI].

   sci:Vulnerability
      Zero or more. A reference to a vulnerability per [RFC-SCI].

   sci:Weakness
      Zero or more. A reference to the exploited weakness per [RFC-SCI].

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   An instance of one of these child classes MUST be present.

   The attributes of the Method class are:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.
3.11.1. Reference Class

   The Reference class is an external reference to relevant information
   such as a vulnerability, IDS alert, malware sample, advisory, or
   attack technique. A reference consists of a name, a URL to this
   reference, and an optional description.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL ]
   |                         |<>--{0..*}--[ Description ]
   +-------------------------+

   Figure 20: The Reference Class

   The aggregate classes of the Reference class are:

   enum:ReferenceName
      Zero or one. Reference identifier per [RFC-ENUM].

   URL
      Zero or more. URL. A URL associated with the reference.

   Description
      Zero or more. ML_STRING. A free-form text description of this
      reference.

   At least one of these classes MUST be present.

   The attribute of the Reference class is:

   observable-id
      Optional. ID. See Section 3.3.2.
3.12. Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..*}--[ Cause ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

   Figure 21: Assessment Class

   The aggregate classes of the Assessment class are:

   IncidentCategory
      Zero or more. ML_STRING. A free-form text description
      categorizing the type of Incident.

   SystemImpact
      Zero or more. Technical characterization of the impact of the
      activity on the victim's enterprise. See Section 3.12.1.

   BusinessImpact
      Zero or more. Impact of the activity on the business functions of
      the victim organization. See Section 3.12.2.

   TimeImpact
      Zero or more. Impact of the activity measured with respect to
      time. See Section 3.12.3.

   MonetaryImpact
      Zero or more. Impact of the activity measured with respect to
      financial loss. See Section 3.12.4.

   IntendedImpact
      Zero or more. Intended impact to the victim by the attacker.
      Defined identically to the BusinessImpact defined in
      Section 3.12.2, but describes intent rather than the realized
      impact.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity. See Section 3.18.3.

   MitigatingFactor
      Zero or more. ML_STRING. A description of a mitigating factor to
      an impact.

   Cause
      Zero or more. ML_STRING. A description of the underlying cause
      of the impact.

   Confidence
      Zero or one. An estimate of confidence in the assessment. See
      Section 3.12.5.

   AdditionalData
      Zero or more. EXTENSION. A mechanism by which to extend the data
      model.

   At least one instance of the possible five impact classes (i.e.,
   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
   IntendedImpact) MUST be present. (Draft -15 named three: Impact,
   TimeImpact, or MonetaryImpact.)

   The attributes of the Assessment class are:

   occurrence
      Optional. ENUM. Specifies whether the assessment is describing
      actual or potential outcomes.

      1. actual. This assessment describes activity that has occurred.

      2. potential. This assessment describes potential activity that
         might occur.

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.
[-15: 3.14.1.] [-16: 3.12.1.] SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   [-15: This class is based on [RFC4765].]

   [-15 figure:]

      +-----------------------+
      | SystemImpact          |
      +-----------------------+
      | ML_STRING             |
      |                       |
      | ENUM xml:lang         |
      | STRING translation-id |
      | ENUM severity         |
      | ENUM completion       |
      | ENUM type             |
      | STRING ext-type       |
      +-----------------------+

               Figure 21: SystemImpact Class

   [-16 figure:]

      +-----------------------+
      | SystemImpact          |
      +-----------------------+
      | ENUM severity         |<>--{0..*}--[ Description ]
      | ENUM completion       |
      | ENUM type             |
      | STRING ext-type       |
      +-----------------------+

               Figure 22: SystemImpact Class

   [-15: The element content will be a free-form textual description of
   the impact.

   The SystemImpact class has six attributes:]

   [-16: The aggregate class of the SystemImpact class is:

   Description
      Zero or more. ML_STRING. A free-form text description of the
      impact to the system.

   The attributes of the SystemImpact class are:]

   [-15: xml:lang
      Optional. ENUM. A language identifier. See Section 6.

   translation-id
      Optional. STRING. An identifier to relate other instances of
      this class as translations of this text. See Section 6.]

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity

   [skipping to change at page 42, line 47 (-15) / page 46, line 25 (-16)]

          monitored.
      21. monitoring-host. System activity (e.g., running processes,
          keystrokes) were monitored.
      22. policy. Activity violated the system owner's acceptable use
          policy.
      23. unknown. The impact is unknown.
      24. ext-value. [-15: An escape value used to extend this
          attribute.] [-16: A value used to indicate that this
          attribute is extended and the actual value is provided using
          the corresponding ext-* attribute.] See Section 5.1.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.
[-15: 3.14.2.] [-16: 3.12.2.] BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   [-15: The element body describes the impact to the organization as a
   free-form text string. The two attributes characterize the impact.]

   [-15 figure:]

      +-------------------------+
      | BusinessImpact          |
      +-------------------------+
      | ML_STRING               |
      |                         |
      | ENUM xml:lang           |
      | STRING translation-id   |
      | ENUM severity           |
      | STRING ext-severity     |
      | ENUM type               |
      | STRING ext-type         |
      +-------------------------+

               Figure 22: BusinessImpact Class

   [-16 figure:]

      +-------------------------+
      | BusinessImpact          |
      +-------------------------+
      | ENUM severity           |<>--{0..*}--[ Description ]
      | STRING ext-severity     |
      | ENUM type               |
      | STRING ext-type         |
      +-------------------------+

               Figure 23: BusinessImpact Class

   [-15: The element content will be a free-form textual description of
   the impact to the organization.

   The BusinessImpact class has four attributes:]

   [-16: The aggregate class of the BusinessImpact class is:

   Description
      Zero or more. ML_STRING. A free-form text description of the
      impact to the organization.

   The attributes of the BusinessImpact class are:]

   xml:lang
      [-15: Optional. ENUM. A language identifier. See Section 6.]
      [-16: Optional. ENUM. A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646]. The
      interpretation of this code is described in Section 6.]

   translation-id
      Optional. STRING. An identifier to relate other instances of
      this class as translations of this text. See Section 6.

   severity
      Optional. ENUM. Characterizes the severity of the incident on
      business functions. The permitted values are shown below. They
      were derived from Table 3-2 of [NIST800.61rev2]. The default
      value is "unknown". These values are maintained in the

   [skipping to change at page 44, line 13 (-15) / page 47, line 39 (-16)]

         critical services to all users but has lost efficiency.
      3. medium. The organization has lost the ability to provide a
         critical service to a subset of system users.
      4. high. The organization is no longer able to provide some
         critical services to any users.
      5. unknown. The impact is not known.
      6. ext-value. [-15: An escape value used to extend this
         attribute.] [-16: A value used to indicate that this attribute
         is extended and the actual value is provided using the
         corresponding ext-* attribute.] See Section 5.1.1.

   ext-severity
      Optional. STRING. A means by which to extend the severity
      attribute. See Section 5.1.1.

   type
      Required. ENUM. Characterizes the effect this incident had on
      the business. The permitted values are shown below. [-15: There
      is no default value.] [-16: The default value is "unknown".]
      These values are maintained in the "BusinessImpact-type" IANA
      registry per Table 1.

      1. breach-proprietary. Sensitive or proprietary information was
         accessed or exfiltrated.
      2. breach-privacy. Personally identifiable information was
         accessed or exfiltrated.
      3. breach-credential. Credential information was accessed or
         exfiltrated.

   [skipping to change at page 45, line 8 (-15) / page 48, line 35 (-16)]

      9. asset-damage. A cyber-physical system was damaged.
      10. asset-manipulation. A cyber-physical system was manipulated.
      11. legal. The incident resulted in legal or regulatory action.
      12. extortion. The incident resulted in actors extorting the
          victim organization.
      [-15: 13. ext-value. An escape value used to extend this
          attribute. See Section 5.1.1.]
      [-16: 13. unknown. The impact is unknown.
      14. ext-value. A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute. See Section 5.1.1.]

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.1.
[-15: 3.14.3.] [-16: 3.12.3.] TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time. It provides a way to convey down
   time and recovery time.

      +---------------------+
      | TimeImpact          |
      +---------------------+
      | REAL                |
      |                     |
      | ENUM severity       |
      | ENUM metric         |
      | STRING [-15: ext-metrics] [-16: ext-metric] |
      | ENUM duration       |
      | STRING ext-duration |
      +---------------------+

               Figure [-15: 23] [-16: 24]: TimeImpact Class

   [-15: The element content is a positive, floating point (REAL) number
   specifying a unit of time. The duration and metric attributes will
   imply the semantics of the element content.]
   [-16: The content of the class is a positive, floating point number
   of type REAL specifying a unit of time. The duration and metric
   attributes will imply the semantics.]

   [-15: The TimeImpact class has five attributes:]
   [-16: The attributes of the TimeImpact class are:]

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity

   [skipping to change at page 46, line 20 (-15) / page 50, line 5 (-16)]

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).
      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).
      3. downtime. Duration of time for which some provided service(s)
         was not available.
      4. ext-value. [-15: An escape value used to extend this
         attribute.] [-16: A value used to indicate that this attribute
         is extended and the actual value is provided using the
         corresponding ext-* attribute.] See Section 5.1.1.

   ext-metric
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.1.

   duration
      Optional. ENUM. Defines a unit of time, that when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content. The permitted values are
      shown below. The default value is "hour". These values are

   [skipping to change at page 46, line 48 (-15) / page 50, line 34 (-16)]

      3. hour. The unit of the element content is hours.
      4. day. The unit of the element content is days.
      5. month. The unit of the element content is months.
      6. quarter. The unit of the element content is quarters.
      7. year. The unit of the element content is years.
      8. ext-value. [-15: An escape value used to extend this
         attribute.] [-16: A value used to indicate that this attribute
         is extended and the actual value is provided using the
         corresponding ext-* attribute.] See Section 5.1.1.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.1.
[-15: 3.14.4.] [-16: 3.12.4.] MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

      +------------------+
      | MonetaryImpact   |
      +------------------+
      | REAL             |
      |                  |
      | ENUM severity    |
      | STRING currency  |
      +------------------+

               Figure [-15: 24] [-16: 25]: MonetaryImpact Class

   [-15: The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.]
   [-16: The content of the class is a positive, floating point number
   of type REAL specifying a unit of currency described in the currency
   attribute.]

   [-15: The MonetaryImpact class has two attributes:]
   [-16: The attributes of the MonetaryImpact class are:]

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity
      3. high. High severity

   currency
      Optional. STRING. Defines the currency in which the monetary
      impact is expressed. The permitted values are defined in "Codes
      for the representation of currencies and funds" of [ISO4217].
      There is no default value.
[-15: 3.14.5.] [-16: 3.12.5.] Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section [-15: 3.14] [-16: 3.12])
   of the incident activity. This estimate can be expressed as a
   category or a numeric calculation.

   This class is based upon [RFC4765].

      +------------------+
      | Confidence       |
      +------------------+
      | REAL             |
      |                  |
      | ENUM rating      |
      +------------------+

               Figure [-15: 25] [-16: 26]: Confidence Class

   [-15: The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric". Otherwise, this element MUST be empty.]
   [-16: The content of the class is a numerical assessment in the
   confidence of the data of type REAL when the value of the rating
   attribute is "numeric". Otherwise, this element MUST be empty.]

   [-15: The Confidence class has one attribute.]
   [-16: The attribute of the Confidence class is:]

   rating
      Required. ENUM. A rating of the analytical validity of the
      specified Assessment. The permitted values are shown below.
      There is no default value.

      1. low. Low confidence in the validity.
      2. medium. Medium confidence in the validity.
      3. high. High confidence in the validity.
      4. numeric. The element content contains a number that conveys
         the confidence of the data. The semantics of this number are
         outside the scope of this specification.
      5. unknown. The confidence rating value is not known.
[-15: 3.15.] [-16: 3.13.] History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

      +------------------------+
      | History                |
      +------------------------+
      | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
      | STRING ext-restriction |
      +------------------------+

               Figure [-15: 26] [-16: 27]: The History Class

   [-15: The class that constitutes History is:]
   [-16: The aggregate classes of the History class are:]

   HistoryItem
      [-15: One or many.] [-16: One or more.] Entry in the history log
      of significant events or actions performed by the involved
      parties. [-16: See Section 3.13.1.]

   [-15: The History class has two attributes:]
   [-16: The attributes of the History class are:]

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is
      "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.
[-15: 3.15.1.] [-16: 3.13.1.] HistoryItem Class

   The HistoryItem class is an entry in the History (Section [-15: 3.15]
   [-16: 3.13]) log that documents a particular action or event that
   occurred in the course of handling the incident. The details of the
   entry are a free-form description, but each can be categorized with
   the type attribute.

   [-15 figure:]

      +-------------------------+
      | HistoryItem             |
      +-------------------------+
      | ENUM restriction        |<>----------[ DateTime ]
      | STRING ext-restriction  |<>--{0..1}--[ IncidentId ]
      | ENUM action             |<>--{0..1}--[ Contact ]
      | STRING ext-action       |<>--{0..*}--[ Description ]
      | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
      |                         |<>--{0..*}--[ AdditionalData ]
      +-------------------------+

               Figure 27: HistoryItem Class

   [-16 figure:]

      +-------------------------+
      | HistoryItem             |
      +-------------------------+
      | ENUM action             |<>----------[ DateTime ]
      | STRING ext-action       |<>--{0..1}--[ IncidentId ]
      | ENUM restriction        |<>--{0..1}--[ Contact ]
      | STRING ext-restriction  |<>--{0..*}--[ Description ]
      | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
      |                         |<>--{0..*}--[ AdditionalData ]
      +-------------------------+

               Figure 28: HistoryItem Class

   [-15: The aggregate classes that constitute HistoryItem are:]
   [-16: The aggregate classes of the HistoryItem class are:]

   DateTime
      One. [-16: DATETIME.] Timestamp of this entry in the history log
      (e.g., when the action described in the Description was taken).

   IncidentID
      Zero or One. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number. When a single organization is maintaining the
      log, this class can be ignored. [-16: See Section 3.4.]

   Contact
      Zero or One. Provides contact information for the person that
      performed the action documented in this class. [-16: See
      Section 3.9.]

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      action or event.

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more. [-16: EXTENSION.] A mechanism by which to extend
      the data model.

   [-15: The HistoryItem class has five attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.]

   [-16: The attributes of the HistoryItem class are:]

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the action attribute of the Expectation class. The difference
      is only one of tense. When an action is in this class, it has
      been completed. See Section [-15: 3.17] [-16: 3.15].

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.1.

   [-16: restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.]

   observable-id
      Optional. ID. See Section 3.3.2.
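   Several of the rules in the Assessment, Confidence and HistoryItem
   sections above are MUST-level constraints that an XML Schema cannot
   express: Assessment has to carry at least one of the five impact
   classes, TimeImpact and MonetaryImpact content has to be a positive
   REAL, Confidence may carry content only when rating="numeric", and a
   HistoryItem with action="defined-coa" has to carry a DefinedCOA. The
   following checker is an added example, not code from the draft or
   from any IODEF implementation; the namespace URI and the sample
   document are constructed for illustration, and the sample
   deliberately violates three of the rules.

```python
"""Checks for IODEF v2 rules that the XML Schema does not enforce.

Added example, not code from the draft or from any IODEF
implementation. The namespace URI and the sample document are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Assumed namespace URI (illustration only; the draft's schema defines the real one).
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
NS = {"iodef": IODEF_NS}

# The five impact classes of which an Assessment MUST carry at least one.
IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact",
                  "MonetaryImpact", "IntendedImpact")


def _local(el):
    """Local name of an element, with the namespace stripped."""
    return el.tag.split("}", 1)[1] if "}" in el.tag else el.tag


def check_positive_real(el):
    """TimeImpact and MonetaryImpact content is a positive REAL."""
    text = (el.text or "").strip()
    try:
        value = float(text)
    except ValueError:
        return [f"{_local(el)}: content {text!r} is not a number"]
    return [] if value > 0 else [f"{_local(el)}: content must be positive, got {value}"]


def check_confidence(conf):
    """Confidence carries a number only when rating="numeric"; otherwise it MUST be empty."""
    rating = conf.get("rating")
    text = (conf.text or "").strip()
    if rating == "numeric":
        try:
            float(text)
            return []
        except ValueError:
            return [f"Confidence: rating=numeric but content {text!r} is not a number"]
    return [f"Confidence: rating={rating!r} but element is not empty"] if text else []


def check_assessment(assessment):
    """Assessment MUST contain at least one impact class; also check its children."""
    problems = []
    if not any(_local(child) in IMPACT_CLASSES for child in assessment):
        problems.append("Assessment: none of " + "/".join(IMPACT_CLASSES) + " present")
    for child in assessment:
        if _local(child) in ("TimeImpact", "MonetaryImpact"):
            problems.extend(check_positive_real(child))
        elif _local(child) == "Confidence":
            problems.extend(check_confidence(child))
    return problems


def check_history_item(item):
    """DefinedCOA MUST be present when action="defined-coa"."""
    if item.get("action") == "defined-coa" and item.find("iodef:DefinedCOA", NS) is None:
        return ["HistoryItem: action=defined-coa without a DefinedCOA child"]
    return []


def validate(xml_text):
    """Run every check over a document; an empty list means no rule was violated."""
    root = ET.fromstring(xml_text)
    problems = []
    for a in root.iter(f"{{{IODEF_NS}}}Assessment"):
        problems.extend(check_assessment(a))
    for h in root.iter(f"{{{IODEF_NS}}}HistoryItem"):
        problems.extend(check_history_item(h))
    return problems


# Constructed sample: the first Assessment is fine, the second violates two
# rules (no impact class, non-numeric Confidence with content), and the
# HistoryItem violates a third (defined-coa without DefinedCOA).
SAMPLE = f"""<IODEF-Document xmlns="{IODEF_NS}" version="2.00">
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">CONSTRUCTED-1</IncidentID>
  <Assessment occurrence="actual">
   <TimeImpact metric="downtime" duration="hour">3.5</TimeImpact>
   <Confidence rating="numeric">0.8</Confidence>
  </Assessment>
  <Assessment>
   <Confidence rating="high">0.9</Confidence>
  </Assessment>
  <History>
   <HistoryItem action="defined-coa">
    <DateTime>2016-02-01T10:00:00Z</DateTime>
   </HistoryItem>
  </History>
 </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print(problem)
```

   A receiving CSIRT would run such checks after schema validation and
   before acting on the document; a conforming sender should never
   trigger them, so each finding is worth logging as a data-quality
   event in its own right.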
[-15: 3.16.] [-16: 3.14.] EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks. This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.

      +-------------------------+
      | EventData               |
      +-------------------------+

   [skipping to change at page 51, line 40 (-15) / page 55, line 38 (-16)]

      |                         |<>--{0..*}--[ Discovery ]
      |                         |<>--{0..1}--[ Assessment ]
      |                         |<>--{0..*}--[ Method ]
      |                         |<>--{0..*}--[ Flow ]
      |                         |<>--{0..*}--[ Expectation ]
      |                         |<>--{0..1}--[ Record ]
      |                         |<>--{0..*}--[ EventData ]
      |                         |<>--{0..*}--[ AdditionalData ]
      +-------------------------+

               Figure [-15: 28] [-16: 29]: The EventData Class

   [-15: The aggregate classes that constitute EventData are:]
   [-16: The aggregate classes of the EventData class are:]

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      event.

   DetectTime
      Zero or one. [-16: DATETIME.] The time the event was detected.

   StartTime
      Zero or one. [-16: DATETIME.] The time the event started.

   EndTime
      Zero or one. [-16: DATETIME.] The time the event ended.

   RecoveryTime
      Zero or one. [-16: DATETIME.] The time the site recovered from
      the event.

   ReportTime
      One. [-16: DATETIME.] The time the event was reported.

   Contact
      Zero or more. Contact information for the parties involved in the
      event. [-16: See Section 3.9.]

   Discovery
      Zero or more. The means by which the event was detected. [-16:
      See Section 3.10.]

   Assessment
      Zero or one. The impact of the event on the target and the
      actions taken. [-16: See Section 3.12.]

   Method
      Zero or more. The technique used by the intruder in the event.
      [-16: See Section 3.11.]

   Flow
      Zero or more. A description of the systems or networks involved.
      [-16: See Section 3.16.]

   Expectation
      Zero or more. The expected action to be performed by the
      recipient for the described event. [-16: See Section 3.15.]

   Record
      Zero or one. Supportive data (e.g., log files) that provides
      additional information about the event. [-16: See Section 3.22.]

   EventData
      Zero or more. EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events. When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual events.
      [-16: See Section 3.14.]

   AdditionalData
      Zero or more. [-16: EXTENSION.] An extension mechanism for data
      not explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   [-15: The EventData class has three attributes:]
   [-16: The attributes of the EventData class are:]

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is
      "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction
      attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.
[-15: 3.16.1.] [-16: 3.14.1.] Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident. In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class. However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident. In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in Incident.

[-15: 3.16.2.] [-16: 3.14.2.] Cardinality of EventData

   The EventData class is a container for the properties of an event in
   an incident. These properties include: the hosts involved, impact of
   the incident activity on the hosts, forensic logs, etc. With an
   instance of the EventData class, hosts are grouped around these
   common properties.

   The recursive definition of the EventData class (the EventData class
   is aggregated into the EventData class) provides a way to relate
   information without requiring the explicit use of unique attribute
   identifiers in the classes or duplicating information. Instead, the
   relative depth (nesting) of a class is used to group (relate)
   information.
For example, an EventData class might be used to describe two For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can different. A depiction of the representation for this situation can
be found in Figure 29. be found in Figure 30.
+------------------+ +------------------+
| EventData | | EventData |
+------------------+ +------------------+
| |<>----[ Contact ] | |<>----[ Contact ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
+------------------+ +------------------+
Figure 29: Recursion in the EventData Class Figure 30: Recursion in the EventData Class
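Review bot: the paragraph beginning "The recursive definition of the EventData class" places no bound on nesting depth and relies on relative depth alone to relate information, so a consumer cannot truncate processing at some depth without losing the grouping the sender intended; a sentence stating that implementations must accept arbitrarily deep nesting, and should process it without unbounded recursion, would help implementers. The renumbering in this hunk (3.16.2 to 3.14.2, Figure 29 to Figure 30) should also be checked against every cross-reference elsewhere in the draft.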
3.17. Expectation Class 3.15. Expectation Class
The Expectation class conveys to the recipient of the IODEF document The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM action |<>--{0..*}--[ Description ]
| STRING ext-restriction |<>--{0..*}--[ DefinedCOA ] | STRING ext-action |<>--{0..*}--[ DefinedCOA ]
| ENUM severity |<>--{0..1}--[ StartTime ] | ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM action |<>--{0..1}--[ EndTime ] | ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-restriction |<>--{0..1}--[ Contact ]
| ID observable-id | | ID observable-id |
| |
+-------------------------+ +-------------------------+
Figure 30: The Expectation Class Figure 31: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes of the Expectation class are:
Description Description
Zero or more. ML_STRING. A free-form description of the desired Zero or more. ML_STRING. A free-form description of the desired
action(s). action(s).
DefinedCOA DefinedCOA
Zero or more. ML_STRING. A unique identifier meaningful to the Zero or more. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set action. This class MUST be present if the action attribute is set
to "defined-coa". to "defined-coa".
StartTime StartTime
Zero or one. The time at which the sender would like the action Zero or one. DATETIME. The time at which the sender would like
performed. A timestamp that is earlier than the ReportTime the action performed. A timestamp that is earlier than the
specified in the Incident class denotes that the sender would like ReportTime specified in the Incident class denotes that the sender
the action performed as soon as possible. The absence of this would like the action performed as soon as possible. The absence
element indicates no expectations of when the recipient would like of this element indicates no expectations of when the recipient
the action performed. would like the action performed.
EndTime EndTime
Zero or one. The time by which the sender expects the recipient Zero or one. DATETIME. The time by which the sender expects the
to complete the action. If the recipient cannot complete the recipient to complete the action. If the recipient cannot
action before EndTime, the recipient MUST NOT carry out the complete the action before EndTime, the recipient MUST NOT carry
action. Because of transit delays, clock drift, and so on, the out the action. Because of transit delays, clock drift, and so
sender MUST be prepared for the recipient to have carried out the on, the sender MUST be prepared for the recipient to have carried
action, even if it completes past EndTime. out the action, even if it completes past EndTime.
Contact Contact
Zero or one. The expected actor for the action. Zero or one. The expected actor for the action. See Section 3.9.
The Expectations class has six attributes:
restriction
Optional. ENUM. See Section 3.3.1. The default value is
"default".
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
severity
Optional. ENUM. Indicates the desired priority of the action.
This attribute is an enumerated list with no default value, and
the semantics of these relative measures are context dependent.
1. low. Low priority
2. medium. Medium priority
3. high. High priority The attributes of the Expectation class are:
action action
Optional. ENUM. Classifies the type of action requested. This Optional. ENUM. Classifies the type of action requested. This
attribute is an enumerated list with a default value of "other". attribute is an enumerated list with a default value of "other".
These values are maintained in the "Expectation-action" IANA These values are maintained in the "Expectation-action" IANA
registry per Table 1. registry per Table 1.
1. nothing. No action is requested. Do nothing with the 1. nothing. No action is requested. Do nothing with the
information. information.
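Review bot: the StartTime description contradicts itself in both revisions: it opens with "The time at which the sender would like the action performed" but closes with "The absence of this element indicates no expectations of when the recipient would like the action performed"; the expectation belongs to the sender in both sentences, so the closing clause should read "no expectation of when the sender would like the action performed". In the opening paragraph, "limited to purview of the EventData class" is missing "the" before "purview".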
skipping to change at page 57, line 29 skipping to change at page 61, line 11
if seen. if seen.
21. training. Train user to identify or mitigate a threat. 21. training. Train user to identify or mitigate a threat.
22. defined-coa. Perform a predefined course of action (COA). 22. defined-coa. Perform a predefined course of action (COA).
The COA is named in the DefinedCOA class. The COA is named in the DefinedCOA class.
23. other. Perform some custom action described in the 23. other. Perform some custom action described in the
Description class. Description class.
24. ext-value. An escape value used to extend this attribute. 24. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
severity
Optional. ENUM. Indicates the desired priority of the action.
This attribute is an enumerated list with no default value, and
the semantics of these relative measures are context dependent.
1. low. Low priority
2. medium. Medium priority
3. high. High priority
restriction
Optional. ENUM. See Section 3.3.1. The default value is
"default".
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
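Review bot: item 22 ("defined-coa") is backed by a requirement on the DefinedCOA aggregate ("This class MUST be present if the action attribute is set to "defined-coa""), but item 23 ("other. Perform some custom action described in the Description class") has no corresponding requirement on Description, so a recipient cannot tell whether an Expectation with action="other" and no Description is malformed or simply has nothing to do; suggest adding "This class MUST be present if the action attribute is set to "other"" to the Description entry, or stating explicitly how the recipient treats that case.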
3.18. Flow Class 3.16. Flow Class
The Flow class groups related the source and target hosts. The Flow class groups related the source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 31: The Flow Class Figure 32: The Flow Class
The aggregate class that constitutes Flow is: The aggregate class of the Flow class is:
System System
One or More. A host or network involved in an event. One or More. A host or network involved in an event. See
Section 3.17.
The Flow class has no attributes. The Flow class has no attributes.
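Review bot: "The Flow class groups related the source and target hosts." does not parse in either revision; suggest "The Flow class groups the related source and target hosts." Also "One or More" in the System entry should be "One or more" to match the capitalization of the other cardinality entries in this draft.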
3.19. System Class 3.17. System Class
The System class describes a system or network involved in an event. The System class describes a system or network involved in an event.
The systems or networks represented by this class are categorized The systems or networks represented by this class are categorized
according to the role they played in the incident through the according to the role they played in the incident through the
category attribute. The value of this category attribute dictates category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is classes denote the machine and service from which the activity is
originating. With a category attribute value of "target" or originating. With a category attribute value of "target" or
"intermediary", then the machine or service is the one targeted in "intermediary", then the machine or service is the one targeted in
the activity. A value of "sensor" dictates that this System was part the activity. A value of "sensor" dictates that this System was part
of an instrumentation to monitor the network. of an instrumentation to monitor the network.
+------------------------+ +------------------------+
| System | | System |
+------------------------+ +------------------------+
| ENUM restriction |<>----------[ Node ] | ENUM category |<>----------[ Node ]
| STRING ext-restriction |<>--{0..*}--[ NodeRole ] | STRING ext-category |<>--{0..*}--[ NodeRole ]
| ENUM category |<>--{0..*}--[ Service ] | STRING interface |<>--{0..*}--[ Service ]
| STRING ext-category |<>--{0..*}--[ OperatingSystem ] | ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
| STRING interface |<>--{0..*}--[ Counter ] | ENUM virtual |<>--{0..*}--[ Counter ]
| ENUM spoofed |<>--{0..*}--[ AssetID ] | ENUM ownership |<>--{0..*}--[ AssetID ]
| ENUM virtual |<>--{0..*}--[ Description ] | STRING ext-ownership |<>--{0..*}--[ Description ]
| ENUM ownership |<>--{0..*}--[ AdditionalData ] | ENUM restriction |<>--{0..*}--[ AdditionalData ]
| STRING ext-ownership | | STRING ext-restriction |
| |
+------------------------+ +------------------------+
Figure 32: The System Class Figure 33: The System Class
The aggregate classes that constitute System are: The aggregate classes of the System class are:
Node Node
One. A host or network involved in the incident. One. A host or network involved in the incident. See
Section 3.18.
NodeRole NodeRole
Zero or more. The intended purpose of the system. Zero or more. The intended purpose of the system. See
Section 3.18.2.
Service Service
Zero or more. A network service running on the system. Zero or more. A network service running on the system. See
Section 3.20.
OperatingSystem OperatingSystem
Zero or more. The operating system running on the system. Zero or more. SOFTWARE. The operating system running on the
system.
Counter Counter
Zero or more. A counter with which to summarize properties of Zero or more. A counter with which to summarize properties of
this host or network. this host or network. See Section 3.18.3.
AssetID AssetID
Zero or more. An asset identifier for the System. Zero or more. STRING. An asset identifier for the System.
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
System. System.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. EXTENSION. A mechanism by which to extend the data
model.
The System class has nine attributes:
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction The attributes of the System class are:
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
category category
Optional. ENUM. Classifies the role the host or network played Optional. ENUM. Classifies the role the host or network played
in the incident. These values are maintained in the "System- in the incident. These values are maintained in the "System-
category" IANA registry per Table 1. The possible values are: category" IANA registry per Table 1. The possible values are:
1. source. The System was the source of the event. 1. source. The System was the source of the event.
2. target. The System was the target of the event. 2. target. The System was the target of the event.
3. intermediate. The System was an intermediary in the event. 3. intermediate. The System was an intermediary in the event.
4. sensor. The System was a sensor monitoring the event. 4. sensor. The System was a sensor monitoring the event.
5. infrastructure. The System was an infrastructure node of 5. infrastructure. The System was an infrastructure node of
IODEF document exchange. IODEF document exchange.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
interface interface
Optional. STRING. Specifies the interface on which the event(s) Optional. STRING. Specifies the interface on which the event(s)
on this System originated. If the Node class specifies a network on this System originated. If the Node class specifies a network
rather than a host, this attribute has no meaning. rather than a host, this attribute has no meaning.
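Review bot: the prose says "With a category attribute value of "target" or "intermediary"" while the enumeration lists the token as "intermediate" (item 3); because the "System-category" IANA registry is keyed on the literal token, the enumeration should be treated as authoritative and the prose corrected to "intermediate". The same sentence also gives "target" and "intermediate" identical semantics ("the machine or service is the one targeted in the activity"), which leaves the meaning of an intermediate system undefined; a separate sentence for "intermediate" would remove the ambiguity. "part of an instrumentation to monitor the network" would read better as "part of the instrumentation used to monitor the network".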
skipping to change at page 61, line 10 skipping to change at page 65, line 10
organization. organization.
4. customer. The System is owned by a customer of the 4. customer. The System is owned by a customer of the
organization. organization.
5. no-relationship. The System is owned by an entity that has no 5. no-relationship. The System is owned by an entity that has no
known relationship with the organization. known relationship with the organization.
6. unknown. The ownership of the System is unknown. 6. unknown. The ownership of the System is unknown.
7. ext-value. An escape value used to extend this attribute. 7. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-ownership ext-ownership
Optional. STRING. A means by which to extend the ownership Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.20. Node Class restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.18. Node Class
The Node class names an asset or network. The Node class names an asset or network.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ PostalAddress ] | |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Location ] | |<>--{0..*}--[ Location ]
| |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
+---------------+ +---------------+
Figure 33: The Node Class Figure 34: The Node Class
The aggregate classes that constitute Node are: The aggregate classes of the Node class are:
DomainData DomainData
Zero or more. The detailed domain (DNS) information associated Zero or more. The detailed domain (DNS) information associated
with this Node. If an Address is not provided, at least one with this Node. If an Address is not provided, at least one
DomainData MUST be specified. DomainData MUST be specified. See Section 3.19.
Address Address
Zero or more. The hardware, network, or application address of Zero or more. The hardware, network, or application address of
the Node. If a DomainData is not provided, at least one Address the Node. If a DomainData is not provided, at least one Address
MUST be specified. MUST be specified. See Section 3.18.1.
PostalAddress PostalAddress
Zero or one. The postal address of the asset. Zero or one. POSTAL. The postal address of the asset.
Location Location
Zero or more. ML_STRING. A free-form description of the physical Zero or more. ML_STRING. A free-form description of the physical
location of the Node. This description may provide a more location of the Node. This description may provide a more
detailed description of where in the PostalAddress this Node is detailed description of where in the PostalAddress this Node is
found (e.g., room number, rack number, slot number in a chassis). found (e.g., room number, rack number, slot number in a chassis).
Counter Counter
Zero or more. A counter with which to summarizes properties of Zero or more. A counter with which to summarizes properties of
this host or network. this host or network. See Section 3.18.3.
The Node class has no attributes. The Node class has no attributes.
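Review bot: the -16 figure adds a "{0..1}--[ DateTime ]" aggregate to Node, but the list of aggregate classes that follows still has no DateTime entry, so its type and meaning are undefined; either add an entry stating both or drop it from the figure. Also the Counter entry reads "A counter with which to summarizes properties" in both revisions; should be "summarize".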
3.20.1. Address Class 3.18.1. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| STRING |
| |
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
| ID observable-id | | ID observable-id |
+-------------------------+ +-------------------------+
Figure 34: The Address Class Figure 35: The Address Class
The Address class has five attributes: The content of the class is an address of type STRING whose semantics
are determined by the category attribute.
The attributes of the Address class are:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". These values are maintained in the "Address- "ipv6-addr". These values are maintained in the "Address-
category" IANA registry per Table 1. category" IANA registry per Table 1.
1. asn. Autonomous System Number 1. asn. Autonomous System Number
2. atm. Asynchronous Transfer Mode (ATM) address 2. atm. Asynchronous Transfer Mode (ATM) address
3. e-mail. Electronic mail address (RFC 822) 3. e-mail. Electronic mail address (RFC 822)
4. ipv4-addr. IPv4 host address in dotted-decimal notation 4. ipv4-addr. IPv4 host address in dotted-decimal notation
(a.b.c.d) (a.b.c.d)
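Review bot: the default for category changes from "ipv4-addr" (-15) to "ipv6-addr" (-16) without comment. Because the default applies to every Address element that omits the attribute, a -15-era document carrying a bare dotted-decimal value would be read as an IPv6 address by a -16 consumer; if the change is intended it should be named in the change log, and the text should tell consumers to validate the element content against the effective category rather than trusting the default.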
skipping to change at page 63, line 22 skipping to change at page 67, line 33
7. ipv6-addr. IPv6 host address 7. ipv6-addr. IPv6 host address
8. ipv6-net. IPv6 network address, slash, significant bits 8. ipv6-net. IPv6 network address, slash, significant bits
9. ipv6-net-mask. IPv6 network address, slash, network mask 9. ipv6-net-mask. IPv6 network address, slash, network mask
10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f) 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
11. site-uri. A URL or URI for a resource. 11. site-uri. A URL or URI for a resource.
12. ext-value. An escape value used to extend this attribute. 12. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
vlan-name vlan-name
Optional. STRING. The name of the Virtual LAN to which the Optional. STRING. The name of the Virtual LAN to which the
address belongs. address belongs.
vlan-num vlan-num
Optional. STRING. The number of the Virtual LAN to which the Optional. STRING. The number of the Virtual LAN to which the
address belongs. address belongs.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
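Review bot: vlan-num is typed INTEGER in the figure ("| INTEGER vlan-num |") but described as "Optional. STRING." in the attribute list, in both revisions; the two must agree, and INTEGER is the better choice since it lets a consumer range-check the value on input. Item 10, "mac ... (i.e., a:b:c:d:e:f)", should use "e.g.", as the colon-separated form is one notation among several.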
3.20.2. NodeRole Class 3.18.2. NodeRole Class
The NodeRole class describes the function performed by a particular . The NodeRole class describes the function performed by a particular
system.
+---------------------+ +-----------------------+
| NodeRole | | NodeRole |
+---------------------+ +-----------------------+
| ENUM category | | ENUM category |<>--{0..*}--[ Description ]
| STRING ext-category | | STRING ext-category |
| ENUM xml:lang | +-----------------------+
+---------------------+
Figure 35: The NodeRole Class Figure 36: The NodeRole Class
The NodeRole class has three attributes: The aggregate class of the NodeRole class is:
Description
Zero or more. ML_STRING. A free-form text description of the
role of the system.
The attributes of the NodeRole class are:
xml:lang
Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6.
translation-id
Optional. STRING. An identifier to relate other instances of
this class as translations of this text. See Section 6.
category category
Required. ENUM. Functionality provided by a node. These values Required. ENUM. Functionality provided by a node. These values
are maintained in the "NodeRole-category" IANA registry per are maintained in the "NodeRole-category" IANA registry per
Table 1. Table 1.
1. client. Client computer 1. client. Client computer
2. client-enterprise. Client computer on the enterprise network 2. client-enterprise. Client computer on the enterprise network
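Review bot: the -16 figure for NodeRole shows only category and ext-category as attributes, yet the attribute list that follows adds xml:lang and translation-id; either add "| ENUM xml:lang |" and "| STRING translation-id |" to the figure or remove them from the list, so that the figure and the text describe the same class.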
skipping to change at page 66, line 4 skipping to change at page 70, line 33
40. scada. Supervisory control and data acquisition system 40. scada. Supervisory control and data acquisition system
41. scada-supervisory. Supervisory system for a SCADA 41. scada-supervisory. Supervisory system for a SCADA
42. sinkhole. Traffic sinkhole destination 42. sinkhole. Traffic sinkhole destination
43. honeypot. Honeypot server 43. honeypot. Honeypot server
44. anonymization. Anonymization server (e.g., Tor node) 44. anonymization. Anonymization server (e.g., Tor node)
45. c2. Malicious command and control server
45. c2-server. Malicious command and control server
46. malware-distribution. Server that distributes malware 46. malware-distribution. Server that distributes malware
47. drop-server. Server to which exfiltrated content is 47. drop-server. Server to which exfiltrated content is
uploaded. uploaded.
48. hop-point. Intermediary server used to get to a victim. 48. hop-point. Intermediary server used to get to a victim.
49. reflector. A system used in a reflector attacker. 49. reflector. A system used in a reflector attacker.
50. phishing-site. Site hosting phishing content 50. phishing-site. Site hosting phishing content
51. spear-phishing-site. Site hosting spear-phishing content 51. spear-phishing-site. Site hosting spear-phishing content
52. recruiting-site. Site to recruit 52. recruiting-site. Site to recruit
53. fraudulent-site. Fraudulent site. 53. fraudulent-site. Fraudulent site.
54. ext-value. An escape value used to extend this attribute. 54. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
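Review bot: item 49 reads "A system used in a reflector attacker." in both revisions; should be "reflector attack". Item 45 is renamed from "c2-server" (-15) to "c2" (-16); since the values are the literal tokens of the "NodeRole-category" IANA registry (per Table 1, as the category entry states), the rename needs to be reflected in the IANA considerations and in any example documents. Trailing periods are inconsistent across the list: items 47 to 49 and 53 end with one, items 40 to 46 and 50 to 52 do not.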
xml:lang 3.18.3. Counter Class
Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6.
3.20.3. Counter Class
The Counter class summarize multiple occurrences of some event, or The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
events). events).
The value of the counter is the element content with its units The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the are entirely context dependent based on the class in which the
Counter is aggregated. Counter is aggregated.
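Review bot: "The Counter class summarize multiple occurrences" should be "summarizes" in both revisions. The second paragraph states that the semantics are "entirely context dependent based on the class in which the Counter is aggregated"; since Counter is aggregated by System, Node and others, a pointer to where each aggregating class constrains its meaning would help implementers.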
skipping to change at page 67, line 19 skipping to change at page 71, line 39
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| ENUM unit | | ENUM unit |
| STRING ext-unit | | STRING ext-unit |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 36: The Counter Class Figure 37: The Counter Class
The Counter class has seven attribute: The content of the class is a counter value of type REAL.
The attributes of the Counter class are:
type type
Required. ENUM. Specifies the type of counter specified in the Required. ENUM. Specifies the type of counter specified in the
element content. These values are maintained in the "Counter- element content. These values are maintained in the "Counter-
type" IANA registry per Table 1. type" IANA registry per Table 1.
1. count. The Counter class value is a counter. 1. count. The Counter class value is a counter.
2. peak. The Counter class value is a peak value. 2. peak. The Counter class value is a peak value.
3. average. The Counter class value is an average. 3. average. The Counter class value is an average.
4. ext-value. An escape value used to extend this attribute. 4. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
unit unit
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
These values are maintained in the "Counter-unit" IANA registry These values are maintained in the "Counter-unit" IANA registry
per Table 1. per Table 1.
skipping to change at page 68, line 20 skipping to change at page 72, line 43
7. message. Messages (e.g., mail messages). 7. message. Messages (e.g., mail messages).
8. event. Events. 8. event. Events.
9. host. Hosts. 9. host. Hosts.
10. site. Site. 10. site. Site.
11. organization. Organizations. 11. organization. Organizations.
12. ext-value. An escape value used to extend this attribute. 12. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-unit ext-unit
Optional. STRING. A means by which to extend the unit attribute. Optional. STRING. A means by which to extend the unit attribute.
See Section 5.1.1. See Section 5.1.1.
meaning meaning
Optional. STRING. A free-form description of the metric Optional. STRING. A free-form description of the metric
represented by the Counter. represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate. Optional. ENUM. If present, the Counter class represents a rate.
This attribute specifies unit of time over which the rate whose This attribute specifies unit of time over which the rate whose
units are specified in the unit attribute is being conveyed. This units are specified in the unit attribute is being conveyed. This
attribute is the the denominator of the rate (where the unit attribute is the the denominator of the rate (where the unit
attribute specified the nominator). The possible values of this attribute specified the nominator). The possible values of this
attribute are defined in Section 3.14.3 attribute are defined in Section 3.12.3
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
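Review bot: the duration description has a doubled "the" in "This attribute is the the denominator of the rate (where the unit attribute specified the nominator)"; it should read "specifies the numerator", "specifies unit of time" needs "the" before "unit", and the final sentence lacks a terminating period. The cross-reference moves from Section 3.14.3 to 3.12.3 and should be verified against the renumbered Duration enumeration. Since the element content is typed REAL (per the -16 text above), the text should also say whether negative or non-integer values are permitted when type is "count", so consumers know what to reject.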
3.21. DomainData Class 3.19. DomainData Class
The DomainData class describes a domain name and meta-data associated The DomainData class describes a domain name and meta-data associated
with this domain. with this domain.
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| ID observable-id |<>--{0..*}--[ RelatedDNS ] | ID observable-id |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ] | |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ] | |<>--{0..1}--[ DomainContacts ]
| |
+--------------------------+ +--------------------------+
Figure 37: The DomainData Class Figure 38: The DomainData Class
The aggregate classes that constitute DomainData are: The aggregate classes of the DomainData class are:
Name Name
One. STRING. The domain name of the Node (e.g., fully qualified One. STRING. The domain name of the Node (e.g., fully qualified
domain name). domain name).
DateDomainWasChecked DateDomainWasChecked
Zero or one. DATETIME. A timestamp of when the Name was Zero or one. DATETIME. A timestamp of when the Name was
resolved. resolved.
RegistrationDate RegistrationDate
Zero or one. DATETIME. A timestamp of when domain listed in Name Zero or one. DATETIME. A timestamp of when domain listed in Name
was registered. was registered.
ExpirationDate ExpirationDate
Zero or one. DATETIME. A timestamp of when the domain listed in Zero or one. DATETIME. A timestamp of when the domain listed in
Name is set to expire. Name is set to expire.
RelatedDNS RelatedDNS
Zero or more. Additional DNS records associated with this domain. Zero or more. EXTENSION. Additional DNS records associated with
this domain.
Nameservers Nameservers
Zero or more. The name servers identified for the domain listed Zero or more. The name servers identified for the domain listed
in Name. in Name. See Section 3.19.1.
DomainContacts DomainContacts
Zero or one. Contact information for the domain listed in Name Zero or one. Contact information for the domain listed in Name
supplied by the registrar or through a whois query. supplied by the registrar or through a whois query.
The DomainData class has five attribute: The attributes of the DomainData class are:
system-status system-status
Required. ENUM. Assesses the domain's involvement in the event. Required. ENUM. Assesses the domain's involvement in the event.
These values are maintained in the "DomainData-system-status" IANA These values are maintained in the "DomainData-system-status" IANA
registry per Table 1. registry per Table 1.
1. spoofed. This domain was spoofed. 1. spoofed. This domain was spoofed.
2. fraudulent. This domain was operated with fraudulent 2. fraudulent. This domain was operated with fraudulent
intentions. intentions.
3. innocent-hacked. This domain was compromised by a third 3. innocent-hacked. This domain was compromised by a third
party. party.
4. innocent-hijacked. This domain was deliberately hijacked. 4. innocent-hijacked. This domain was deliberately hijacked.
5. unknown. No categorization for this domain known. 5. unknown. No categorization for this domain known.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-system-status ext-system-status
Optional. STRING. A means by which to extend the system-status Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
domain-status domain-status
Required. ENUM. Categorizes the registry status of the domain at Required. ENUM. Categorizes the registry status of the domain at
the time the document was generated. These values and their the time the document was generated. These values and their
associated descriptions are derived from Section 3.2.2 of associated descriptions are derived from Section 3.2.2 of
[RFC3982]. These values are maintained in the "DomainData-domain- [RFC3982]. These values are maintained in the "DomainData-domain-
status" IANA registry per Table 1. status" IANA registry per Table 1.
1. reservedDelegation. The domain is permanently inactive. 1. reservedDelegation. The domain is permanently inactive.
2. assignedAndActive. The domain is in a normal state. 2. assignedAndActive. The domain is in a normal state.
3. assignedAndInactive. The domain has an assigned registration 3. assignedAndInactive. The domain has an assigned registration
but the delegation is inactive. but the delegation is inactive.
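Review bot: retyping RelatedDNS to EXTENSION ("Zero or more. EXTENSION. Additional DNS records associated with this domain.") leaves no stated place for the DNS record type, because the dedicated RelatedDNS class with its record-type attribute is dropped from the right column in 3.19. Add a sentence in the style of the EmailHeaderField text in 3.21, for example "the name attribute of each RelatedDNS element MUST be set to the DNS record type (e.g., MX, TXT)", so that a receiver can tell which record a value belongs to; otherwise the element is a free-form blob and any deployment that used record-type for filtering will lose that signal.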
skipping to change at page 71, line 10 skipping to change at page 75, line 32
7. registryLock. The domain is on hold by the registry. 7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock". 8. registrarLock. Same as "registryLock".
9. other. The domain has a known status but it is not one of 9. other. The domain has a known status but it is not one of
the redefined enumerated values. the redefined enumerated values.
10. unknown. The domain has an unknown status. 10. unknown. The domain has an unknown status.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-domain-status ext-domain-status
Optional. STRING. A means by which to extend the domain-status Optional. STRING. A means by which to extend the domain-status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.21.1. RelatedDNS 3.19.1. Nameservers Class
The RelatedDNS class describes additional record types associated
with a given domain name. The record type is described in the
record-type attribute and the value of the record is the element
content. ... TODO Issue #39 ...
+----------------------+
| RelatedDNS |
+----------------------+
| STRING |
| |
| ENUM record-type |
+----------------------+
Figure 38: The RelatedDNS Class
The RelatedDNS class has one attribute:
record-type
Required. ENUM. The DNS record type. ... TODO values need to be
listed ...
3.21.2. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the name servers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
+--------------------+ +--------------------+
Figure 39: The Nameservers Class Figure 39: The Nameservers Class
The aggregate classes that constitute Nameservers are: The aggregate classes of the Nameservers class are:
Server Server
One. STRING. The domain name of the name server. One. STRING. The domain name of the name server.
Address Address
One or more. The address of the name server. See Section 3.20.1. One or more. The address of the name server. The value of the
category attribute MUST be either "ipv4-addr" or "ipv6-addr". See
Section 3.18.1.
3.21.3. DomainContacts Class The Nameservers class has no attributes.
3.19.2. DomainContacts Class
The DomainContacts class describes the contact information for a The DomainContacts class describes the contact information for a
given domain provided either by the registrar or through a whois given domain provided either by the registrar or through a whois
query. query.
This contact information can be explicitly described through a This contact information can be explicitly described through a
Contact class or a reference can be provided to a domain with Contact class or a reference can be provided to a domain with
identical contact information. Either a single SameDomainContact identical contact information. Either a single SameDomainContact
MUST be present or one or many Contact classes. MUST be present or one or more Contact classes.
+--------------------+ +--------------------+
| DomainContacts | | DomainContacts |
+--------------------+ +--------------------+
| |<>--{0..1}--[ SameDomainContact ] | |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
+--------------------+ +--------------------+
Figure 40: The DomainContacts Class Figure 40: The DomainContacts Class
The aggregate classes that constitute DomainContacts are: The aggregate classes of the DomainContacts class are:
SameDomainContact SameDomainContact
Zero or one. STRING. A domain name already cited in this Zero or one. STRING. A domain name already cited in this
document or through previous exchange that contains the identical document or through previous exchange that contains the identical
contact information as the domain name in question. The domain contact information as the domain name in question. The domain
contact information associated with this domain should be used contact information associated with this domain should be used
instead of an explicit definition with the Contact class. instead of an explicit definition with the Contact class.
Contact Contact
One or more. Contact information for the domain. See One or more. Contact information for the domain. See
Section 3.10. Section 3.9.
3.22. Service Class The DomainContacts class has no attributes.
3.20. Service Class
The Service class describes a network service of a host or network. The Service class describes a network service of a host or network.
The service is identified by specific port or list of ports, along The service is identified by specific port or list of ports, along
with the application listening on that port. with the application listening on that port.
When Service occurs as an aggregate class of a System that is a When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
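Review bot: the DomainContacts text and figure disagree. The rewritten sentence says "Either a single SameDomainContact MUST be present or one or more Contact classes", but Figure 40 still shows Contact as {1..*}, which makes at least one Contact mandatory even when SameDomainContact is used. Change the figure (and the schema it mirrors) to {0..*} for Contact, or model the two alternatives as a choice, so the MUST can actually be validated. The new Nameservers rule that the Address category attribute MUST be "ipv4-addr" or "ipv6-addr" is a good tightening; it is worth expressing in the schema as well rather than only in prose.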
skipping to change at page 73, line 30 skipping to change at page 77, line 36
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ ServiceName ] | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Port ] | ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ] | |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 41: The Service Class Figure 41: The Service Class
The aggregate classes that constitute Service are: The aggregate classes of the Service class are:
ServiceName ServiceName
Zero or one. Identifies the the observed service. Zero or one. Identifies the the observed service.
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
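Review bot: Figure 41 lowers ApplicationHeader from {0..*} to {0..1}; this is consistent with the new ApplicationHeader aggregating {1..*} ApplicationHeaderField in Figure 43, but the schema must change in step or documents with several ApplicationHeader children will validate under one and fail under the other. Also, "Identifies the the observed service" under ServiceName carries a doubled "the" in both columns.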
skipping to change at page 74, line 14 skipping to change at page 78, line 20
ProtoType ProtoType
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific type field (e.g., ICMP type field). specific type field (e.g., ICMP type field).
ProtoField ProtoField
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific flag field (e.g., TCP flag field). specific flag field (e.g., TCP flag field).
ApplicationHeader ApplicationHeader
Zero or more. An application layer (layer 7) protocol header. Zero or one. A protocol header. See Section 3.20.2.
See Section 3.22.2.
EmailData EmailData
Zero or one. Headers associated with an email. See Section 3.24. Zero or one. Headers associated with an email. See Section 3.21.
Application Application
Zero or one. The application bound to the specified Port or Zero or one. SOFTWARE. The application bound to the specified
Portlist. See Section 3.22.3. Port or Portlist.
Either a Port or Portlist class MUST be specified for a given Either a Port or Portlist class MUST be specified for a given
instance of a Service class. instance of a Service class.
When a given System classes with category="source" and another with When a given System classes with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The Service class has two attributes: The attributes of the Service class are:
ip-protocol ip-protocol
Required. INTEGER. The IANA assigned IP protocol number per Required. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols]. [IANA.Protocols].
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
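Review bot: Application is retyped to SOFTWARE ("Zero or one. SOFTWARE. The application bound to the specified Port or Portlist.") while the Application, SoftwareReference and OperatingSystem class definitions are deleted from the right column below. The SOFTWARE data type is not shown on this page; make sure it is defined in the data types section and that it retains what SoftwareReference offered (spec-name with cpe and swid), since the ability to cite a CPE or SWID tag for an observed application is one of the more useful pieces of a Service description. Minor: in the Portlist correspondence paragraph, "the number of ports in N must be equal to M" uses a lowercase "must" next to two uppercase MUSTs; capitalize it if it is a requirement.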
3.22.1. ServiceName Class 3.20.1. ServiceName Class
The ServiceName class names an application protocol. It can be The ServiceName class names an application protocol. It can be
described by referencing an IANA registered protocol, a URL or with described by referencing an IANA registered protocol, a URL or with
free-form text. free-form text.
+--------------------+ +--------------------+
| ServiceName | | ServiceName |
+--------------------+ +--------------------+
| |<>--{0..1}--[ IANAService ] | |<>--{0..1}--[ IANAService ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
+--------------------+ +--------------------+
Figure 42: The ServiceName Class Figure 42: The ServiceName Class
The aggregate classes that constitute ServiceName: The aggregate classes of the ServiceName class are:
IANAService IANAService
Zero or one. The name of the service per the "Service Name" field Zero or one. STRING. The name of the service per the "Service
of the [IANA.Ports] registry. Name" field of the [IANA.Ports] registry.
URL URL
Zero or more. URL. A URL describing the service. Zero or more. URL. A URL describing the service.
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
service. service.
At least one of these classes MUST be present. At least one of these classes MUST be present.
The ServiceName class has no attributes. The ServiceName class has no attributes.
3.22.2. ApplicationHeader Class 3.20.2. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its fields from a protocol header and its corresponding value.
corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | |<>--{1..*}--[ ApplicationHeaderField ]
| |
| INTEGER proto |
| STRING proto-name |
| STRING field |
| ENUM dtype |
| STRING ext-dtype |
| ID observable-id |
+--------------------------+ +--------------------------+
Figure 43: The ApplicationHeader Class Figure 43: The ApplicationHeader Class
The ApplicationHeader class has six attributes: The aggregate class of the ApplicationHeader class is:
proto
Optional. INTEGER. The IANA assigned port number per the
"Protocol Number" field of the [IANA.Ports] registry corresponding
to the application layer protocol whose field will be represented.
proto-name
Optional. STRING. The IANA assigned service name per the
"Service Name" field of the the [IANA.Ports] registry
corresponding to the application layer protocol whose field will
be represented.
field
Required. STRING. The name of the protocol field whose value
will be found in the element body.
dtype
Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"ApplicationHeader-proto-dtype" IANA registry per Table 1.
1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE.
3. bytes. The element content is of type HEXBIN.
4. character. The element content is of type CHARACTER.
5. date-time. The element content is of type DATETIME.
6. integer. The element content is of type INTEGER.
7. portlist. The element content is of type PORTLIST.
8. real. The element content is of type REAL.
9. string. The element content is of type STRING.
10. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type.
11. path. The element content is a file-system path encoded as a
STRING type.
12. xml. The element content is XML. See Section 5.
13. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
observable-id
Optional. ID. See Section 3.3.2.
Either the proto or proto-name attribute MUST be set. If both are
set, they MUST correspond to the same entry in the registry.
3.22.3. Application Class
The Application class describes a software application. It can be
described by using formal reference, a URL or with free-form text.
+--------------------+
| Application |
+--------------------+
| |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
Figure 44: The Application Class
The aggregate classes that constitute Application:
SoftwareReference
Zero or one. Reference to a software application.
URL
Zero or more. URL. A URL associated with the application.
Description
Zero or more. ML_STRING. A free-form text description of this
application.
At least one of these classes MUST be present.
The Application class has no attributes.
3.22.4. SoftwareReference Class
The Application class describes a software application. It can be
described by using formal reference, a URL or with free-form text.
+----------------------+
| SoftwareReference |
+----------------------+
| ANY |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING enum-dtype |
+----------------------+
Figure 45: The SoftwareReference Class
The element body of this class varies according to the value of the
spec-name attribute.
The SoftwareReference class has four attributes:
spec-name
Required. ENUM. Identifies the format and semantics of the
element body of this class. Formal standards and specifications
can be referenced as well as free-form description with user-
provided data-types. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Table 1
1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry [fix me. reference].
3. swid. The element content describes a software identification
(SWID) tag per ISO/IEC 19770-2:2009 [fix me. reference].
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-spec-name
Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1.
dtype
Optional. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"SoftwareReference-dtype" IANA registry per Table 1.
1. bytes. The element content is of type HEXBIN.
2. integer. The element content is of type INTEGER.
3. real. The element content is of type REAL.
4. string. The element content is of type STRING.
5. xml. The element content is XML. See Section 5.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
3.23. OperatingSystem Class ApplicationHeaderField
One or more. EXTENSION. A field name and value in the header.
The 'name' attribute of the ApplicationHeader MUST be set with the
field name.
The OperatingSystem class describes the operating system running on a The ApplicationHeader class has no attributes.
System. The definition is identical to the Application class
(Section 3.22.3).
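Review bot: "The 'name' attribute of the ApplicationHeader MUST be set with the field name" contradicts "The ApplicationHeader class has no attributes" two lines later; the attribute belongs to the ApplicationHeaderField element (the EXTENSION), so this should read "The name attribute of each ApplicationHeaderField MUST be set to the field name." Separately, removing the proto and proto-name attributes means a generic ApplicationHeader no longer says which protocol's header it carries; if the intent is that this is implied by the enclosing Service (ip-protocol, Port, ServiceName), state that here so implementers do not invent their own convention.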
3.24. EmailData Class 3.21. EmailData Class
The EmailData class describes headers from an email message. Common The EmailData class describes headers from an email message. Common
headers have dedicated classes, but arbitrary headers can also be headers have dedicated classes, but arbitrary headers can also be
described. described.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailTo ]
| |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..*}--[ HashData ] | |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ] | |<>--{0..*}--[ SignatureData ]
+-------------------------+ +-------------------------+
Figure 46: EmailData Class Figure 44: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate classes of the EmailData class are:
EmailTo
Zero or one. EMAIL. The value of the "To:" header field
(Section 3.6.3 of [RFC5322]) in an email.
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. EMAIL. The value of the "From:" header field
See Section 3.6.2 of [RFC5322]. (Section 3.6.2 of [RFC5322]) in an email.
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. STRING. The value of the "Subject:" header field in
email. See Section 3.6.4 of [RFC5322]. an email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. STRING. The value of the "X-Mailer:" header field
email. in an email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. EXTENSION. The value of an arbitrary header field
See Section 3.22.2. The attributes of EmailHeaderField MUST be in the email. The attribute of EmailHeaderField MUST be set as
set as follows: proto="25" or proto-name="smtp", or both can be follows: name MUST be the the name of the SMTP header field; and
set; and dtype="string". The name of the email header field MUST dtype="string".
be set in the field attribute.
HashData HashData
Zero or One. Hash(es) associated with this email. Zero or One. Hash(es) associated with this email. See
Section 3.26.
SignatureData SignatureData
Zero or One. Signature(s) associated with this email. Zero or One. Signature(s) associated with this email. See
Section 3.27.
The EmailData class has one attribute: The attribute of the EmailData class is:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
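Review bot: EmailHeaderField is described as "Zero or one" but Figure 44 shows {0..*}, and HashData and SignatureData are "Zero or One" in the text while the figure shows {0..*}. A message routinely carries several arbitrary headers and can have more than one hash or signature, so the figure's {0..*} is presumably what is intended and the text should be aligned with it. Also "name MUST be the the name of the SMTP header field" has a doubled "the".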
3.25. Record Class 3.22. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------------+ +------------------------+
| Record | | Record |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 47: Record Class Figure 45: Record Class
The aggregate class that constitutes Record is: The aggregate classes of the Record class are:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type. See Section 3.22.1.
The Record class has two attributes: The attributes of the Record class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.25.1. RecordData Class 3.22.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+------------------------+ +------------------------+
| RecordData | | RecordData |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..1}--[ Application ] | ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ FileData ] | |<>--{0..*}--[ FileData ]
| |<>--{0..*}--[ CertificateData ] | |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}-- | |<>--{0..*}--
| | [ WindowsRegistryKeysModified ] | | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 48: The RecordData Class Figure 46: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes of the RecordData class are:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. DATETIME. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
Application Application
Zero or one. Information about the sensor used to generate the Zero or one. SOFTWARE. Information about the sensor used to
RecordItem data. generate the RecordItem data.
RecordPattern RecordPattern
Zero or more. A search string to precisely find the relevant data Zero or more. A search string to precisely find the relevant data
in a RecordItem. in a RecordItem. See Section 3.22.2.
RecordItem RecordItem
Zero or more. Log, audit, or forensic data. Zero or more. EXTENSION. Log, audit, or forensic data to support
the conclusions made during the course of analyzing the incident.
FileData FileData
Zero or one. The file name and hash of a file indicator. Zero or one. The file name and hash of a file indicator. See
Section 3.25.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s). See Section 3.23.
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. EXTENSION. An extension mechanism for data not
represented in the data model. explicitly represented in the data model.
The RecordData class has three attributes: The attributes of the RecordData class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
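Review bot: CertificateData appears in Figure 46 as {0..*} but is missing from the aggregate class list beneath it; add an entry with its cardinality and a section reference. FileData is "Zero or one" in the text but {0..*} in the figure. RecordItem becomes EXTENSION and the old 3.25.3 RecordItem text, which said the class "supports both the direct encapsulation of the data, as well as, provides primitives to reference data stored elsewhere", is dropped; if referencing external data is still supported through the EXTENSION type, say so here, since log and forensic data is often too large to embed in the document.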
3.25.2. RecordPattern Class 3.22.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

-                Figure 49: The RecordPattern Class
+                Figure 47: The RecordPattern Class

-   The specific pattern to search for within the RecordItem is defined
-   in the body of the element.  It is further annotated by six
-   attributes:
+   The content of the class, of type STRING, is the specific pattern to
+   search for within the RecordItem.
+
+   The attributes of the RecordPattern class are:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".  These values are
      maintained in the "RecordPattern-type" IANA registry per Table 1.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

-     4.  ext-value.  An escape value used to extend this attribute.
-         See Section 5.1.1.
+     4.  ext-value.  A value used to indicate that this attribute is
+         extended and the actual value is provided using the
+         corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Table 1.

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

-     3.  ext-value.  An escape value used to extend this attribute.
-         See Section 5.1.1.
+     3.  ext-value.  A value used to indicate that this attribute is
+         extended and the actual value is provided using the
+         corresponding ext-* attribute.  See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.
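   As an added illustration of how the offset, offsetunit and instance
   attributes govern a RecordPattern search (example code written for
   this page, not code from the draft or the MILE working group), the
   following Python applies a RecordPattern to the STRING content of a
   RecordItem.  The syslog-style lines are constructed for the example;
   Python's re module stands in for POSIX ERE (an assumption: patterns
   that depend on POSIX-only syntax may behave differently), the binary
   type is matched literally from its hex content, and xpath is not
   modelled.

```python
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RecordPattern:
    """The RecordPattern class of IODEF v2: element content plus its attributes."""
    pattern: str                     # element content (STRING)
    type: str = "regex"              # "regex" | "binary" ("xpath" not handled here)
    offset: int = 0                  # units to seek into the RecordItem before matching
    offsetunit: str = "line"         # "line" | "byte"
    instance: Optional[int] = None   # how many times to apply the pattern (None = unlimited)


def _seek(data: bytes, rp: RecordPattern) -> int:
    """Translate offset/offsetunit into a byte position within the RecordItem data."""
    if rp.offsetunit == "byte":
        return min(rp.offset, len(data))
    if rp.offsetunit == "line":
        pos = 0
        for _ in range(rp.offset):
            nl = data.find(b"\n", pos)
            if nl < 0:                 # fewer lines than the offset: seek past the end
                return len(data)
            pos = nl + 1
        return pos
    # ext-value would carry its real unit in ext-offsetunit; not modelled here
    raise ValueError(f"unsupported offsetunit {rp.offsetunit!r}")


def _compile(rp: RecordPattern) -> "re.Pattern[bytes]":
    """Turn the element content into a byte-oriented matcher for the given type."""
    if rp.type == "regex":
        # Python's re is used as an approximation of POSIX ERE (assumption)
        return re.compile(rp.pattern.encode("utf-8"))
    if rp.type == "binary":
        # HEXBIN content: hex digits describing raw bytes, matched literally
        return re.compile(re.escape(binascii.unhexlify(rp.pattern)))
    raise ValueError(f"unsupported RecordPattern type {rp.type!r}")


def apply_record_pattern(record_item: bytes, rp: RecordPattern) -> List[Tuple[int, bytes]]:
    """Return (absolute byte offset, matched bytes) for each hit, honouring
    offset/offsetunit (where to start) and instance (how many hits to report)."""
    start = _seek(record_item, rp)
    matcher = _compile(rp)
    hits: List[Tuple[int, bytes]] = []
    for m in matcher.finditer(record_item[start:]):
        hits.append((start + m.start(), m.group(0)))
        if rp.instance is not None and len(hits) >= rp.instance:
            break
    return hits


# Constructed sample RecordItem content (three syslog-style lines, not real data).
SAMPLE_LOG = (
    b"Jan 10 03:14:01 host sshd[411]: Accepted publickey for alice from 192.0.2.10\n"
    b"Jan 10 03:14:05 host sshd[412]: Failed password for root from 198.51.100.7\n"
    b"Jan 10 03:14:09 host sshd[413]: Failed password for root from 198.51.100.7\n"
)

if __name__ == "__main__":
    rp = RecordPattern(pattern=r"Failed password for root", offset=1, offsetunit="line")
    for pos, hit in apply_record_pattern(SAMPLE_LOG, rp):
        print(pos, hit.decode())
```

   A line offset past the last line yields no hits rather than an
   error, and instance caps the number of reported matches; both are
   the behaviours a consumer needs to agree on with the producer of the
   pattern.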
-3.25.3.  RecordItem Class
-
-   The RecordItem class provides a way to incorporate relevant logs,
-   audit trails, or forensic data to support the conclusions made during
-   the course of analyzing the incident.  The class supports both the
-   direct encapsulation of the data and provides primitives to reference
-   data stored elsewhere.
-
-   This class is identical to the AdditionalData class (Section 3.9).
-
-3.26.  WindowsRegistryKeysModified Class
+3.23.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

-          Figure 50: The WindowsRegistryKeysModified Class
+          Figure 48: The WindowsRegistryKeysModified Class

-   The aggregate class that constitutes the WindowsRegistryKeysModified
-   class is:
+   The aggregate class of the WindowsRegistryKeysModified class is:

   Key
-     One or more.  The Windows registry key.
+     One or more.  The Windows registry key.  See Section 3.23.1.

-   The WindowsRegistryKeysModified class has one attribute:
+   The attribute of the WindowsRegistryKeysModified class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.

-3.26.1.  Key Class
+3.23.1.  Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName  ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

-                     Figure 51: The Key Class
+                     Figure 49: The Key Class

-   The aggregate classes that constitute Key are:
+   The aggregate classes of the Key class are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].

-   The Key class has three attributes:
+   The attributes of the Key class are:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Table 1.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified for registry key.

-     7.  ext-value.  An escape value used to extend this attribute.
-         See Section 5.1.1.
+     7.  ext-value.  A value used to indicate that this attribute is
+         extended and the actual value is provided using the
+         corresponding ext-* attribute.  See Section 5.1.1.

   ext-registryaction
      Optional.  STRING.  A means by which to extend the registryaction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
-3.27.  CertificateData Class
+3.24.  CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
-  | ID observable-id       |<>--{1..*}--[ Certificate ]
-  | ENUM restriction       |
-  | STRING ext-restriction |
+  | ENUM restriction       |<>--{1..*}--[ Certificate ]
+  | STRING ext-restriction |
+  | ID observable-id       |
   +------------------------+

-              Figure 52: The CertificateData Class
+              Figure 50: The CertificateData Class

-   The aggregate class that constitutes CertificateData is:
+   The aggregate class of the CertificateData class is:

   Certificate
-     One or more.  A certificate.
+     One or more.  A certificate.  See Section 3.24.1.

-   The CertificateData class has three attributes:
-
-   observable-id
-      Optional.  ID.  See Section 3.3.2.
+   The attributes of the CertificateData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

-3.27.1.  Certificate Class
+   observable-id
+      Optional.  ID.  See Section 3.3.2.
+
+3.24.1.  Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ID observable-id         |<>----------[ ds:X509Data ]
   |                          |<>--{0..*}--[ Description ]
   +--------------------------+

-                 Figure 53: The Certificate Class
+                 Figure 51: The Certificate Class

-   The aggregate classes that constitute Certificate are:
+   The aggregate classes of the Certificate class are:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   Description
      Zero or more.  ML_STRING.  Free-form textual description
      explaining the context of this certificate.

-   The Certificate class has one attribute:
+   The attribute of the Certificate class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
-3.28.  FileData Class
+3.25.  FileData Class

   The FileData class describes files of interest identified during the
   analysis of an incident.

   +------------------------+
   | FileData               |
   +------------------------+
-  | ID observable-id       |<>--{1..*}--[ File ]
-  | ENUM restriction       |
-  | STRING ext-restriction |
+  | ENUM restriction       |<>--{1..*}--[ File ]
+  | STRING ext-restriction |
+  | ID observable-id       |
   +------------------------+

-                 Figure 54: The FileData Class
+                 Figure 52: The FileData Class

-   The aggregate class that constitutes FileData is:
+   The aggregate class of the FileData class is:

   File
-     One or more.  A description of a file.
+     One or more.  A description of a file.  See Section 3.25.1.

-   The FileData class has three attributes:
-
-   observable-id
-      Optional.  ID.  See Section 3.3.2.
+   The attributes of the FileData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

-3.28.1.  File Class
+   observable-id
+      Optional.  ID.  See Section 3.3.2.
+
+3.25.1.  File Class

   The File class describes a file and its associated metadata.

   +-----------------------+
   | File                  |
   +-----------------------+
   | ID observable-id      |<>--{0..1}--[ FileName           ]
   |                       |<>--{0..1}--[ FileSize           ]
   |                       |<>--{0..1}--[ FileType           ]
   |                       |<>--{0..*}--[ URL                ]
   |                       |<>--{0..1}--[ HashData           ]
   |                       |<>--{0..1}--[ SignatureData      ]
   |                       |<>--{0..1}--[ AssociatedSoftware ]
   |                       |<>--{0..*}--[ FileProperties     ]
   +-----------------------+

-                   Figure 55: The File Class
+                   Figure 53: The File Class

-   The aggregate classes that constitute File are:
+   The aggregate classes of the File class are:

   FileName
      Zero or one.  STRING.  The name of the file.

   FileSize
      Zero or one.  INTEGER.  The size of the file in bytes.

   FileType
      Zero or one.  STRING.  The type of file per the IANA Media Types
      Registry [IANA.Media].  Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
-     Zero or more.  A URL reference to the file.
+     Zero or more.  URL.  A URL reference to the file.

   HashData
-     Zero or one.  Hash(es) associated with this file.
+     Zero or one.  Hash(es) associated with this file.  See
+     Section 3.26.

   SignatureData
-     Zero or one.  Signature(s) associated with this file.
+     Zero or one.  Signature(s) associated with this file.  See
+     Section 3.27.

   AssociatedSoftware
-     Zero or one.  The software application or operating system to
-     which this file belongs.  See Section 3.22.3 for the definition.
+     Zero or one.  SOFTWARE.  The software application or operating
+     system to which this file belongs.

   FileProperties
-     Zero or more.  Mechanism by which to extend the data model to
-     describe properties of the file.  See Section 3.9.
+     Zero or more.  EXTENSION.  Mechanism by which to extend the data
+     model to describe properties of the file.

-   The File class has one attribute:
+   The attribute of the File class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
-3.29.  HashData Class
+3.26.  HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTarget ]
   |                          |<>--{0..*}--[ Hash       ]
   |                          |<>--{0..*}--[ FuzzyHash  ]
   +--------------------------+

-                  Figure 56: The HashData Class
+                  Figure 54: The HashData Class

-   The aggregate classes that constitute HashData are:
+   The aggregate classes of the HashData class are:

   HashTarget
-     Zero or one.  An identifier that references a subset of the
-     object per the @scope attribute.
+     Zero or one.  ML_STRING.  An identifier that references a subset
+     of the object per the @scope attribute.

   Hash
-     Zero or more.  The hash generated on the object.
+     Zero or more.  The hash generated on the object.  See
+     Section 3.26.1.

   FuzzyHash
-     Zero or more.  The fuzzy hash of the object.
+     Zero or more.  The fuzzy hash of the object.  See Section 3.26.2.

   A single instance of Hash or FuzzyHash MUST be present.

-   The HashData class has one attribute:
+   The attributes of the HashData class are:

   scope
      Required.  ENUM.  Describes the scope of the hash on a type of
      object.  These values are maintained in the "HashData-scope" IANA
      registry per Table 1.

      1.  file-contents.  A hash computed over the entire contents of a
          file.

      2.  file-pe-section.  A hash computed on a given section of a

   [... text unchanged between the two versions is not shown here
   (-15: page 90, line 42; -16: page 91, line 27) ...]

      6.  email-hash.  A hash computed over the headers and body of an
          email message.

      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.

      8.  email-body-hash.  A hash computed over the body of an email
          message.

-     9.  ext-value.  An escape value used to extend this attribute.
-         See Section 5.1.1.
+     9.  ext-value.  A value used to indicate that this attribute is
+         extended and the actual value is provided using the
+         corresponding ext-* attribute.  See Section 5.1.1.

   ext-scope
      Optional.  STRING.  A means by which to extend the scope
      attribute.  See Section 5.1.1.

-3.29.1.  Hash Class
+3.26.1.  Hash Class

   The Hash class describes a specific hash value, algorithm, and an
   application used to generate it.

   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod           ]
   |                |<>----------[ ds:DigestValue            ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application               ]
   +----------------+

-                    Figure 57: The Hash Class
+                    Figure 55: The Hash Class

-   The aggregate classes that constitute Hash are:
+   The aggregate classes of the Hash class are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one.  The canonicalization method used for the hash.  See
      Section 4.3.1 of [W3C.XMLSIG].

   Application
-     Zero or one.  The application used to calculate the hash.
+     Zero or one.  SOFTWARE.  The application used to calculate the
+     hash.

   The Hash class has no attributes.
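   To show how File, HashData and Hash nest in an actual document, here
   is an added Python example (written for this page; it is not the
   draft's own code or schema).  It builds a FileData fragment over a
   constructed file body, checks the constraints stated above (HashData
   needs its scope attribute and at least one Hash or FuzzyHash; Hash
   needs both ds:DigestMethod and ds:DigestValue), and re-verifies a
   candidate file against the shared digest, which is what a receiving
   team does with a file indicator.  The IODEF namespace URI is assumed
   for the example; the ds namespace is that of XML Signature and the
   SHA-256 algorithm identifier is the XML Encryption one.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"           # assumed namespace for this example
DS_NS = "http://www.w3.org/2000/09/xmldsig#"            # XML Signature namespace
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # DigestMethod identifier for SHA-256
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)


def q(tag: str, ns: str = IODEF_NS) -> str:
    """Clark-notation qualified name as ElementTree expects it."""
    return f"{{{ns}}}{tag}"


def build_filedata(name: str, content: bytes, media_type: str,
                   observable_id: Optional[str] = None) -> ET.Element:
    """Build FileData/File with FileName, FileSize, FileType and a SHA-256 HashData."""
    filedata = ET.Element(q("FileData"))
    f = ET.SubElement(filedata, q("File"))
    if observable_id:
        f.set("observable-id", observable_id)
    ET.SubElement(f, q("FileName")).text = name
    ET.SubElement(f, q("FileSize")).text = str(len(content))
    ET.SubElement(f, q("FileType")).text = media_type
    hashdata = ET.SubElement(f, q("HashData"), scope="file-contents")
    h = ET.SubElement(hashdata, q("Hash"))
    ET.SubElement(h, q("DigestMethod", DS_NS), Algorithm=SHA256_URI)
    digest = hashlib.sha256(content).digest()
    # ds:DigestValue carries the base64 encoding of the raw digest
    ET.SubElement(h, q("DigestValue", DS_NS)).text = base64.b64encode(digest).decode("ascii")
    return filedata


def check_hashdata(filedata: ET.Element) -> List[str]:
    """Return violations of the HashData/Hash rules (empty list means the fragment is fine)."""
    problems = []
    for hd in filedata.iter(q("HashData")):
        if hd.get("scope") is None:
            problems.append("HashData: required attribute scope is missing")
        if hd.find(q("Hash")) is None and hd.find(q("FuzzyHash")) is None:
            problems.append("HashData: at least one Hash or FuzzyHash MUST be present")
        for h in hd.findall(q("Hash")):
            if h.find(q("DigestMethod", DS_NS)) is None or h.find(q("DigestValue", DS_NS)) is None:
                problems.append("Hash: ds:DigestMethod and ds:DigestValue are both required")
    return problems


def matches_file(filedata: ET.Element, candidate: bytes) -> bool:
    """True if a file-contents SHA-256 Hash in the fragment equals the digest of candidate."""
    want = base64.b64encode(hashlib.sha256(candidate).digest()).decode("ascii")
    for hd in filedata.iter(q("HashData")):
        if hd.get("scope") != "file-contents":
            continue
        for h in hd.findall(q("Hash")):
            method = h.find(q("DigestMethod", DS_NS))
            value = h.find(q("DigestValue", DS_NS))
            if (method is not None and method.get("Algorithm") == SHA256_URI
                    and value is not None and (value.text or "").strip() == want):
                return True
    return False


def to_xml(filedata: ET.Element) -> str:
    return ET.tostring(filedata, encoding="unicode")


# Constructed sample; the body is not a real malware sample.
SAMPLE_NAME = "update-helper.exe"
SAMPLE_BODY = b"constructed sample bytes for the IODEF example"

if __name__ == "__main__":
    fd = build_filedata(SAMPLE_NAME, SAMPLE_BODY, "application/octet-stream", "obs-file-1")
    print(to_xml(fd))
    print("problems:", check_hashdata(fd))
```

   Comparing base64 strings after stripping whitespace matters in
   practice: ds:DigestValue content is often pretty-printed across lines
   by producers, and a byte-exact comparison would then miss a genuine
   match.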
-3.29.2.  FuzzyHash Class
+3.26.2.  FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash (in an extensible way) and
   the application used to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{0..*}--[ AdditionalData ]
   |                          |<>--{0..1}--[ Application    ]
   +--------------------------+

-                  Figure 58: The FuzzyHash Class
+                  Figure 56: The FuzzyHash Class

-   The aggregate classes that constitute FuzzyHash are:
+   The aggregate classes of the FuzzyHash class are:

   AdditionalData
-     Zero or more.  Mechanism by which to extend the data model.  See
-     Section 3.9.
+     Zero or more.  EXTENSION.  Mechanism by which to extend the data
+     model.

   Application
-     Zero or one.  The application used to calculate the hash.
+     Zero or one.  SOFTWARE.  The application used to calculate the
+     hash.

   The FuzzyHash class has no attributes.

-3.30.  SignatureData Class
+3.27.  SignatureData Class

   The SignatureData class describes different signatures on a given
   object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

-                Figure 59: The SignatureData Class
+                Figure 57: The SignatureData Class

-   The aggregate classes that constitute SignatureData are:
+   The aggregate class of the SignatureData class is:

   Signature
      One or more.  A given signature.  See Section 4.2 of
      [W3C.XMLSIG].

   The SignatureData class has no attributes.

-3.31.  IndicatorData Class
+3.28.  IndicatorData Class

   The IndicatorData class describes the indicators identified from
   analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

-                Figure 60: The IndicatorData Class
+                Figure 58: The IndicatorData Class

-   The aggregate class that constitutes IndicatorData is:
+   The aggregate class of the IndicatorData class is:

   Indicator
-     One or more.  An indicator from the incident.
+     One or more.  An indicator from the incident.  See Section 3.29.

   The IndicatorData class has no attributes.
-3.32.  Indicator Class
+3.29.  Indicator Class

   The Indicator class describes a cyber indicator.  An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and associated
   metadata.  This indicator can be described outright or reference
   observable features and phenomena described elsewhere in the
   incident information.  Portions of an incident description can be
   composed to define an indicator, as can the indicators themselves.

   +------------------------+

   [... text unchanged between the two versions is not shown here
   (-15: page 93, line 31; -16: page 94, line 21) ...]

   | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
   |                        |<>--{0..*}--[ Description            ]
   |                        |<>--{0..1}--[ StartTime              ]
   |                        |<>--{0..1}--[ EndTime                ]
   |                        |<>--{0..1}--[ Confidence             ]
   |                        |<>--{0..*}--[ Contact                ]
   |                        |<>--{0..1}--[ Observable             ]
   |                        |<>--{0..1}--[ ObservableReference    ]
   |                        |<>--{0..1}--[ IndicatorExpression    ]
   |                        |<>--{0..1}--[ IndicatorReference     ]
-  |                        |<>--{0..*}--[ NodeRole               ]
-  |                        |<>--{0..*}--[ AttackPhase            ]
   |                        |<>--{0..*}--[ AdditionalData         ]
   +------------------------+

-                  Figure 61: The Indicator Class
+                  Figure 59: The Indicator Class

-   The aggregate classes that constitute Indicator are:
+   The aggregate classes of the Indicator class are:

   IndicatorID
-     One.  An identifier for this indicator.  See Section 3.32.1.
+     One.  An identifier for this indicator.  See Section 3.29.1.

   AlternativeIndicatorID
      Zero or one.  An alternative identifier for this indicator.  See
-     Section 3.32.2.
+     Section 3.29.2.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      indicator.

   StartTime
      Zero or one.  DATETIME.  A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one.  DATETIME.  A timestamp of the end of the time period
      during which this indicator is valid.

   Confidence
      Zero or one.  An estimate of the confidence in the quality of the
-     indicator.  See Section 3.14.5.
+     indicator.  See Section 3.12.5.

   Contact
      Zero or more.  Contact information for this indicator.  See
-     Section 3.10.
+     Section 3.9.

   Observable
      Zero or one.  An observable feature or phenomenon of this
-     indicator.  See Section 3.32.3.
+     indicator.  See Section 3.29.3.

   ObservableReference
      Zero or one.  A reference to a feature or phenomenon defined
-     elsewhere in the document.  See Section 3.32.6.
+     elsewhere in the document.  See Section 3.29.6.

   IndicatorExpression
-     Zero or one.  A composition of observables.  See Section 3.32.4.
+     Zero or one.  A composition of observables.  See Section 3.29.4.

   IndicatorReference
-     Zero or one.  A reference to an indicator.
+     Zero or one.  A reference to an indicator.  See Section 3.29.7.

-   NodeRole
-     Zero or more.  An indication of the role a system to which this
-     indicator is matched might play in an attack.  See Section 3.18.2.
-
-   AttackPhase
-     Zero or more.  An indication of which phase in an attack lifecycle
-     this indicator might be seen.  See Section 3.29.8.

   AdditionalData
-     Zero or more.  Mechanism by which to extend the data model.  See
-     Section 3.9.
+     Zero or more.  EXTENSION.  Mechanism by which to extend the data
+     model.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid.  If both classes are present,
   the indicator is considered valid only during the described interval.
   If neither class is provided, the indicator is considered valid
   during any time interval.  If only a StartTime is provided, the
   indicator is valid at any time after this timestamp.  If only an
   EndTime is provided, the indicator is valid at any time prior to this
   timestamp.

-   The Indicator class has two attributes:
+   The attributes of the Indicator class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
-3.32.1.  IndicatorID Class
+3.29.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique
   identifier.  The combination of the name and version attributes, and
   the element content form this identifier.  Indicators generated by a
   given CSIRT MUST NOT reuse the same value unless they are referencing
   the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

-                Figure 62: The IndicatorID Class
+                Figure 60: The IndicatorID Class

-   The IndicatorID class has two attributes:
+   The content of the class is the identifier for an indicator, of type
+   ID.
+
+   The attributes of the IndicatorID class are:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the indicator.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.  This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required.  STRING.  A version number of an indicator.

-3.32.2.  AlternativeIndicatorID Class
+3.29.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for an
   indicator.

   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   | STRING ext-restriction  |
   +-------------------------+

-            Figure 63: The AlternativeIndicatorID Class
+            Figure 61: The AlternativeIndicatorID Class

-   The aggregate class that constitutes AlternativeIndicatorID is:
+   The aggregate class of the AlternativeIndicatorID class is:

   IndicatorReference
-     One or more.  A reference to an indicator.
+     One or more.  A reference to an indicator.  See Section 3.29.7.

-   The AlternativeIndicatorID class has two attributes:
+   The attributes of the AlternativeIndicatorID class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
-3.32.3.  Observable Class
+3.29.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address                     ]
   |                   |<>--{0..1}--[ DomainData                  ]
   |                   |<>--{0..1}--[ Service                     ]
   |                   |<>--{0..1}--[ EmailData                   ]
-  |                   |<>--{0..1}--[ ApplicationHeader           ]
+  |                   |<>--{0..1}--[ Service                     ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ FileData                    ]
   |                   |<>--{0..1}--[ CertificateData             ]
   |                   |<>--{0..1}--[ RegistryHandle              ]
   |                   |<>--{0..1}--[ RecordData                  ]
   |                   |<>--{0..1}--[ EventData                   ]
   |                   |<>--{0..1}--[ Incident                    ]
   |                   |<>--{0..*}--[ Expectation                 ]
   |                   |<>--{0..*}--[ Reference                   ]
   |                   |<>--{0..1}--[ Assessment                  ]
   |                   |<>--{0..1}--[ HistoryItem                 ]
   |                   |<>--{0..1}--[ BulkObservable              ]
   |                   |<>--{0..*}--[ AdditionalData              ]
   +-------------------+

-                 Figure 64: The Observable Class
+                 Figure 62: The Observable Class

-   The aggregate classes that constitute Observable are:
+   The aggregate classes of the Observable class are:

   Address
-     Zero or one.  An Address observable.  See Section 3.20.1.
+     Zero or one.  An Address observable.  See Section 3.18.1.

   DomainData
-     Zero or one.  A DomainData observable.  See Section 3.21.
+     Zero or one.  A DomainData observable.  See Section 3.19.

   Service
-     Zero or one.  A Service observable.  See Section 3.22.
+     Zero or one.  A Service observable.  See Section 3.20.

   EmailData
-     Zero or one.  An EmailData observable.  See Section 3.24.
+     Zero or one.  An EmailData observable.  See Section 3.21.

-   ApplicationHeader
-     Zero or one.  An ApplicationHeader observable.  See
-     Section 3.22.2.

   WindowsRegistryKeysModified
      Zero or one.  A WindowsRegistryKeysModified observable.  See
-     Section 3.26.
+     Section 3.23.

   FileData
-     Zero or one.  A FileData observable.  See Section 3.28.
+     Zero or one.  A FileData observable.  See Section 3.25.

   CertificateData
-     Zero or one.  A CertificateData observable.  See Section 3.27.
+     Zero or one.  A CertificateData observable.  See Section 3.24.

   RegistryHandle
-     Zero or one.  A RegistryHandle observable.  See Section 3.10.1.
+     Zero or one.  A RegistryHandle observable.  See Section 3.9.1.

   RecordData
-     Zero or one.  A RecordData observable.  See Section 3.25.1.
+     Zero or one.  A RecordData observable.  See Section 3.22.1.

   EventData
-     Zero or one.  An EventData observable.  See Section 3.16.
+     Zero or one.  An EventData observable.  See Section 3.14.

   Incident
      Zero or one.  An Incident observable.  See Section 3.2.

   Expectation
-     Zero or one.  An Expectation observable.  See Section 3.17.
+     Zero or one.  An Expectation observable.  See Section 3.15.

   Reference
-     Zero or one.  A Reference observable.  See Section 3.13.1.
+     Zero or one.  A Reference observable.  See Section 3.11.1.

   Assessment
-     Zero or one.  An Assessment observable.  See Section 3.14.
+     Zero or one.  An Assessment observable.  See Section 3.12.

   HistoryItem
-     Zero or one.  A HistoryItem observable.  See Section 3.15.1.
+     Zero or one.  A HistoryItem observable.  See Section 3.13.1.

   BulkObservable
-     Zero or one.  A bulk list of observables.  See Section 3.32.3.1.
+     Zero or one.  A bulk list of observables.  See Section 3.29.3.1.

   AdditionalData
-     Zero or more.  Mechanism by which to extend the data model.  See
-     Section 3.9.
+     Zero or more.  EXTENSION.  Mechanism by which to extend the data
+     model.

   The Observable class MUST have exactly one of the possible child
   classes.

   The Observable class has no attributes.
3.32.3.1. BulkObservable Class 3.29.3.1. BulkObservable Class
The BulkObservable class allows the bulk enumeration of single type The BulkObservable class allows the bulk enumeration of single type
of observables without requiring each one to be encoded individually of observables without requiring each one to be encoded individually
in multiple instances of the same class. The type attribute in multiple instances of the same class. The type attribute
describes the type observable listed in the child BulkObservableList describes the type observable listed in the child BulkObservableList
class. The BulkObservableFormat class optionally provides additional class. The BulkObservableFormat class optionally provides additional
meta-data. meta-data.
+---------------------------+ +---------------------------+
| BulkObservable | | BulkObservable |
+---------------------------+ +---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ] | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ] | STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 65: The BulkObservable Class Figure 63: The BulkObservable Class
The aggregate classes that constitutes BulkObservable are: The aggregate classes of the BulkObserable class are:
BulkObservableFormat BulkObservableFormat
Zero or one. Provides additional meta-data about the observables Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class. enumerated in the BulkObservableList class. See
Section 3.29.3.1.1.
BulkObservableList BulkObservableList
One. STRING. A list of observables, one per line. Each line is One. STRING. A list of observables, one per line. Each line is
separated with either a LF character or CR-and-LF characters. The separated with either a LF character or CR-and-LF characters. The
type attribute will specify the which observables will be listed. type attribute will specify the which observables will be listed.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. EXTENSION. Mechanism by which to extend the data
Section 3.9. model.
The BulkObservable class has two attributes: The attributes of the BulkObservable class are:
type type
Optional. ENUM. The type of the observable listed in the child Optional. ENUM. The type of the observable listed in the child
ObservableList class. These values are maintained in the ObservableList class. These values are maintained in the
"BulkObservable-type" IANA registry per Table 1. "BulkObservable-type" IANA registry per Table 1.
1. asn. Autonomous System Number (per the Address@category 1. asn. Autonomous System Number (per the Address@category
attribute). attribute).
2. atm. Asynchronous Transfer Mode (ATM) address (per the 2. atm. Asynchronous Transfer Mode (ATM) address (per the
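Review bot: Figure 62 in -16 now lists Service twice (the row that read `[ ApplicationHeader ]` in -15 now reads `[ Service ]`), while the aggregate-class list drops its ApplicationHeader entry entirely; either remove the duplicate figure row or keep ApplicationHeader in both the figure and the list so they agree. In the same figure the RegistryHandle row has a mismatched bracket, `{0..1]`, in both versions. The aggregate-class list also gives EventData twice (once before Incident and once after) although the figure has it once, and describes Expectation and Reference as "Zero or One" where the figure shows `{0..*}`. In the BulkObservable text, "BulkObserable" (new column) is misspelled, "specify the which observables" should read "specify which observables", and the type attribute refers to a "child ObservableList class" that should be BulkObservableList.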
skipping to change at page 100, line 31 skipping to change at page 102, line 8
192.0.2.1, 80, tcp). The protocol name corresponds to the 192.0.2.1, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry. "Keyword" column in the [IANA.Protocols] registry.
19. ipv6-port. An IPv6 address, port and protocol tuple (e.g., 19. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
2001:DB8::3, 80, tcp). The protocol name corresponds to the 2001:DB8::3, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry. "Keyword" column in the [IANA.Protocols] registry.
20. windows-reg-key. A Microsoft Windows Registry key. 20. windows-reg-key. A Microsoft Windows Registry key.
21. file-hash. A file hash. The format of this hash is 21. file-hash. A file hash. The format of this hash is
described in the Hashclass that MUST be present in a sibling described in the Hash class that MUST be present in a sibling
BulkObservableFormat class. BulkObservableFormat class.
22. email-x-mailer. An X-Mailer field from an email. 22. email-x-mailer. An X-Mailer field from an email.
23. email-subject. An email subject line. 23. email-subject. An email subject line.
24. http-user-agent. A User Agent field from an HTTP request 24. http-user-agent. A User Agent field from an HTTP request
header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
Gecko/20100101 Firefox/38.0"). Gecko/20100101 Firefox/38.0").
25. http-request-uri. The Request URI from an HTTP request 25. http-request-uri. The Request URI from an HTTP request
header. header.
26. mutex. The name of a system mutex. 26. mutex. The name of a system mutex.
27. file-path. A file path (e.g., "/tmp/local/file", 27. file-path. A file path (e.g., "/tmp/local/file",
"c:\windows\system32\file.sys") "c:\windows\system32\file.sys")
28. user-name. A username. 28. user-name. A username.
29. ext-value. An escape value used to extend this attribute. 29. ext-value. A value used to indicate that this attribute is
See Section 5.1.1. extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
3.32.3.1.1. BulkObservableFormat Class 3.29.3.1.1. BulkObservableFormat Class
The ObservableFormat class specifies meta-data about the format of an The ObservableFormat class specifies meta-data about the format of an
observable enumerated in a sibling BulkObservableList class. observable enumerated in a sibling BulkObservableList class.
+---------------------------+ +---------------------------+
| BulkObservableFormat | | BulkObservableFormat |
+---------------------------+ +---------------------------+
| |<>--{0..1}--[ Hash ] | |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 66: The BulkObservableFormat Class Figure 64: The BulkObservableFormat Class
The aggregate classes that constitutes BulkObservableFormat are: The aggregate classes of the BulkObservableFormat class are:
Hash Hash
Zero or one. Describes the format of a hash. Zero or one. Describes the format of a hash. See Section 3.26.1.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. EXTENSION. Mechanism by which to extend the data
Section 3.9. model.
The BulkObservableFormat class has no attributes. The BulkObservableFormat class has no attributes.
Either Hash or AdditionalData MUST be present. Either Hash or AdditionalData MUST be present.
3.32.4. IndicatorExpression Class 3.29.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed The IndicatorExpression describes an expression composed of observed
phenomenon or features, or indicators. Elements of the expression phenomenon or features, or indicators. Elements of the expression
can be described directly, reference relevant data from other parts can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined of a given IODEF document, or reference previously defined
indicators. indicators.
All child classes of a given instance of IndicatorExpression form a All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is boolean algebraic expression where the operator between them is
determined by the operator attribute. determined by the operator attribute.
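Review bot: The BulkObservableFormat section opens with "The ObservableFormat class specifies", which should read "The BulkObservableFormat class" to match the heading and Figure 64. In the IndicatorExpression introduction, "observed phenomenon or features" should use the plural "phenomena".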
skipping to change at page 102, line 15 skipping to change at page 103, line 38
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 67: The IndicatorExpression Class Figure 65: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes of the IndicatorExpression class are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators. See Section 3.29.4.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable. See
Section 3.29.3.
ObservableReference ObservableReference
Zero or more. A reference to another observable. Zero or more. A reference to another observable. See
Section 3.29.6.
IndicatorReference IndicatorReference
Zero or more. A reference to another indicator. Zero or more. A reference to another indicator. See
Section 3.29.7.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. EXTENSION. Mechanism by which to extend the data
Section 3.9 model.
The IndicatorExpression class has one attribute: The attribute of the IndicatorExpression class is:
operator operator
Optional. ENUM. The operator to be applied between the child Optional. ENUM. The operator to be applied between the child
elements. The default value is "and". These values are elements. The default value is "and". These values are
maintained in the "IndicatorExpression-operator" IANA registry per maintained in the "IndicatorExpression-operator" IANA registry per
Table 1. Table 1.
1. not. negation operator. 1. not. negation operator.
2. and. conjunction operator. 2. and. conjunction operator.
3. or. disjunction operator. 3. or. disjunction operator.
4. xor. exclusive disjunction operator. 4. xor. exclusive disjunction operator.
3.32.5. Expressions with IndicatorExpression 3.29.5. Expressions with IndicatorExpression
Boolean algebraic expressions can be used specify relationships Boolean algebraic expressions can be used specify relationships
between observables and indicator. These expressions are constructed between observables and indicator. These expressions are constructed
through the use of the operator attribute and parent-child through the use of the operator attribute and parent-child
relationships in IndicatorExpressions. These expressions should be relationships in IndicatorExpressions. These expressions should be
parsed as follows: parsed as follows:
1. The operator specified by the operator attribute is applied 1. The operator specified by the operator attribute is applied
between each of the child elements of the immediate parent between each of the child elements of the immediate parent
IndicatorExpression element. If no operator attribute is IndicatorExpression element. If no operator attribute is
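Review bot: The operator registry includes "not", but the first parsing rule says the operator is applied "between each of the child elements", which only defines binary operators; the text should state how an IndicatorExpression with operator="not" and more than one child is interpreted (negate each child, negate the conjunction, or restrict "not" to a single child), otherwise implementations will evaluate the same expression differently. Also in 3.29.5, "can be used specify relationships between observables and indicator" should read "can be used to specify relationships between observables and indicators".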
skipping to change at page 103, line 31 skipping to change at page 105, line 12
The following four examples illustrate these parsing rules: The following four examples illustrate these parsing rules:
1 : <IndicatorExpression> 1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable> 2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable> 3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
Equivalent expression: (O1 AND O2) Equivalent expression: (O1 AND O2)
Figure 68: Nested elements in an IndicatorExpression without an Figure 66: Nested elements in an IndicatorExpression without an
operator attribute specified operator attribute specified
1 : <IndicatorExpression operator="or"> 1 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable> 2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable> 3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
Equivalent expression: (O1 OR O2) Equivalent expression: (O1 OR O2)
Figure 69: Nested elements in an IndicatorExpression with an operator Figure 67: Nested elements in an IndicatorExpression with an operator
attribute specified attribute specified
1 : <IndicatorExpression operator="or"> 1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression operator="or"> 2 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable> 2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable> 3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
2 [O3]: <Observable>..</Observable> 2 [O3]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
Equivalent expression: ((O1 OR O2) OR O3) Equivalent expression: ((O1 OR O2) OR O3)
Figure 70: Nested elements with a recursive IndicatorExpression with Figure 68: Nested elements with a recursive IndicatorExpression with
an operator attribute specified an operator attribute specified