Diff of draft-ietf-mile-rfc5070-bis-16.txt against draft-ietf-mile-rfc5070-bis-17.txt

Where the two versions differ, the text is given under the labels [draft-16] and [draft-17], or the -17 wording is given inline as [-17: ...]; text without a label is identical in both versions.

MILE Working Group                                              R. Danyliw
Internet-Draft                                                        CERT
Obsoletes: 5070 (if approved)       February 1, 2016 [-17: March 20, 2016]
Intended status: Standards Track
Expires: August 4, 2016 [-17: September 21, 2016]

              The Incident Object Description Exchange Format v2
       draft-ietf-mile-rfc5070-bis-16 [-17: draft-ietf-mile-rfc5070-bis-17]
Abstract

[draft-16]
The Incident Object Description Exchange Format (IODEF) defines a data representation for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.

[draft-17]
The Incident Object Description Exchange Format (IODEF) defines a data representation for security incident reports and cyber indicators commonly exchanged by operational security teams for mitigation and watch and warning. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 4, 2016 [-17: September 21, 2016].

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents

[draft-16]
1. Introduction . . . . 4
1.1. Changes from 5070 . . . . 6
1.2. Terminology . . . . 7
1.3. Notations . . . . 7
1.4. About the IODEF Data Model . . . . 8
1.5. About the IODEF Implementation . . . . 8
2. IODEF Data Types . . . . 9
2.1. Integers . . . . 9
2.2. Real Numbers . . . . 9
2.3. Characters and Strings . . . . 9
2.4. Multilingual Strings . . . . 9
2.5. Bytes . . . . 10
2.6. Hexadecimal Bytes . . . . 11
2.7. Enumerated Types . . . . 11
2.8. Date-Time String . . . . 11
2.9. Timezone String . . . . 11
2.10. Port Lists . . . . 11
2.11. Postal Address . . . . 12
2.12. Telephone and Fax Numbers . . . . 12
2.13. Email String . . . . 12
2.14. Uniform Resource Locator strings . . . . 12
2.15. Identifiers and Identifier References . . . . 12
2.16. Software . . . . 13
2.16.1. SoftwareReference Class . . . . 13
2.17. Extension . . . . 15
3. The IODEF Data Model . . . . 18
3.1. IODEF-Document Class . . . . 18
3.2. Incident Class . . . . 19
3.3. Common Attributes . . . . 23
3.3.1. restriction Attribute . . . . 23
3.3.2. observable-id Attribute . . . . 24
3.4. IncidentID Class . . . . 25
3.5. AlternativeID Class . . . . 26
3.6. RelatedActivity Class . . . . 26
3.7. ThreatActor Class . . . . 28
3.8. Campaign Class . . . . 29
3.9. Contact Class . . . . 29
3.9.1. RegistryHandle Class . . . . 33
3.9.2. PostalAddress Class . . . . 34
3.9.3. Email Class . . . . 35
3.9.4. Telephone Class . . . . 36
3.10. Discovery Class . . . . 37
3.10.1. DetectionPattern Class . . . . 39
3.11. Method Class . . . . 40
3.11.1. Reference Class . . . . 41
3.12. Assessment Class . . . . 42
3.12.1. SystemImpact Class . . . . 44
3.12.2. BusinessImpact Class . . . . 46
3.12.3. TimeImpact Class . . . . 48
3.12.4. MonetaryImpact Class . . . . 50
3.12.5. Confidence Class . . . . 51
3.13. History Class . . . . 52
3.13.1. HistoryItem Class . . . . 53
3.14. EventData Class . . . . 55
3.14.1. Relating the Incident and EventData Classes . . . . 57
3.14.2. Cardinality of EventData . . . . 57
3.15. Expectation Class . . . . 58
3.16. Flow Class . . . . 61
3.17. System Class . . . . 62
3.18. Node Class . . . . 65
3.18.1. Address Class . . . . 66
3.18.2. NodeRole Class . . . . 68
3.18.3. Counter Class . . . . 71
3.19. DomainData Class . . . . 73
3.19.1. Nameservers Class . . . . 75
3.19.2. DomainContacts Class . . . . 76
3.20. Service Class . . . . 77
3.20.1. ServiceName Class . . . . 79
3.20.2. ApplicationHeader Class . . . . 79
3.21. EmailData Class . . . . 80
3.22. Record Class . . . . 81
3.22.1. RecordData Class . . . . 82
3.22.2. RecordPattern Class . . . . 83
3.23. WindowsRegistryKeysModified Class . . . . 85
3.23.1. Key Class . . . . 85
3.24. CertificateData Class . . . . 86
3.24.1. Certificate Class . . . . 87
3.25. FileData Class . . . . 87
3.25.1. File Class . . . . 88
3.26. HashData Class . . . . 89
3.26.1. Hash Class . . . . 91
3.26.2. FuzzyHash Class . . . . 92
3.27. SignatureData Class . . . . 93
3.28. IndicatorData Class . . . . 93
3.29. Indicator Class . . . . 93
3.29.1. IndicatorID Class . . . . 96
3.29.2. AlternativeIndicatorID Class . . . . 96
3.29.3. Observable Class . . . . 97
3.29.4. IndicatorExpression Class . . . . 103
3.29.5. Expressions with IndicatorExpression . . . . 104
3.29.6. ObservableReference Class . . . . 106
3.29.7. IndicatorReference Class . . . . 106
3.29.8. AttackPhase Class . . . . 107
4. Processing Considerations . . . . 108
4.1. Encoding . . . . 108
4.2. IODEF Namespace . . . . 108
4.3. Validation . . . . 109
4.4. Incompatibilities with v1 . . . . 109
5. Extending the IODEF . . . . 110
5.1. Extending the Enumerated Values of Attributes . . . . 110
5.1.1. Private Extension of Enumerated Values . . . . 110
5.1.2. Public Extension of Enumerated Values . . . . 111
5.2. Extending Classes . . . . 111
5.3. Deconflicting Private Extensions . . . . 113
6. Internationalization Issues . . . . 114
7. Examples . . . . 115
7.1. Minimal Example . . . . 115
7.2. Indicators from a Campaign . . . . 116
7.3. Incident Report . . . . 117
8. The IODEF Schema . . . . 117
9. Security Considerations . . . . 156
10. IANA Considerations . . . . 157
10.1. Namespace and Schema . . . . 157
10.2. Enumerated Value Registries . . . . 157
11. Acknowledgments . . . . 160
12. References . . . . 160
12.1. Normative References . . . . 160
12.2. Informative References . . . . 162
Author's Address . . . . 163

[draft-17]
1. Introduction . . . . 4
1.1. Terminology . . . . 6
1.2. Notations . . . . 6
1.3. About the IODEF Data Model . . . . 6
2. IODEF Data Types . . . . 7
2.1. Integers . . . . 7
2.2. Real Numbers . . . . 7
2.3. Characters and Strings . . . . 7
2.4. Multilingual Strings . . . . 7
2.5. Binary Strings . . . . 8
2.5.1. Base64 Bytes . . . . 8
2.5.2. Hexadecimal Bytes . . . . 9
2.6. Enumerated Types . . . . 9
2.7. Date-Time String . . . . 9
2.8. Timezone String . . . . 9
2.9. Port Lists . . . . 9
2.10. Postal Address . . . . 10
2.11. Telephone Number . . . . 10
2.12. Email String . . . . 10
2.13. Uniform Resource Locator strings . . . . 10
2.14. Identifiers and Identifier References . . . . 10
2.15. Software . . . . 11
2.15.1. SoftwareReference Class . . . . 11
2.16. Extension . . . . 13
3. The IODEF Information Model . . . . 16
3.1. IODEF-Document Class . . . . 16
3.2. Incident Class . . . . 17
3.3. Common Attributes . . . . 21
3.3.1. restriction Attribute . . . . 21
3.3.2. observable-id Attribute . . . . 22
3.4. IncidentID Class . . . . 23
3.5. AlternativeID Class . . . . 24
3.6. RelatedActivity Class . . . . 24
3.7. ThreatActor Class . . . . 26
3.8. Campaign Class . . . . 27
3.9. Contact Class . . . . 28
3.9.1. RegistryHandle Class . . . . 31
3.9.2. PostalAddress Class . . . . 32
3.9.3. Email Class . . . . 33
3.9.4. Telephone Class . . . . 34
3.10. Discovery Class . . . . 35
3.10.1. DetectionPattern Class . . . . 37
3.11. Method Class . . . . 38
3.11.1. Reference Class . . . . 39
3.12. Assessment Class . . . . 40
3.12.1. SystemImpact Class . . . . 42
3.12.2. BusinessImpact Class . . . . 44
3.12.3. TimeImpact Class . . . . 46
3.12.4. MonetaryImpact Class . . . . 48
3.12.5. Confidence Class . . . . 49
3.13. History Class . . . . 50
3.13.1. HistoryItem Class . . . . 51
3.14. EventData Class . . . . 53
3.14.1. Relating the Incident and EventData Classes . . . . 55
3.14.2. Recursive Definition of EventData . . . . 55
3.15. Expectation Class . . . . 56
3.16. Flow Class . . . . 59
3.17. System Class . . . . 60
3.18. Node Class . . . . 63
3.18.1. Address Class . . . . 64
3.18.2. NodeRole Class . . . . 65
3.18.3. Counter Class . . . . 68
3.19. DomainData Class . . . . 71
3.19.1. Nameservers Class . . . . 73
3.19.2. DomainContacts Class . . . . 74
3.20. Service Class . . . . 74
3.20.1. ServiceName Class . . . . 76
3.20.2. ApplicationHeader Class . . . . 77
3.21. EmailData Class . . . . 77
3.22. Record Class . . . . 79
3.22.1. RecordData Class . . . . 80
3.22.2. RecordPattern Class . . . . 81
3.23. WindowsRegistryKeysModified Class . . . . 83
3.23.1. Key Class . . . . 84
3.24. CertificateData Class . . . . 85
3.24.1. Certificate Class . . . . 85
3.25. FileData Class . . . . 86
3.25.1. File Class . . . . 87
3.26. HashData Class . . . . 88
3.26.1. Hash Class . . . . 90
3.26.2. FuzzyHash Class . . . . 90
3.27. SignatureData Class . . . . 91
3.28. IndicatorData Class . . . . 92
3.29. Indicator Class . . . . 92
3.29.1. IndicatorID Class . . . . 95
3.29.2. AlternativeIndicatorID Class . . . . 95
3.29.3. Observable Class . . . . 96
3.29.4. IndicatorExpression Class . . . . 102
3.29.5. Expressions with IndicatorExpression . . . . 103
3.29.6. ObservableReference Class . . . . 105
3.29.7. IndicatorReference Class . . . . 105
3.29.8. AttackPhase Class . . . . 106
4. Processing Considerations . . . . 107
4.1. Encoding . . . . 107
4.2. IODEF Namespace . . . . 107
4.3. Validation . . . . 108
4.4. Incompatibilities with v1 . . . . 108
5. Extending the IODEF . . . . 109
5.1. Extending the Enumerated Values of Attributes . . . . 109
5.1.1. Private Extension of Enumerated Values . . . . 109
5.1.2. Public Extension of Enumerated Values . . . . 110
5.2. Extending Classes . . . . 110
5.3. Deconflicting Private Extensions . . . . 112
6. Internationalization Issues . . . . 113
7. Examples . . . . 114
7.1. Minimal Example . . . . 114
7.2. Indicators from a Campaign . . . . 115
8. The IODEF Data Model (XML Schema) . . . . 116
9. Security Considerations . . . . 155
10. IANA Considerations . . . . 156
10.1. Namespace and Schema . . . . 156
10.2. Enumerated Value Registries . . . . 156
11. Acknowledgments . . . . 159
12. References . . . . 159
12.1. Normative References . . . . 159
12.2. Informative References . . . . 161
Author's Address . . . . 162
1. Introduction

Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a bot-network [-17: botnet], or sharing watch-lists of known malicious IP addresses [-17: indicators] in a consortium.

The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying:

o cyber intelligence to characterize threats;

o cyber incident reports to document particular cyber security events or relationships between events;

o [draft-16] cyber event mitigation to request proactive and reactive mitigation approaches to cyber intelligence or incidents; and
  [draft-17] cyber event mitigation activity to proactively and reactively mitigate activity; and

o [draft-16] cyber information sharing meta-data so that these various classes of information can be exchanged among parties.
  [draft-17] meta-data so that these various classes of information can be exchanged among parties.

[draft-16]
The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow.

The overriding purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Community adoption of the IODEF provides an improved ability to resolve incidents and convey situational awareness by simplifying collaboration and data sharing. This structured format provided by the IODEF allows for:

o increased automation in processing of incident data, since the resources of security analysts to parse free-form textual documents will be reduced;

o decreased effort in normalizing similar data (even when highly structured) from different sources; and

o a common format on which to build interoperable tools for incident handling and subsequent analysis, specifically when data comes from multiple constituencies.

Coordinating with other CSIRTs is not strictly a technical problem. There are numerous procedural, trust, and legal considerations that might prevent an organization from sharing information. The IODEF does not attempt to address them. However, operational implementations of the IODEF will need to consider this broader context.

Sections 3 and 8 specify the IODEF data model with text and an XML schema. The types used by the data model are covered in Section 2. Processing considerations, the handling of extensions, and internationalization issues related to the data model are covered in Sections 4, 5, and 6, respectively. Examples are listed in Section 7. Section 1 provides the background for the IODEF, and Section 9 documents the security considerations.

1.1. Changes from 5070

This document contains changes with respect to its predecessor RFC5070.

o All of the RFC5070 errata were implemented.

o Imported the xmlns:ds namespace to include digital signature hash classes.

o The following class was added to IODEF-Document: AdditionalData.

o The following class and attribute were added to Incident: IndicatorData and @status.

o The following classes were added to Incident and EventData: GenerationTime and Discovery.

o The following classes and attributes were added to the Service class: EmailData, DomainData, AssetID, ApplicationHeader, @virtual, and @ownership. Service@ip_protocol was renamed to @ip-protocol.

o The following classes were added to the Record class: HashData and WindowsRegistryKeysModified.

o The following classes were added to the RelatedActivity class: ThreatActor, Campaign, Confidence, Description, and AdditionalData.

o The following classes were added to Assessment: IncidentCategory, SystemImpact, BusinessImpact, IntendedImpact, and MitigatingFactor.

o The following classes were added to Node: PostalAddress and DomainData. The following classes were removed from Node: NodeName and DateTime.

o The following class was added to the Contact class: ContactTitle.

o The following class was added to Expectation and HistoryItem: DefinedCOA.

o The following class was added to Service: ServiceName.

o The following class was added to Reference: ReferenceName (replaced Name).

o The following attributes were added to Counter: type and unit.

o Additional enumerated values were added to the following attributes: @restriction, {Expectation, HistoryItem}@action, NodeRole@category, Incident@purpose, Contact@role, AdditionalData@dtype, System@spoofed.

o Added an option for public extension of enumerated attributes with an IANA registry and added @ext-restriction.

o Removed the Impact class in favor of using SystemImpact and IncidentCategory.

o iodef:MLStringType uses xml:lang and @translation-id.

o Incident/ReportTime and Assessment are no longer mandatory.

o Incident/GenerationTime is mandatory.

[draft-17]
The purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT to resolve security incidents; understand cyber threats; and coordinate response activities and proactive mitigations by simplifying collaboration and data sharing with its partners. This structured format provided by the IODEF allows for:

o machine-to-machine exchange of incident and cyber intelligence data;

o automated processing of this data, thereby allowing more rapid execution of appropriate courses of action; and

o the development of an ecosystem of interoperable tools enabling security operations.

Sharing and coordinating with other organizations is not strictly a technical problem. There are numerous procedural, cultural, legal, and trust-related barriers to overcome. The IODEF does not attempt to address them directly. However, operational implementations of the IODEF will need to consider these challenges.

Section 1 provides the background for the IODEF. Sections 3 and 8 specify the IODEF information and data model, respectively. The data types used in this document are described in Section 2. Processing considerations, extending the specification, internationalization, and security issues are covered in Sections 4, 5, 6, and 9, respectively. Examples are listed in Section 7.
1.2. Terminology [-17: 1.1. Terminology]

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

[draft-16]
Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [refs.requirements].

1.3. Notations [-17: 1.2. Notations]

[draft-16]
The normative IODEF data model is specified with the text in Section 3 and the XML schema in Section 8. To help in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.

For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to specific elements and attributes of the IODEF schema. The terms "class" and "element" will be used interchangeably to reference either the corresponding data element in the information or data models, respectively.

[draft-17]
The IODEF is specified as an Extensible Markup Language (XML) [W3C.XML] Schema [W3C.SCHEMA]. The normative IODEF data model is found in the XML schema in Section 8. To aid in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.

For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to an XML document conforming to the IODEF specification. The term "schema" will be used to refer to Section 8 of this document. The terms "data model" and "schema" will be used interchangeably. The terms "class" and "element" will be used to reference either the corresponding data element in the UML-based information or XML Schema-based data models, respectively.

1.4. About the IODEF Data Model [-17: 1.3. About the IODEF Data Model]

[draft-16]
The IODEF data model is a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents. A number of considerations were made in the design of the data model.

o The data model serves as a transport format. Therefore, its specific representation is not the optimal representation for on-disk storage, long-term archiving, or in-memory processing.

o As there is no precise, widely agreed upon definition for an incident, the data model does not attempt to dictate one through its implementation. Rather, a broad understanding is assumed in the IODEF that is flexible enough to encompass most operators.

o Describing an incident for all definitions would require an extremely complex data model. Therefore, the IODEF only intends to be a framework to convey commonly exchanged incident information. It ensures that there are ample mechanisms for extensibility to support organization-specific information, and techniques to reference information kept outside of the explicit data model.

o The domain of security analysis is not fully standardized and must rely on free-form textual descriptions. The IODEF attempts to strike a balance between supporting this free-form content, while still allowing automated processing of incident information.

o The IODEF is only one of several security-relevant data representations being standardized. Attempts were made to ensure they were complementary. The data model of the Intrusion Detection Message Exchange Format [RFC4765] influenced the design of the IODEF.

Further discussion of the desirable properties for the IODEF can be found in the Requirements for the Format for Incident Information Exchange (FINE) [refs.requirements].

1.5. About the IODEF Implementation

The IODEF implementation is specified as an Extensible Markup Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

Implementing the IODEF in XML provides numerous advantages. Its extensibility makes it ideal for specifying a data encoding framework that supports various character encodings. Likewise, the abundance of related technologies (e.g., XSL, XPath, XML-Signature) makes for simplified manipulation. However, XML is fundamentally a text representation, which makes it inherently inefficient when binary data must be embedded or large volumes of data must be exchanged.

[draft-17]
A number of considerations were made in the design of the IODEF data model.

o The data model found in this document is an evolution of the one previously specified in [RFC5070]. New fields were added to represent additional information. [RFC5070] was developed primarily to represent incident reports. This document builds upon it by adding support for cyber indicators and revising it to reflect the current challenges faced by CSIRTs. An attempt was made to preserve backward compatibility, but this was not possible in all cases. See Section 4.4.

o The IODEF is a transport format. Therefore, the data model may not be the optimal archival or in-memory processing format.

o The IODEF is intended to be a framework to convey only commonly exchanged information. It ensures that there are mechanisms for extensibility to support organization-specific information and techniques to reference information kept outside of the data model.

o Not all commonly exchanged information has a well-defined format or taxonomy. The IODEF attempts to strike a balance between enforcing sufficient structure to allow automated processing and supporting free-form content that enables maximum flexibility.

o The IODEF fits into a broader ecosystem of standards and conventions. An attempt was made to harmonize the data model with this context.
2. IODEF Data Types

The IODEF uses a number of simple and complex types. This section
describes these data types.
2.1. Integers

An integer is represented in the information model by the INTEGER
data type. Integer data MUST be encoded in Base 10.

The INTEGER data type is implemented in the data model as a
"xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].

2.2. Real Numbers

A real (floating-point) number is represented in the information
model by the REAL data type. Real data MUST be encoded in Base 10.

The REAL data type is implemented in the data model as a "xs:float"
type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].

2.3. Characters and Strings

A single character is represented in the information model by the
CHARACTER data type. A string is represented by the STRING data
type. Special characters MUST be encoded using entity references.
See Section 4.1.

The CHARACTER and STRING data types are implemented in the data model
as a "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
2.4. Multilingual Strings

A string that needs to be represented in a human-readable language
different than the default encoding of the document is represented in
the information model by the ML_STRING data type.

The ML_STRING data type is implemented in the data model as the
"iodef:MLStringType" type. This type extends the "xs:string" to
include two attributes.

   +------------------------+
   | iodef:MLStringType     |
   +------------------------+
   | xs:string              |
   |                        |
   | ENUM xml:lang          |
   | STRING translation-id  |
   +------------------------+

Figure 1: The iodef:MLStringType Type

The content of the class is a character string of type "xs:string"
whose language MAY be specified by the xml:lang attribute.

The attributes of the iodef:MLStringType type are:

xml:lang
   Optional. ENUM. A language identifier per Section 2.12 of
   [W3C.XML] whose values and format are described in [RFC5646]. The
   interpretation of this code is described in Section 6.

translation-id
   Optional. STRING. An identifier to relate other instances of
   this class with the same parent as translations of this text. The
   scope of this identifier is limited to all of the direct, peer
   child classes of a given parent class.

Using this class enables representing translations of the same text
in multiple languages. Each translation is a distinct instance of
this class with a common parent. A group of classes each with a
translated instance of text is related by setting a common identifier
in the translation-id attribute. The language of a given class is
set by the xml:lang attribute. See Section 6 for more details on
representing translations of free-form text.
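As an added example (not code from the draft), the following Python groups peer Description instances by translation-id, respecting the rule that the identifier's scope is only the direct children of one parent, and resolves xml:lang by ordinary XML inheritance from the nearest ancestor. The IODEF namespace URI, the element names and the sample document are assumptions.

```python
"""Grouping translated ML_STRING instances by translation-id.

Added example; the namespace URI and the sample document are assumed."""
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"   # namespace of xml:lang
XML_LANG = f"{{{XML_NS}}}lang"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"     # assumed namespace URI
NS = {"iodef": IODEF_NS}

# Constructed sample: three Description instances under one parent. Two
# are translations of each other (same translation-id); the third has no
# translation-id and inherits its language from the document root.
SAMPLE = f"""<IODEF-Document xmlns="{IODEF_NS}" version="2.00" xml:lang="en">
  <Incident purpose="reporting">
    <Description translation-id="d1">Outbound scanning from a host</Description>
    <Description translation-id="d1" xml:lang="de">Ausgehendes Scannen von einem Host</Description>
    <Description>Reported by the network operations center</Description>
  </Incident>
</IODEF-Document>"""


def _parent_map(root):
    """ElementTree has no parent links; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def effective_lang(elem, parents, default="und"):
    """xml:lang is inherited from the nearest ancestor that sets it.

    Falls back to "und" (undetermined, per RFC 5646) when nothing in the
    ancestor chain sets a language."""
    node = elem
    while node is not None:
        lang = node.get(XML_LANG)
        if lang:
            return lang
        node = parents.get(node)
    return default


def group_translations(parent, parents, tag):
    """Group the direct children named `tag` by translation-id.

    Returns (groups, standalone): groups maps translation-id -> {lang: text};
    standalone lists (lang, text) for children without a translation-id.
    Only direct children are examined, which is exactly the scope the
    draft gives the identifier. Two peers claiming the same translation-id
    and the same language are ambiguous and are rejected."""
    groups, standalone = {}, []
    for child in parent.findall(f"iodef:{tag}", NS):
        tid = child.get("translation-id")
        lang = effective_lang(child, parents)
        text = (child.text or "").strip()
        if tid is None:
            standalone.append((lang, text))
            continue
        langs = groups.setdefault(tid, {})
        if lang in langs:
            raise ValueError(
                f"duplicate {lang} translation for translation-id {tid!r}")
        langs[lang] = text
    return groups, standalone


def describe_incident(xml_text, tag="Description"):
    """Parse a document and group the first Incident's descriptions."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    incident = root.find("iodef:Incident", NS)
    return group_translations(incident, parents, tag)
```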
2.5. Binary Strings

Binary octets can be represented with two encodings.

2.5.1. Base64 Bytes

A binary octet encoded with Base64 is represented in the information
model by the BYTE data type. A sequence of these octets is of the
BYTE[] data type.

The BYTE and BYTE[] data types are implemented in the data model as a
"xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].

2.5.2. Hexadecimal Bytes

A binary octet encoded as a character tuple consisting of two
hexadecimal digits is represented in the information model by the
HEXBIN data type. A sequence of these octets is of the HEXBIN[] data
type.

The HEXBIN and HEXBIN[] data types are implemented in the data model
as a "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].

2.6. Enumerated Types

An enumerated type is represented in the information model by the
ENUM data type. It is an ordered list of acceptable string values.
Each value has a representative keyword. Within the data model, the
enumerated type keywords are used as attribute values.

The ENUM data type is implemented in the data model as values of a
"xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].

2.7. Date-Time String

A date-time string that describes a particular instant in time is
represented in the information model by the DATETIME data type.
Ranges are not supported.

The DATETIME data type is implemented in the data model as a
"xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
2.8. Timezone String

A timezone offset from UTC is represented in the information model by
the TIMEZONE data type. It is formatted according to the following
regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

The TIMEZONE data type is implemented in the data model as an
"iodef:TimezoneType" type.

2.9. Port Lists

A list of network ports is represented in the information model by
the PORTLIST data type. A PORTLIST consists of a comma-separated
list of numbers and ranges (N-M means ports N through M, inclusive).
It is formatted according to the following regular expression:
"\d+(\-\d+)?(,\d+(\-\d+)?)*". For example,
"2,5-15,30,32,40-50,55-60".

The PORTLIST data type is implemented in the data model as an
"iodef:PortlistType" type.
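Both regular expressions above carry no anchors, so a validator must match the whole value rather than a prefix. The following added example (mine, not the draft's code; the function names are assumptions) validates TIMEZONE and PORTLIST strings with the draft's own patterns and expands port lists, additionally rejecting descending ranges and ports above 65535, which the PORTLIST pattern alone cannot express.

```python
"""Validators for the IODEF TIMEZONE and PORTLIST data types.

Added example built on the two regular expressions the draft gives."""
import re

# The two regular expressions exactly as the draft gives them.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]")
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*")


def is_timezone(value):
    """True if value is a well-formed TIMEZONE string.

    fullmatch() matters: the pattern has no ^/$ anchors, so re.match()
    would accept "+05:30junk" and re.search() would accept "xZ"."""
    return TIMEZONE_RE.fullmatch(value) is not None


def timezone_offset_minutes(value):
    """Offset from UTC in minutes for a TIMEZONE string ("Z" is 0)."""
    if not is_timezone(value):
        raise ValueError(f"not a TIMEZONE string: {value!r}")
    if value == "Z":
        return 0
    sign = 1 if value[0] == "+" else -1
    hours, minutes = value[1:].split(":")
    return sign * (int(hours) * 60 + int(minutes))


def parse_portlist(value):
    """Parse a PORTLIST into a list of inclusive (low, high) pairs.

    The regex only fixes the syntax; the prose ("N-M means ports N
    through M") implies N <= M, and a port cannot exceed 65535. Both
    are checked here because the regex cannot express them."""
    if PORTLIST_RE.fullmatch(value) is None:
        raise ValueError(f"not a PORTLIST string: {value!r}")
    ranges = []
    for item in value.split(","):
        low, _, high = item.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if lo > hi:
            raise ValueError(f"descending range {item!r} in PORTLIST")
        if hi > 65535:
            raise ValueError(f"port {hi} exceeds 65535 in PORTLIST")
        ranges.append((lo, hi))
    return ranges


def expand_portlist(value):
    """Sorted, de-duplicated list of every port named by a PORTLIST."""
    ports = set()
    for lo, hi in parse_portlist(value):
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_in_portlist(port, value):
    """Membership test that does not expand large ranges."""
    return any(lo <= port <= hi for lo, hi in parse_portlist(value))
```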
2.10. Postal Address

A postal address is represented in the information model by the
POSTAL data type. The format of the POSTAL data type is documented
in Section 2.23 of [RFC4519] as a free-form multi-line string
separated by the "$" character.

The POSTAL data type is implemented in the data model as an
"iodef:MLStringType" type.

2.11. Telephone Number

A telephone number is represented in the information model by the
PHONE data type. The format of the PHONE data type is documented in
Section 2.35 of [RFC4519].

The PHONE data type is implemented in the data model as a "xs:string"
type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.12. Email String

An email address is represented in the information model by the EMAIL
data type. The format of the EMAIL data type is documented in
Section 3.4.1 of [RFC5322].

The EMAIL data type is implemented in the data model as a "xs:string"
type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].

2.13. Uniform Resource Locator strings

A uniform resource locator (URL) is represented in the information
model by the URL data type. The format of the URL data type is
documented in [RFC3986].

The URL data type is implemented as a "xs:anyURI" type per
Section 3.2.17 of [W3C.SCHEMA.DTYPES].

2.14. Identifiers and Identifier References

An identifier unique to the IODEF document is represented in the
information model by the ID data type. A reference to this
identifier is represented by the IDREF data type. The acceptable
format of ID and IDREF is documented in Sections 3.3.8 and 3.3.9 of
[W3C.SCHEMA.DTYPES].

The ID and IDREF data types are implemented in the data model as
"xs:ID" and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
[W3C.SCHEMA.DTYPES].

2.15. Software

A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by
using a reference, a URL or with free-form text.

The SOFTWARE data type is implemented in the data model as the
"iodef:SoftwareType" type.
   +--------------------+
   | iodef:SoftwareType |
   +--------------------+
   |                    |<>--{0..1}--[ SoftwareReference ]
   |                    |<>--{0..*}--[ URL ]
   |                    |<>--{0..*}--[ Description ]
   +--------------------+

Figure 2: The SoftwareType Type

The aggregate classes of the SoftwareType type are:

SoftwareReference
   Zero or one. Reference to a software application. See
   Section 2.15.1.

URL
   Zero or more. URL. A URL to a resource describing the software.

Description
   Zero or more. ML_STRING. A free-form text description of the
   software.

At least one of these classes MUST be present.

The iodef:SoftwareType type has no attributes.

2.15.1. SoftwareReference Class

The SoftwareReference class is a reference to a particular version of
software.

   +----------------------+
   | SoftwareReference    |
   +----------------------+
   | xs:any               |
   |                      |
   | ENUM spec-name       |
   | STRING ext-spec-name |
   | ENUM dtype           |
   | STRING enum-dtype    |
   +----------------------+

Figure 3: The SoftwareReference Class

The element content varies according to the value of the spec-name
attribute. It is defined in the data model as "xs:any" per
[W3C.SCHEMA].

The attributes of the SoftwareReference class are:

spec-name
   Required. ENUM. Identifies the format and semantics of the
   element body of this class. Formal standards and specifications
   can be referenced as well as a free-form text description with a
   user-provided data type. These values are maintained in the
   "SoftwareReference-spec-id" IANA registry per Section 10.2.

   1. custom. The element content is free-form and of the data type
      specified by the dtype attribute. If this value is selected,
      then the dtype attribute MUST be set.

   2. cpe. The element content describes a Common Platform
      Enumeration (CPE) entry.

   3. swid. The element content describes a software identification
      (SWID) tag per ISO/IEC 19770-2:2009.

   4. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-spec-name
   Optional. STRING. A means by which to extend the spec-name
   attribute. See Section 5.1.1.

dtype
   Optional. ENUM. The data type of the element content. The
   permitted values for this attribute are shown below. The default
   value is "string". These values are maintained in the
   "SoftwareReference-dtype" IANA registry per Section 10.2.

   1. bytes. The element content is of type HEXBIN.

   2. integer. The element content is of type INTEGER.

   3. real. The element content is of type REAL.

   4. string. The element content is of type STRING.

   5. xml. The element content is XML. See Section 5.2.

   6. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-dtype
   Optional. STRING. A means by which to extend the dtype
   attribute. See Section 5.1.1.
2.16. Extension

Information not otherwise represented in the IODEF can be added using
the EXTENSION data type. This data type is a generic extension
mechanism.

The EXTENSION data type is implemented in the data model as the
"iodef:ExtensionType" type.

The data type of an EXTENSION is described by the dtype attribute.
For simple information, atomic data types (e.g., integers, strings)
are supported. Their semantics are further described by the meaning
and formatid attributes. Encapsulating XML documents conforming to
another schema is also supported. A detailed discussion of extending
the schema can be found in Section 5. Additional coordination may be
required to ensure that a recipient of a document using this type can
parse and process it.

   +------------------------+
   | iodef:ExtensionType    |
   +------------------------+
   | xs:any                 |
   |                        |
   | STRING name            |
   | ENUM dtype             |
   | STRING ext-dtype       |
   | STRING meaning         |
   | STRING formatid        |
   | ENUM restriction       |
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

Figure 4: The iodef:ExtensionType Type

The element content of this type is the extension being added to the
data model. This content is defined in the data model as "xs:any"
per [W3C.SCHEMA].

The attributes of the iodef:ExtensionType type are:

name
   Optional. STRING. A free-form name of the field or data element.

dtype
   Required. ENUM. The data type of the element content. The
   default value is "string". These values are maintained in the
   "ExtensionType-dtype" IANA registry per Section 10.2.

   1. boolean. The element content is of type BOOLEAN.

   2. byte. The element content is of type BYTE.

   3. bytes. The element content is of type HEXBIN.

   4. character. The element content is of type CHARACTER.

   5. date-time. The element content is of type DATETIME.

skipping to change at page 15, line 44

   21. ext-value. A value used to indicate that this attribute is
       extended and the actual value is provided using the
       corresponding ext-* attribute. See Section 5.1.1.

ext-dtype
   Optional. STRING. A means by which to extend the dtype
   attribute. See Section 5.1.1.

meaning
   Optional. STRING. A free-form text description of the element
   content.

formatid
   Optional. STRING. An identifier referencing the format or
   semantics of the element content.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
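A recipient that trusts dtype blindly will mis-handle an extension whose content does not match its declared type. As an added example (not the draft's code), the following checks an ExtensionType element's content against its dtype, covering the values visible in this section and in the SoftwareReference dtype list (boolean, byte, bytes, character, date-time, integer, real, string, xml) plus the ext-value rule, decoding BYTE as Base64 and HEXBIN as hex digit pairs per Section 2.5. The namespace URI, the function names and the sample elements are assumptions.

```python
"""Checking ExtensionType (AdditionalData) content against its dtype.

Added example; the namespace URI and the sample elements are assumed."""
import base64
import binascii
import datetime
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed namespace URI
NS = {"iodef": IODEF_NS}

# xs:dateTime with the Section 2.8 TIMEZONE pattern as its optional zone.
DATETIME_RE = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?"
    r"(?:Z|[\+\-](?:0[0-9]|1[0-4]):[0-5][0-9])?")
# xs:float lexical forms, including the INF / NaN specials.
FLOAT_RE = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?|-?INF|NaN")


def _text_only(elem):
    """Atomic dtypes carry character content only; children are an error."""
    if len(elem):
        raise ValueError(f"dtype {elem.get('dtype', 'string')!r} must not have child elements")
    return (elem.text or "").strip()


def check_extension(elem):
    """Validate one ExtensionType element; return (dtype, decoded value).

    Raises ValueError when the content does not match the declared dtype
    or when dtype="ext-value" is used without ext-dtype."""
    dtype = elem.get("dtype", "string")          # the default value is "string"
    if dtype == "ext-value":
        if not elem.get("ext-dtype"):
            raise ValueError("dtype='ext-value' requires the ext-dtype attribute")
        return ("ext-value", elem.get("ext-dtype"), _text_only(elem))
    if dtype == "xml":                            # exactly one encapsulated element
        if len(elem) != 1 or (elem.text or "").strip():
            raise ValueError("dtype='xml' must contain exactly one element")
        return ("xml", elem[0].tag)
    text = _text_only(elem)
    if dtype == "boolean":
        if text not in ("true", "false", "1", "0"):
            raise ValueError(f"not an xs:boolean: {text!r}")
        return ("boolean", text in ("true", "1"))
    if dtype == "byte":                           # BYTE: Base64 (Section 2.5.1)
        try:
            return ("byte", base64.b64decode(text, validate=True))
        except binascii.Error as exc:
            raise ValueError(f"not Base64: {text!r}") from exc
    if dtype == "bytes":                          # HEXBIN: hex digit pairs (2.5.2)
        if not re.fullmatch(r"([0-9A-Fa-f]{2})*", text):
            raise ValueError(f"not hexBinary: {text!r}")
        return ("bytes", bytes.fromhex(text))
    if dtype == "character":
        if len(text) != 1:
            raise ValueError(f"CHARACTER must be a single character: {text!r}")
        return ("character", text)
    if dtype == "date-time":
        match = DATETIME_RE.fullmatch(text)
        if not match:
            raise ValueError(f"not an xs:dateTime: {text!r}")
        datetime.datetime(*map(int, match.groups()))   # rejects e.g. month 13
        return ("date-time", text)
    if dtype == "integer":
        if not re.fullmatch(r"[+-]?\d+", text):
            raise ValueError(f"not an xs:integer: {text!r}")
        return ("integer", int(text))
    if dtype == "real":
        if not FLOAT_RE.fullmatch(text):
            raise ValueError(f"not an xs:float: {text!r}")
        return ("real", float(text))
    if dtype == "string":
        return ("string", text)
    raise ValueError(f"dtype {dtype!r} is not handled by this example")


def check_fragment(xml_fragment):
    """Validate a single ExtensionType element given as XML text."""
    return check_extension(ET.fromstring(xml_fragment))


# Constructed sample: one AdditionalData element per dtype exercised above.
SAMPLE = f"""<Incident xmlns="{IODEF_NS}" purpose="reporting">
  <AdditionalData dtype="integer" meaning="hit-count">42</AdditionalData>
  <AdditionalData dtype="bytes" meaning="sample-hex">deadbeef</AdditionalData>
  <AdditionalData dtype="byte" meaning="sample-base64">aGVsbG8=</AdditionalData>
  <AdditionalData dtype="date-time">2016-03-20T10:15:00Z</AdditionalData>
  <AdditionalData dtype="xml"><note xmlns="urn:example:ns">x</note></AdditionalData>
  <AdditionalData dtype="ext-value" ext-dtype="cidr">192.0.2.0/24</AdditionalData>
  <AdditionalData meaning="comment">defaults to string</AdditionalData>
</Incident>"""


def check_all(xml_text):
    """Validate every AdditionalData child of an Incident; return decoded values."""
    root = ET.fromstring(xml_text)
    return [check_extension(e) for e in root.findall("iodef:AdditionalData", NS)]
```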
3. The IODEF Information Model

The specifics of the IODEF information model are discussed in this
section. Each class and its relationships with the other classes are
described. When necessary, clarifications are made about translating
this information model to the schema in Section 8.

3.1. IODEF-Document Class

The IODEF-Document class is the top level class in the IODEF data
model. All IODEF documents are an instance of this class.

   +--------------------------+
   | IODEF-Document           |
   +--------------------------+
   | STRING version           |<>--{1..*}--[ Incident ]

skipping to change at page 17, line 18

   interpretation of this code is described in Section 6.

format-id
   Optional. STRING. A free-form string to convey processing
   instructions to the recipient of the document. Its semantics must
   be negotiated out-of-band.

private-enum-name
   Optional. STRING. A globally unique identifier for the CSIRT
   generating the document to deconflict private extensions used in
   the document. The fully qualified domain name associated with the
   CSIRT MUST be used as the identifier. See Section 5.3.

private-enum-id
   Optional. STRING. An organizationally unique identifier for an
   extension used in the document. If this attribute is set, the
   private-enum-name MUST also be set. See Section 5.3.
3.2. Incident Class 3.2. Incident Class
Every incident is represented by an instance of the Incident class. The Incident class describes commonly exchanged information when
This class provides a standardized representation for commonly reporting or sharing derived analysis from security incidents.
exchanged incident data.
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM status |<>--{0..*}--[ RelatedActivity ] | ENUM status |<>--{0..*}--[ RelatedActivity ]
| STRING ext-status |<>--{0..1}--[ DetectTime ] | STRING ext-status |<>--{0..1}--[ DetectTime ]
| ENUM xml:lang |<>--{0..1}--[ StartTime ] | ENUM xml:lang |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ] | ENUM restriction |<>--{0..1}--[ EndTime ]
skipping to change at page 21, line 17 skipping to change at page 19, line 17
incident. incident.
ReportTime ReportTime
Zero or one. DATETIME. The time the incident was reported. Zero or one. DATETIME. The time the incident was reported.
GenerationTime GenerationTime
One. DATETIME. The time the content in this Incident class was One. DATETIME. The time the content in this Incident class was
generated. generated.
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form text description of the
incident. incident.
Discovery Discovery
Zero or more. The means by which this incident was detected. See Zero or more. The means by which this incident was detected. See
Section 3.10. Section 3.10.
Assessment Assessment
Zero or more. A characterization of the impact of the incident. Zero or more. A characterization of the impact of the incident.
See Section 3.12. See Section 3.12.
Method Method
Zero or more. The techniques used by the intruder in the Zero or more. The techniques used by the threat actor in the
incident. See Section 3.11. incident. See Section 3.11.
Contact Contact
One or more. Contact information for the parties involved in the One or more. Contact information for the parties involved in the
incident. See Section 3.9. incident. See Section 3.9.
EventData EventData
Zero or more. Description of the events comprising the incident. Zero or more. Description of the events comprising the incident.
See Section 3.14. See Section 3.14.
IndicatorData IndicatorData
Zero or one. Description of indicators. See Section 3.28. Zero or one. Indicators from the analysis of an incident. See
Section 3.28.
History History
Zero or one. A log of significant events or actions that occurred Zero or one. A log of significant events or actions that occurred
during the course of handling the incident. See Section 3.13. during the course of handling the incident. See Section 3.13.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The attributes of the Incident class are: The attributes of the Incident class are:
purpose purpose
Required. ENUM. The purpose attribute represents the reason why Required. ENUM. The purpose attribute represents describes the
the IODEF document was created. It is closely related to the rational for document the information in this class. It is
Expectation class (Section 3.15). These values are maintained in closely related to the Expectation class (Section 3.15). These
the "Incident-purpose" IANA registry per Table 1. This attribute values are maintained in the "Incident-purpose" IANA registry per
is defined as an enumerated list: Section 10.2. This attribute is defined as an enumerated list:
1. traceback. The document was sent for trace-back purposes. 1. traceback. The Incident was sent for trace-back purposes.
2. mitigation. The document was sent to request aid in 2. mitigation. The Incident was sent to request aid in
mitigating the described activity. mitigating the described activity.
3. reporting. The document was sent to comply with reporting 3. reporting. The Incident was sent to comply with reporting
requirements. requirements.
4. watch. The document was sent to convey indicators to watch 4. watch. The Incident was sent to convey indicators that should
for particular activity. be monitored.
5. other. The document was sent for purposes specified in the 5. other. The Incident was sent for purposes specified in the
Expectation class. Expectation class.
6. ext-value. A value used to indicate that this attribute is 6. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-purpose ext-purpose
Optional. STRING. A means by which to extend the purpose Optional. STRING. A means by which to extend the purpose
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
status status
Optional. ENUM. The status attribute conveys the state in a Optional. ENUM. The status attribute conveys the state in a
workflow where the incident is currently found. These values are workflow where the incident is currently found. These values are
maintained in the "Incident-status" IANA registry per Table 1. maintained in the "Incident-status" IANA registry per
This attribute is defined as an enumerated list: Section 10.2. This attribute is defined as an enumerated list:
1. new. The document is newly reported and has not been 1. new. The Incident is newly reported and has not been
actioned. actioned.
2. in-progress. The contents of this document are under 2. in-progress. The contents of this Incident are under
investigation. investigation.
3. forwarded. The document has been forwarded to another party 3. forwarded. The Incident has been forwarded to another party
for handling. for handling.
4. resolved. The investigation into the activity in this 4. resolved. The investigation into the activity in this
document has concluded. Incident has concluded.
5. future. The described activity has not yet been detected. 5. future. The described activity has not yet been detected.
6. ext-value. A value used to indicate that this attribute is 6. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-status ext-status
Optional. STRING. A means by which to extend the status Optional. STRING. A means by which to extend the status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
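Review bot: the reworded "watch" purpose (item 4 of the purpose list) now reads as if the indicators themselves are to be monitored; the -16 wording "indicators to watch for particular activity" carried the intended meaning, so suggest "The Incident was sent to convey indicators of activity that should be watched for." The status list below is otherwise consistent with the purpose list in its use of "Incident" rather than "document".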
skipping to change at page 23, line 31 skipping to change at page 21, line 31
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.3. Common Attributes 3.3. Common Attributes
There are a number of recurring attributes used by the data model. There are a number of recurring attributes used in the information
They are documented in this section. model. They are documented in this section.
3.3.1. restriction Attribute 3.3.1. restriction Attribute
The restriction attribute indicates the disclosure guidelines to The restriction attribute indicates the disclosure guidelines to
which the sender expects the recipient to adhere for the information which the sender expects the recipient to adhere for the information
represented in this class and its children. This guideline provides represented in this class and its children. This guideline provides
no security since there are no specified technical means to ensure no security since there are no technical means to ensure that the
that the recipient of the document handles the information as the recipient of the document handles the information as the sender
sender requested. requested.
The value of this attribute is logically inherited by the children of The value of this attribute is logically inherited by the children of
this class. That is to say, the disclosure rules applied to this this class. That is to say, the disclosure rules applied to this
class, also apply to its children. class, also apply to its children.
It is possible to set a granular disclosure policy, since all of the It is possible to set a granular disclosure policy, since all of the
high-level classes (i.e., children of the Incident class) have a high-level classes (i.e., children of the Incident class) have a
restriction attribute. Therefore, a child can override the restriction attribute. Therefore, a child can override the
guidelines of a parent class, be it to restrict or relax the guidelines of a parent class, be it to restrict or relax the
disclosure rules (e.g., a child has a weaker policy than an ancestor; disclosure rules (e.g., a child has a weaker policy than an ancestor;
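Review bot: dropping "specified" from the first paragraph of 3.3.1 turns a scoping statement into an absolute claim that no technical means exist to enforce the disclosure guideline; suggest "there are no technical means specified in this document to ensure that the recipient ... handles the information as the sender requested", since a sender may still rely on transport or out-of-band controls that this attribute simply does not describe.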
skipping to change at page 24, line 14 skipping to change at page 22, line 14
more rigid controls). The implicit value of the restriction more rigid controls). The implicit value of the restriction
attribute for a class that did not specify one can be found in the attribute for a class that did not specify one can be found in the
closest ancestor that did specify a value. closest ancestor that did specify a value.
This attribute is defined as an enumerated value with a default value This attribute is defined as an enumerated value with a default value
of "private". Note that the default value of the restriction of "private". Note that the default value of the restriction
attribute is only defined in the context of the Incident class. In attribute is only defined in the context of the Incident class. In
other classes where this attribute is used, no default is specified. other classes where this attribute is used, no default is specified.
These values are maintained in the "Restriction" IANA registry per These values are maintained in the "Restriction" IANA registry per
Table 1. Section 10.2.
1. public. The information can be freely distributed without 1. public. The information can be freely distributed without
restriction. restriction.
2. partner. The information may be shared within a closed 2. partner. The information may be shared within a closed
community of peers, partners, or affected parties, but cannot be community of peers, partners, or affected parties, but cannot be
openly published. openly published.
3. need-to-know. The information may be shared only within the 3. need-to-know. The information may be shared only within the
organization with individuals that have a need to know. organization with individuals that have a need to know.
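Review bot: the statement that the "private" default exists only in the Incident class and the statement that an omitted value resolves to the closest ancestor should be tied together: since every class carrying restriction is a descendant of Incident (per the granular-policy paragraph above), an omitted value always resolves to some ancestor's value, ultimately "private". Suggest saying so explicitly so that implementers do not read "no default is specified" in the other classes as "unrestricted".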
skipping to change at page 24, line 46 skipping to change at page 22, line 46
8. amber. Same as 'need-to-know'. 8. amber. Same as 'need-to-know'.
9. red. Same as 'private'. 9. red. Same as 'private'.
10. ext-value. A value used to indicate that this attribute is 10. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
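Review bot: items 8 and 9 define the colour names as aliases of other values ("amber" is "need-to-know", "red" is "private"), so one policy has two encodings; suggest stating which form a generator should emit and that a recipient treats an alias and its target identically, otherwise any policy comparison across documents has to special-case the synonyms.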
3.3.2. observable-id Attribute 3.3.2. observable-id Attribute
Information included in an incident report may be an observable The observable-id attribute tags information in the document as an
relevant to an indicator. The observable-id attribute provides a observable so that it can be referenced later in the description of
unique identifier in the scope of the document for this observable. an indicator. The value of this attribute is a unique identifier in
This identifier can then be used to reference the observable with an the scope of the document. It is used by the ObservableReference
ObservableReference class to define an indicator in the IndicatorData class to enumerate observables when defining an indicator with the
class. IndicatorData class.
3.4. IncidentID Class 3.4. IncidentID Class
The IncidentID class represents an incident tracking number that is The IncidentID class represents a tracking number that is unique in
unique in the context of the CSIRT and identifies the activity the context of the CSIRT. It serves as an identifier for an incident
characterized in an IODEF Document. This identifier would serve as or a document identifier when sharing indicators. This identifier
an index into the CSIRT incident handling system. The combination of would serve as an index into a CSIRT's incident handling or knowledge
the name attribute and the string in the element content MUST be a management system.
globally unique identifier describing the activity. Documents
generated by a given CSIRT MUST NOT reuse the same value unless they The combination of the name attribute and the string in the element
are referencing the same incident. content MUST be a globally unique identifier describing the activity.
Documents generated by a given CSIRT MUST NOT reuse the same value
unless they are referencing the same incident.
+------------------------+ +------------------------+
| IncidentID | | IncidentID |
+------------------------+ +------------------------+
| STRING | | STRING |
| | | |
| STRING name | | STRING name |
| STRING instance | | STRING instance |
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
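Review bot: the IncidentID uniqueness rule names only the name attribute and the element content, but the class figure also carries a STRING instance attribute; clarify whether instance participates in the globally unique identifier (for example, whether two IncidentID values that differ only in instance refer to the same incident), especially now that IncidentID also serves as a document identifier when sharing indicators.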
skipping to change at page 26, line 7 skipping to change at page 24, line 7
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.5. AlternativeID Class 3.5. AlternativeID Class
The AlternativeID class lists the incident tracking numbers used by The AlternativeID class lists the tracking numbers used by CSIRTs,
CSIRTs, other than the one generating the document, to refer to the other than the one generating the document, to refer to the identical
identical activity described in the IODEF document. A tracking activity described in the IODEF document. A tracking number listed
number listed as an AlternativeID references the same incident as an AlternativeID references the same incident detected by another
detected by another CSIRT. The incident tracking numbers of the CSIRT. The tracking numbers of the CSIRT that generated the IODEF
CSIRT that generated the IODEF document must never be considered an document must never be considered an AlternativeID.
AlternativeID.
+------------------------+ +------------------------+
| AlternativeID | | AlternativeID |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ] | ENUM restriction |<>--{1..*}--[ IncidentID ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 8: The AlternativeID Class Figure 8: The AlternativeID Class
The aggregate class of the AlternativeID class is: The aggregate class of the AlternativeID class is:
IncidentID IncidentID
One or more. The incident tracking number of another CSIRT. See One or more. The tracking number of another CSIRT. See
Section 3.4. Section 3.4.
The attributes of the AlternativeID class are: The attributes of the AlternativeID class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.6. RelatedActivity Class 3.6. RelatedActivity Class
The RelatedActivity class relates the information described in the The RelatedActivity class relates the information described in the
rest of the IODEF document to previously observed incidents or rest of the document to previously observed incidents or activity;
activity; and allows attribution to a specific actor or campaign. and allows attribution to a specific actor or campaign.
+------------------------+ +------------------------+
| RelatedActivity | | RelatedActivity |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ] | ENUM restriction |<>--{0..*}--[ IncidentID ]
| STRING ext-restriction |<>--{0..*}--[ URL ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ Campaign ]
| |<>--{0..*}--[ IndicatorID ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 9: RelatedActivity Class Figure 9: RelatedActivity Class
The aggregate classes of the RelatedActivity class are: The aggregate classes of the RelatedActivity class are:
IncidentID IncidentID
Zero or more. The incident tracking number of a related incident. Zero or more. The tracking number of a related incident. See
See Section 3.4. Section 3.4.
URL URL
Zero or more. URL. A URL to activity related to this incident. Zero or more. URL. A URL to activity related to this incident.
ThreatActor ThreatActor
Zero or more. The threat actor to whom the described activity is Zero or more. The threat actor to whom the incident activity is
attributed. See Section 3.7. attributed. See Section 3.7.
Campaign Campaign
Zero or more. The campaign of a given threat actor to whom the Zero or more. The campaign of a given threat actor to whom the
described activity is attributed. See Section 3.8. described activity is attributed. See Section 3.8.
IndicatorID
Zero or more. A reference to a related indicator. See
Section 3.4.
Confidence Confidence
Zero or one. An estimate of the confidence in attributing this Zero or one. An estimate of the confidence in attributing this
RelatedActivity to the event described in the document. See RelatedActivity to the events described in the document. See
Section 3.12.5. Section 3.12.5.
Description Description
Zero or more. ML_STRING. A description of how these Zero or more. ML_STRING. A description of how these
relationships were derived. relationships were derived.
AdditionalData AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data Zero or more. EXTENSION. A mechanism by which to extend the data
model. model.
RelatedActivity MUST at least have one instance of a child class. The RelatedActivity class MUST have at least one instance of any of
the following child classes: IncidentID, URL, ThreatActor, Campaign,
Description or AdditionalData.
The attributes of the RelatedActivity class are: The attributes of the RelatedActivity class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
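Review bot: the newly added IndicatorID child of RelatedActivity is missing from the "MUST have at least one instance of" list at the end of 3.6 (IncidentID, URL, ThreatActor, Campaign, Description or AdditionalData), and its description says "See Section 3.4", which is the IncidentID class; suggest adding IndicatorID to that list and pointing at the section that actually defines IndicatorID.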
3.7. ThreatActor Class 3.7. ThreatActor Class
The ThreatActor class describes a given actor. The ThreatActor class describes a threat actor.
+------------------------+ +------------------------+
| ThreatActor | | ThreatActor |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ ThreatActorID ] | ENUM restriction |<>--{0..*}--[ ThreatActorID ]
| STRING ext-restriction |<>--{0..*}--[ URL ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 10: ThreatActor Class Figure 10: ThreatActor Class
The aggregate classes of the ThreatActor class are: The aggregate classes of the ThreatActor class are:
ThreatActorID ThreatActorID
Zero or more. STRING. An identifier for the ThreatActor. Zero or more. STRING. An identifier for the threat actor.
URL URL
Zero or more. URL. A URL associated with the ThreatActor. Zero or more. URL. A URL to a reference describing the threat
actor.
Description Description
Zero or more. ML_STRING. A description of the ThreatActor. Zero or more. ML_STRING. A description of the threat actor.
AdditionalData AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data Zero or more. EXTENSION. A mechanism by which to extend the data
model. model.
ThreatActor MUST have at least one instance of a child class. The ThreatActor class MUST have at least one instance of a child
class.
The attributes of the ThreatActor class are: The attributes of the ThreatActor class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.8. Campaign Class 3.8. Campaign Class
The Campaign class describes a campaign of attacks by a threat actor. The Campaign class describes a campaign of attacks by a threat actor.
+------------------------+ +------------------------+
| Campaign | | Campaign |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ CampaignID ] | ENUM restriction |<>--{0..*}--[ CampaignID ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 11: Campaign Class Figure 11: Campaign Class
The aggregate classes of the Campaign class are: The aggregate classes of the Campaign class are:
CampaignID CampaignID
Zero or more. STRING. An identifier for the Campaign. Zero or more. STRING. An identifier for the campaign.
URL
Zero or more. URL. A URL to a reference describing the campaign.
Description Description
Zero or more. ML_STRING. A description of the Campaign. Zero or more. ML_STRING. A description of the campaign.
AdditionalData AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data Zero or more. EXTENSION. A mechanism by which to extend the data
model. model.
Campaign MUST have at least one instance of a Campaign or The Campaign class MUST have at least one instance of a child class.
Description.
The attributes of the Campaign class are: The attributes of the Campaign class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
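Review bot: CampaignID (and ThreatActorID in 3.7) is a bare STRING with no indication of who assigned the name, unlike IncidentID, which pairs the value with a name attribute to make it globally unique, so the same campaign or actor label from two sources will collide. Suggest either adding an attribute naming the assigning party or stating that these identifiers are scoped to the CSIRT that generated the document.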
skipping to change at page 30, line 4 skipping to change at page 28, line 15
3.9. Contact Class 3.9. Contact Class
The Contact class describes contact information for organizations and The Contact class describes contact information for organizations and
personnel involved in the incident. This class allows for the naming personnel involved in the incident. This class allows for the naming
of the involved party, specifying contact information for them, and of the involved party, specifying contact information for them, and
identifying their role in the incident. identifying their role in the incident.
People and organizations are treated interchangeably as contacts; one People and organizations are treated interchangeably as contacts; one
can be associated with the other using the recursive definition of can be associated with the other using the recursive definition of
the class (the Contact class is aggregated into the Contact class). the class (the Contact class is aggregated into the Contact class).
The 'type' attribute disambiguates the type of contact information The 'type' attribute disambiguates the type of contact information
being provided. being provided.
The inheriting definition of Contact provides a way to relate The recursive definition of Contact provides a way to relate
information without requiring the explicit use of identifiers in the information without requiring the explicit use of identifiers or
classes or duplication of data. A complete point of contact is duplication of data. A complete point of contact is derived by a
derived by a particular traversal from the root Contact class to the particular traversal from the root Contact class to the leaf Contact
leaf Contact class. As such, multiple points of contact might be class. Each child Contact class logically inherits contact
specified in a single instance of a Contact class. Each child information from its ancestors.
Contact class logically inherits contact information from its
ancestors.
+------------------------+ +------------------------+
| Contact | | Contact |
+------------------------+ +------------------------+
| ENUM role |<>--{0..*}--[ ContactName ] | ENUM role |<>--{0..*}--[ ContactName ]
| STRING ext-role |<>--{0..*}--[ ContactTitle ] | STRING ext-role |<>--{0..*}--[ ContactTitle ]
| ENUM type |<>--{0..*}--[ Description ] | ENUM type |<>--{0..*}--[ Description ]
| STRING ext-type |<>--{0..*}--[ RegistryHandle ] | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
| ENUM restriction |<>--{0..1}--[ PostalAddress ] | ENUM restriction |<>--{0..1}--[ PostalAddress ]
| STRING ext-restriction |<>--{0..*}--[ Email ] | STRING ext-restriction |<>--{0..*}--[ Email ]
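Review bot: the rewritten inheritance paragraph says a child Contact "logically inherits contact information from its ancestors" but does not say what happens when the child repeats an element the ancestor also carries (for example, an Email at both levels); state whether the child's value replaces the inherited one or is added to it, since the two readings yield different points of contact from the same traversal.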
skipping to change at page 30, line 46 skipping to change at page 29, line 6
ContactName ContactName
Zero or more. ML_STRING. The name of the contact. The contact Zero or more. ML_STRING. The name of the contact. The contact
may either be an organization or a person. The type attribute may either be an organization or a person. The type attribute
disambiguates the semantics. disambiguates the semantics.
ContactTitle ContactTitle
Zero or more. ML_STRING. The title for the individual named in Zero or more. ML_STRING. The title for the individual named in
the ContactName. the ContactName.
Description Description
Zero or more. ML_STRING. A free-form description of this Zero or more. ML_STRING. A free-form text description of the
contact. In the case of a person, this is often the contact.
organizational title of the individual.
RegistryHandle RegistryHandle
Zero or more. A handle name into the registry of the contact. Zero or more. A handle name into the registry of the contact.
See Section 3.9.1. See Section 3.9.1.
PostalAddress PostalAddress
Zero or more. The postal address of the contact. See Zero or more. The postal address of the contact. See
Section 3.9.2. Section 3.9.2.
Email Email
Zero or more. The email address of the contact. See Zero or more. The email address of the contact. See
Section 3.9.3. Section 3.9.3.
Telephone Telephone
Zero or more. The telephone number of the contact. See Zero or more. The telephone number of the contact. See
Section 3.9.4. Section 3.9.4.
Timezone Timezone
Zero or one. TIMEZONE. The timezone in which the contact resides Zero or one. TIMEZONE. The timezone in which the contact
formatted according to Section 2.9. resides.
Contact Contact
Zero or more. A Contact instance contained within another Contact Zero or more. A recursive definition of the Contact class. This
instance inherits the values of the parent(s). This recursive
definition can be used to group common data pertaining to multiple definition can be used to group common data pertaining to multiple
points of contact and is especially useful when listing multiple points of contact and is especially useful when listing multiple
contacts at the same organization. See Section 3.9. contacts at the same organization.
AdditionalData AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data Zero or more. EXTENSION. A mechanism by which to extend the data
model. model.
At least one of the aggregate classes MUST be present in an instance At least one of the aggregate classes MUST be present in an instance
of the Contact class. This is not enforced in the IODEF schema as of the Contact class.
there is no simple way to accomplish it.
The attributes of the Contact class are: The attributes of the Contact class are:
role role
Required. ENUM. Indicates the role the contact fulfills. This Required. ENUM. Indicates the role the contact fulfills. These
attribute is defined as an enumerated list. These values are values are maintained in the "Contact-role" IANA registry per
maintained in the "Contact-role" IANA registry per Table 1. Section 10.2.
1. creator. The entity that generate the document. 1. creator. The entity that generate the document.
2. reporter. The entity that reported the information. 2. reporter. The entity that reported the information.
3. admin. An administrative contact or business owner for an 3. admin. An administrative contact or business owner for an
asset or organization. asset or organization.
4. tech. An entity responsible for the day-to-day management of 4. tech. An entity responsible for the day-to-day management of
technical issues for an asset or organization. technical issues for an asset or organization.
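Review bot: PostalAddress is listed as "Zero or more" in the aggregate-class list but the class figure shows it as {0..1}; one of the two needs to change. Two smaller points in the same region: "The entity that generate the document" (item 1, creator) should read "generates", and removing the sentence that the at-least-one-child rule is not enforced by the schema implies the schema now enforces it, so either the schema should do so or the sentence should stay.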
skipping to change at page 32, line 52 skipping to change at page 31, line 10
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-role ext-role
Optional. STRING. A means by which to extend the role attribute. Optional. STRING. A means by which to extend the role attribute.
See Section 5.1.1. See Section 5.1.1.
type type
Required. ENUM. Indicates the type of contact being described. Required. ENUM. Indicates the type of contact being described.
This attribute is defined as an enumerated list. These values are This attribute is defined as an enumerated list. These values are
maintained in the "Contact-type" IANA registry per Table 1. maintained in the "Contact-type" IANA registry per Section 10.2.
1. person. The information for this contact references an 1. person. The information for this contact references an
individual. individual.
2. organization. The information for this contact references an 2. organization. The information for this contact references an
organization. organization.
3. ext-value. A value used to indicate that this attribute is 3. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
skipping to change at page 33, line 49 skipping to change at page 32, line 8
Figure 13: The RegistryHandle Class Figure 13: The RegistryHandle Class
The content of the class is a handle into a registry of type STRING. The content of the class is a handle into a registry of type STRING.
The attributes of the RegistryHandle class are: The attributes of the RegistryHandle class are:
registry registry
Required. ENUM. The database to which the handle belongs. These Required. ENUM. The database to which the handle belongs. These
values are maintained in the "RegistryHandle-registry" IANA values are maintained in the "RegistryHandle-registry" IANA
registry per Table 1. The possible values are: registry per Section 10.2. The possible values are:
1. internic. Internet Network Information Center 1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center 2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers 3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry 4. lacnic. Latin-American and Caribbean IP Address Registry
5. ripe. Reseaux IP Europeens 5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry 6. afrinic. African Internet Numbers Registry
skipping to change at page 35, line 6 skipping to change at page 33, line 12
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
address. address.
The attributes of the PostalAddress class are: The attributes of the PostalAddress class are:
type type
Optional. ENUM. Categorizes the type of address described in the Optional. ENUM. Categorizes the type of address described in the
PAddress class. These values are maintained in the PAddress class. These values are maintained in the
"PostalAddress-type" IANA registry per Table 1. "PostalAddress-type" IANA registry per Section 10.2.
1. street. An address describing a physical location. 1. street. An address describing a physical location.
2. mailing. An address to which correspondence should be sent. 2. mailing. An address to which correspondence should be sent.
3. ext-value. A value used to indicate that this attribute is 3. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-type ext-type
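Review bot: the type attribute text says it categorizes "the type of address described in the PAddress class", but the class being defined is PostalAddress and no PAddress class appears in this section; the name should be corrected.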
skipping to change at page 35, line 47 skipping to change at page 34, line 6
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
email address. email address.
The attributes of the Email class are: The attributes of the Email class are:
type type
Optional. ENUM. Categorizes the type of email address described Optional. ENUM. Categorizes the type of email address described
in the EmailTo class. These values are maintained in the "Email- in the EmailTo class. These values are maintained in the "Email-
type" IANA registry per Table 1. type" IANA registry per Section 10.2.
1. direct. A email address of an individual. 1. direct. A email address of an individual.
2. hotline. A email address regularly monitored for operational 2. hotline. A email address regularly monitored for operational
purposes. purposes.
3. ext-value. A value used to indicate that this attribute is 3. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
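Review bot: the Email type attribute refers to "the EmailTo class" although the class being defined is Email; also "A email address" in items 1 and 2 should read "An email address".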
skipping to change at page 36, line 44 skipping to change at page 34, line 49
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
phone number. phone number.
The attributes of the Telephone class are: The attributes of the Telephone class are:
type type
Optional. ENUM. Categorizes the type of telephone number Optional. ENUM. Categorizes the type of telephone number
described in the TelephoneNumber class. These values are described in the TelephoneNumber class. These values are
maintained in the "Telephone-type" IANA registry per Table 1. maintained in the "Telephone-type" IANA registry per Section 10.2.
1. direct. A number at an individual. 1. wired. A number of a wire-line (land-line) phone.
2. mobile. A number of a mobile phone. 2. mobile. A number of a mobile phone.
3. fax. A number to a fax machine. 3. fax. A number to a fax machine.
4. hotline. A number to a regularly monitored operational 4. hotline. A number to a regularly monitored operational
hotline. hotline.
5. ext-value. A value used to indicate that this attribute is 5. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
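Review bot: the Telephone type attribute refers to "the TelephoneNumber class" rather than Telephone. Separately, replacing "direct" with "wired" changes item 1 from identifying a number that reaches an individual to identifying a line type, so a document produced against the -16 text with type="direct" has no equivalent value in -17; that change should be called out for implementers.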
skipping to change at page 37, line 51 skipping to change at page 36, line 7
DetectionPattern DetectionPattern
Zero or more. Describes an application-specific configuration Zero or more. Describes an application-specific configuration
that detected the incident. See Section 3.10.1. that detected the incident. See Section 3.10.1.
The attributes of the Discovery class are: The attributes of the Discovery class are:
source source
Optional. ENUM. Categorizes the techniques used to discover the Optional. ENUM. Categorizes the techniques used to discover the
incident. These values are partially derived from Table 3-1 of incident. These values are partially derived from Table 3-1 of
[NIST800.61rev2]. These values are maintained in the "Discovery- [NIST800.61rev2]. These values are maintained in the "Discovery-
source" IANA registry per Table 1. source" IANA registry per Section 10.2.
1. nidps. Network Intrusion Detection or Prevention system. 1. nidps. Network Intrusion Detection or Prevention system.
2. hips. Host-based Intrusion Prevention system. 2. hips. Host-based Intrusion Prevention system.
3. siem. Security Information and Event Management System. 3. siem. Security Information and Event Management System.
4. av. Antivirus or and antispam software. 4. av. Antivirus or and antispam software.
5. third-party-monitoring. Contracted third-party monitoring 5. third-party-monitoring. Contracted third-party monitoring
skipping to change at page 40, line 20 skipping to change at page 38, line 22
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.11.  Method Class

   [bis-16] The Method class describes the tactics, techniques,
   procedures or underlying issue used by the intruder in the incident.
   This class consists of both a list of references describing the
   attack methods and weaknesses and a free-form description.

   [bis-17] The Method class describes the tactics, techniques,
   procedures or weakness used by the threat actor in an incident.
   This class consists of both a list of references describing the
   attack methods and weaknesses and a free-form text description.

      +------------------------+
      | Method                 |
      +------------------------+
      | ENUM restriction       |<>--{0..*}--[ Reference ]
      | STRING ext-restriction |<>--{0..*}--[ Description ]
      |                        |<>--{0..*}--[ sci:AttackPattern ]
      |                        |<>--{0..*}--[ sci:Vulnerability ]
      |                        |<>--{0..*}--[ sci:Weakness ]
      |                        |<>--{0..*}--[ AdditionalData ]

   [skipping to change at page 40, line 45 (bis-16) / page 38, line 47
   (bis-17)]

                      Figure 19: The Method Class

   The aggregate classes of the Method class are:

   Reference
      Zero or more.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.  See Section 3.11.1.

   Description
      Zero or more.  ML_STRING.  A free-form text description of
      techniques, tactics, or procedures used by the {bis-16: intruder |
      bis-17: threat actor}.

   sci:AttackPattern
      Zero or more.  A reference to a pattern of attack or exploitation
      per [RFC-SCI].

   sci:Vulnerability
      Zero or more.  A reference to a vulnerability per [RFC-SCI].

   sci:Weakness
      Zero or more.  A reference to the exploited weakness per
      [RFC-SCI].

   [skipping to change at page 41, line 27 (bis-16) / page 39, line 30
   (bis-17)]

      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
3.11.1.  Reference Class

   [bis-16] The Reference class is an external reference to relevant
   information such as a vulnerability, IDS alert, malware sample,
   advisory, or attack technique.  A reference consists of a name, a
   URL to this reference, and an optional description.

   [bis-17] The Reference class is an external reference to relevant
   information such as a vulnerability, IDS alert, malware sample,
   advisory, or attack technique.

      +-------------------------+
      | Reference               |
      +-------------------------+
      | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
      |                         |<>--{0..*}--[ URL ]
      |                         |<>--{0..*}--[ Description ]
      +-------------------------+

                     Figure 20: The Reference Class

   The aggregate classes of the Reference class are:

   enum:ReferenceName
      Zero or one.  Reference identifier per [RFC-ENUM].

   URL
      Zero or more.  URL.  {bis-16: A URL associated with the
      reference. | bis-17: A URL to a reference.}

   Description
      Zero or more.  ML_STRING.  A free-form text description of this
      reference.

   At least one of these classes MUST be present.

   The attribute of the Reference class is:

   observable-id
   [skipping to change at page 42, line 40 (bis-16) / page 40, line 42
   (bis-17)]

                      Figure 21: Assessment Class

   The aggregate classes of the Assessment class are:

   IncidentCategory
      Zero or more.  ML_STRING.  A free-form text description
      categorizing the type of Incident.

   SystemImpact
      [bis-16] Zero or more.  Technical characterization of the impact
      of the activity on the victim's enterprise.  See Section 3.12.1.
      [bis-17] Zero or more.  A technical characterization of the
      impact of the incident activity on the victim's enterprise.  See
      Section 3.12.1.

   BusinessImpact
      [bis-16] Zero or more.  Impact of the activity on the business
      functions of the victim organization.  See Section 3.12.2.
      [bis-17] Zero or more.  Impact of the incident activity on the
      business functions of the victim organization.  See
      Section 3.12.2.

   TimeImpact
      [bis-16] Zero or more.  Impact of the activity measured with
      respect to time.  See Section 3.12.3.
      [bis-17] Zero or more.  A characterization of the victim
      organization due to the incident activity as a function of time.
      See Section 3.12.3.

   MonetaryImpact
      [bis-16] Zero or more.  Impact of the activity measured with
      respect to financial loss.  See Section 3.12.4.
      [bis-17] Zero or more.  The financial loss due to the incident
      activity.  See Section 3.12.4.

   IntendedImpact
      [bis-16] Zero or more.  Intended impact to the victim by the
      attacker.  Defined identically to the BusinessImpact defined in
      Section 3.12.2, but describes intent rather than the realized
      impact.
      [bis-17] Zero or more.  The intended outcome to the victim sought
      by the threat actor.  Defined identically to the BusinessImpact
      defined in Section 3.12.2, but describes intent rather than the
      realized impact.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.  See Section 3.18.3.

   MitigatingFactor
      [bis-16] Zero or more.  ML_STRING.  A description of a mitigating
      factor on an impact.
      [bis-17] Zero or more.  ML_STRING.  A description of a mitigating
      factor relative to the impact on the victim organization.

   Cause
      Zero or more.  ML_STRING.  A description of {bis-16: the | bis-17:
      an} underlying cause of the impact.

   Confidence
      Zero or one.  An estimate of confidence in the {bis-16:
      assessment | bis-17: impact assessment}.  See Section 3.12.5.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   At least one instance of the possible five impact classes (i.e.,
   SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact or
   IntendedImpact) MUST be present.

   The attributes of the Assessment class are:
   [skipping to change at page 45, line 10 (bis-16) / page 43, line 12
   (bis-17)]

      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the impact.  The permitted values are
      shown below.  The default value is "unknown".  These values are
      maintained in the "SystemImpact-type" IANA registry per {bis-16:
      Table 1 | bis-17: Section 10.2}.

      1.   [bis-16] takeover-account.  Control was taken of a given
           account (e.g., a social media account).
           [bis-17] takeover-account.  Control was taken of a given
           account.

      2.   takeover-service.  Control was taken of a given service.

      3.   takeover-system.  Control was taken of a given system.

      4.   cps-manipulation.  A cyber physical system was manipulated.

      5.   cps-damage.  A cyber physical system was damaged.

      6.   availability-data.  Access to particular data was degraded or

   [skipping to change at page 46, line 14 (bis-16) / page 44, line 16
   (bis-17)]

      17.  integrity-configuration.  Application or system configuration
           was modified.

      18.  integrity-hardware.  Firmware of a hardware component was
           modified.

      19.  traffic-redirection.  Network traffic on the system was
           redirected.

      20.  monitoring-traffic.  Network traffic emerging from a host
           {bis-17 adds: or enclave} was monitored.

      21.  monitoring-host.  System activity (e.g., running processes,
           keystrokes) was monitored.

      22.  policy.  Activity violated the system owner's acceptable use
           policy.

      23.  unknown.  The impact is unknown.

      24.  ext-value.  A value used to indicate that this attribute is
   [skipping to change at page 47, line 9 (bis-16) / page 45, line 11
   (bis-17)]

                     Figure 23: BusinessImpact Class

   The aggregate class of the BusinessImpact class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      impact to the organization.

   The attributes of the BusinessImpact class are:

   [bis-17 only:]

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   translation-id
      Optional.  STRING.  An identifier to relate other instances of
      this class as translations of this text.  See Section 6.

   [both versions:]

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-severity" IANA registry per {bis-16: Table 1 |
      bis-17: Section 10.2}.

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

   [skipping to change at page 47, line 51 (bis-16) / page 45, line 44
   (bis-17)]

          corresponding ext-* attribute.  See Section 5.1.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  The permitted values are shown below.  The default
      value is "unknown".  These values are maintained in the
      "BusinessImpact-type" IANA registry per {bis-16: Table 1 |
      bis-17: Section 10.2}.

      1.  breach-proprietary.  Sensitive or proprietary information was
          accessed or exfiltrated.

      2.  breach-privacy.  Personally identifiable information was
          accessed or exfiltrated.

      3.  breach-credential.  Credential information was accessed or
          exfiltrated.
   [skipping to change at page 49, line 19 (bis-16) / page 47, line 19
   (bis-17)]

      |                     |
      | ENUM severity       |
      | ENUM metric         |
      | STRING ext-metric   |
      | ENUM duration       |
      | STRING ext-duration |
      +---------------------+

                      Figure 24: TimeImpact Class

   [bis-16] The content of the class is a positive, floating point
   number of type REAL specifying a unit of time.  The duration and
   metric attributes will imply the semantics.

   [bis-17] The content of the class is of type REAL and specifies an
   amount of time.  The duration attribute provides units for this
   content, and the metric attribute explains what this content is
   measuring.

   The attributes of the TimeImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      [bis-16] Required.  ENUM.  Defines the metric in which the time is
      expressed.  The permitted values are shown below.  There is no
      default value.  These values are maintained in the "TimeImpact-
      metric" IANA registry per Table 1.
      [bis-17] Required.  ENUM.  Defines the meaning of the value in the
      element content.  These values are maintained in the "TimeImpact-
      metric" IANA registry per Section 10.2.

      1.  labor.  Total staff-time to recovery from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.1.

   duration
      [bis-16] Optional.  ENUM.  Defines a unit of time that, when
      combined with the metric attribute, fully describes a metric of
      impact that will be conveyed in the element content.  The
      permitted values are shown below.  The default value is "hour".
      These values are maintained in the "TimeImpact-duration" IANA
      registry per Table 1.
      [bis-17] Optional.  ENUM.  Defines the unit of time for the value
      in the element content.  The default value is "hour".  These
      values are maintained in the "TimeImpact-duration" IANA registry
      per Section 10.2.

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.
   [skipping to change at page 51, line 16 (bis-16) / page 49, line 16
   (bis-17)]

      | MonetaryImpact   |
      +------------------+
      | REAL             |
      |                  |
      | ENUM severity    |
      | STRING currency  |
      +------------------+

                    Figure 25: MonetaryImpact Class

   [bis-16] The content of the class is a positive, floating point
   number of type REAL specifying a unit of currency described in the
   currency attribute.

   [bis-17] The content of the class is of type REAL and specifies a
   quantity of money.  The currency attribute defines the currency of
   this value.

   The attributes of the MonetaryImpact class are:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Optional.  STRING.  Defines the currency in which the {bis-16:
      monetary impact | bis-17: value in the element content} is
      expressed.  The permitted values are defined in "Codes for the
      representation of currencies and funds" of [ISO4217].  There is
      no default value.
3.12.5.  Confidence Class

   [bis-16] The Confidence class represents a best estimate of the
   validity and accuracy of the described impact (see Section 3.12) of
   the incident activity.  This estimate can be expressed as a category
   or a numeric calculation.  This class is based upon [RFC4765].

   [bis-17] The Confidence class represents an estimate of the validity
   and accuracy of data expressed in the document.  This estimate can
   be expressed as a category or a numeric calculation.

   [bis-16]
      +------------------+
      | Confidence       |
      +------------------+
      | REAL             |
      |                  |
      | ENUM rating      |
      +------------------+

   [bis-17]
      +-------------------+
      | Confidence        |
      +-------------------+
      | REAL              |
      |                   |
      | ENUM rating       |
      | STRING ext-rating |
      +-------------------+

                      Figure 26: Confidence Class

   [bis-16] The content of the class is a numerical assessment in the
   confidence of the data of type REAL when the value of the rating
   attribute is "numeric".  Otherwise, this element MUST be empty.

   [bis-17] The content of the class is of type REAL and specifies a
   numerical assessment in the confidence of the data when the value of
   the rating attribute is "numeric".  Otherwise, this element MUST be
   empty.

   The {bis-16: attribute of the Confidence class is | bis-17:
   attributes of the Confidence class are}:

   rating
      [bis-16] Required.  ENUM.  A rating of the analytical validity of
      the specified Assessment.  The permitted values are shown below.
      There is no default value.
      [bis-17] Required.  ENUM.  A qualitative assessment of confidence.

      1.  low.  Low confidence {bis-16 adds: in the validity}.

      2.  medium.  Medium confidence {bis-16 adds: in the validity}.

      3.  high.  High confidence {bis-16 adds: in the validity}.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number are
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

      6.  [bis-17 only] ext-value.  A value used to indicate that this
          attribute is extended and the actual value is provided using
          the corresponding ext-* attribute.  See Section 5.1.1.

   ext-rating
      [bis-17 only] Optional.  STRING.  A means by which to extend the
      rating attribute.  See Section 5.1.1.
3.13.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

      +------------------------+

   [skipping to change at page 53, line 17 (bis-16) / page 51, line 17
   (bis-17)]

      +------------------------+
      | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
      | STRING ext-restriction |
      +------------------------+

                      Figure 27: The History Class

   The aggregate classes of the History class are:

   HistoryItem
      One or more.  {bis-16: Entry | bis-17: An entry} in the history
      log of significant events or actions performed by the involved
      parties.  See Section 3.13.1.

   The attributes of the History class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  {bis-16 adds: The default
      value is "default".}

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.
3.13.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.13) log
   that documents a particular action or event that occurred in the
   course of handling the incident.  The details of the entry are a
   free-form {bis-17 adds: text} description, but each can be
   categorized with the type attribute.

      +-------------------------+
      | HistoryItem             |
      +-------------------------+
      | ENUM action             |<>----------[ DateTime ]
      | STRING ext-action       |<>--{0..1}--[ IncidentID ]
      | ENUM restriction        |<>--{0..1}--[ Contact ]
      | STRING ext-restriction  |<>--{0..*}--[ Description ]
      | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
      |                         |<>--{0..*}--[ AdditionalData ]
      +-------------------------+

   (bis-16 spells the second aggregate "IncidentId" in this figure;
   bis-17 corrects it to "IncidentID".)

                      Figure 28: HistoryItem Class

   The aggregate classes of the HistoryItem class are:

   DateTime
      [bis-16] One.  DATETIME.  Timestamp of this entry in the history
      log (e.g., when the action described in the Description was
      taken).
      [bis-17] One.  DATETIME.  A timestamp of this entry in the history
      log.

   IncidentID
      Zero or One.  In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's {bis-16:
      incident tracking number | bis-17: tracking number}.  When a
      single organization is maintaining the log, this class can be
      ignored.  See Section 3.4.

   Contact
      Zero or One.  Provides contact information for the {bis-16:
      person | bis-17: entity} that performed the action documented in
      this class.  See Section 3.9.

   Description
      Zero or more.  ML_STRING.  A free-form {bis-16: textual | bis-17:
      text} description of the action or event.

   DefinedCOA
      [bis-16] Zero or more.  ML_STRING.  A unique identifier meaningful
      to the sender and recipient of this document that references a
      course of action.  This class MUST be present if the action
      attribute is set to "defined-coa".
      [bis-17] Zero or more.  STRING.  An identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is
      set to "defined-coa".

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The attributes of the HistoryItem class are:

   action
      [bis-16] Required.  ENUM.  Classifies a performed action or
      occurrence documented in this history log entry.  As activity
      will likely have been instigated either through a previously
      conveyed expectation or internal investigation, this attribute is
      identical to the action attribute of the Expectation class.  The
      difference is only one of tense.  When an action is in this
      class, it has been completed.  See Section 3.15.
      [bis-17] Required.  ENUM.  Classifies a performed action or
      occurrence documented in this history log entry.  As activity
      will likely have been instigated either through a previously
      conveyed expectation or internal investigation.  This attribute
      is identical to the action attribute of the Expectation class.
      The difference is only one of tense.  When an action is in this
      class, it has been completed.  See Section 3.15.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.14.  EventData Class

   [bis-16] The EventData class describes a particular event of the
   incident for a given set of hosts or networks.  This description
   includes the systems from which the activity originated and those
   targeted, an assessment of the techniques used by the intruder, the
   impact of the activity on the organization, and any forensic
   evidence discovered.

   [bis-17] The EventData class is a container class to organize data
   about events that occurred during an incident.

      +-------------------------+
      | EventData               |
      +-------------------------+
      | ENUM restriction        |<>--{0..*}--[ Description ]
      | STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
      | ID observable-id        |<>--{0..1}--[ StartTime ]
      |                         |<>--{0..1}--[ EndTime ]
      |                         |<>--{0..1}--[ RecoveryTime ]
      |                         |<>--{0..1}--[ ReportTime ]

   [skipping to change at page 55, line 43 (bis-16) / page 53, line 38
   (bis-17)]

      |                         |<>--{0..1}--[ Record ]
      |                         |<>--{0..*}--[ EventData ]
      |                         |<>--{0..*}--[ AdditionalData ]
      +-------------------------+

                     Figure 29: The EventData Class

   The aggregate classes of the EventData class are:

   Description
      Zero or more.  ML_STRING.  A free-form {bis-16: textual | bis-17:
      text} description of the event.

   DetectTime
      Zero or one.  DATETIME.  The time the event was detected.

   StartTime
      Zero or one.  DATETIME.  The time the event started.

   EndTime
      Zero or one.  DATETIME.  The time the event ended.

   [skipping to change at page 56, line 24 (bis-16) / page 54, line 17
   (bis-17)]

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.  See Section 3.9.

   Discovery
      Zero or more.  The means by which the event was detected.  See
      Section 3.10.

   Assessment
      Zero or one.  The impact of the event on the {bis-16: target |
      bis-17: victim} and the actions taken.  See Section 3.12.

   Method
      Zero or more.  The technique used by the {bis-16: intruder |
      bis-17: threat actor} in the event.  See Section 3.11.

   Flow
      Zero or more.  A description of the systems or networks involved.
      See Section 3.16.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.  See Section 3.15.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.  See Section 3.22.

   EventData
      [bis-16] Zero or more.  EventData instances contained within
      another EventData instance inherit the values of the parent(s);
      this recursive definition can be used to group common data
      pertaining to multiple events.  When EventData elements are
      defined recursively, only the leaf instances (those EventData
      instances not containing other EventData instances) represent
      actual events.  See Section 3.14.
      [bis-17] Zero or more.  A recursive definition of the EventData
      class.  See Section 3.14.2 for an explanation on using this
      class.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not
      explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.  {bis-16 adds: This is not enforced in the
   IODEF schema as there is no simple way to accomplish it.}

   The attributes of the EventData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.14.1. Relating the Incident and EventData Classes

There is substantial overlap in the child classes aggregated in the
Incident and EventData classes. Nevertheless, the semantics of these
classes are quite different. The Incident class provides summary
information about the entire incident, while the EventData class
provides information about the individual events comprising the
incident. In the common case, the EventData class will provide more
specific information for the general description provided in the
Incident class. However, where the summarized information in the
Incident class conflicts with the detailed information in an
EventData class, the more specific EventData class MUST supersede the
more generic information provided in the Incident class.
3.14.2. Recursive Definition of EventData

The EventData class is a container for the properties of an event in
an incident. These properties include: the hosts involved, impact of
the incident activity on the hosts, forensic logs, etc. The recursive
definition of EventData allows for the grouping of related
information with common properties. This approach eliminates the
need for explicit identifiers to relate information or duplicate it.
Instead, the relative depth (nesting) of a class is used to group
(relate) information.

For example, consider a case where two hosts experience different
impacts during an incident. However, these two hosts have common
contact information. A depiction of how this situation would be
represented can be found in Figure 30. EventData (2) and (3) group
each of the two hosts with their unique impact. EventData (1)
describes the common Contact class these two hosts share.

   +------------------+
   | EventData (1)    |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData (2) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData (3) ]<>----[ Flow ]
   |                  |      [               ]<>----[ Assessment ]
   +------------------+

           Figure 30: Recursion in the EventData Class
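The nesting in Figure 30 has a direct consequence for software that consumes an IODEF document: the consumer has to walk the tree, treat only the leaf EventData instances as events, and carry the Contact (or any other class) of the enclosing instances down to them. The Python below is an added example of that walk, written for this page and not taken from the draft or from any IODEF implementation. The namespace URI, the inner structure of Contact and Assessment, and all sample values are assumptions of the example. It also counts EventData instances that carry no aggregate class at all, a constraint the text states with MUST and that a consumer has to check for itself.

```python
"""Resolving recursively nested IODEF EventData (Section 3.14.2, Figure 30).

Added example: this is not code from the draft. Element names follow the
draft's class descriptions; the namespace URI, the inner structure of
Contact and Assessment, and all sample values are assumptions/constructed.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI
NSMAP = {"iodef": NS}

# Constructed sample mirroring Figure 30: EventData (1) carries the shared
# Contact; EventData (2) and (3) each carry their own Flow and Assessment.
# EventData (3) also adds a Contact of its own to show accumulation.
SAMPLE_XML = f"""
<EventData xmlns="{NS}">
  <Contact type="organization" role="creator">
    <ContactName>Constructed CSIRT contact</ContactName>
  </Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
    </Node></System></Flow>
    <Assessment><Impact severity="high"/></Assessment>
  </EventData>
  <EventData>
    <Contact type="person" role="admin">
      <ContactName>Constructed site admin</ContactName>
    </Contact>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address>
    </Node></System></Flow>
    <Assessment><Impact severity="low"/></Assessment>
  </EventData>
</EventData>
"""


def leaf_events(event_data, inherited=()):
    """Walk nested EventData and return one record per leaf instance.

    Only leaf instances (those with no nested EventData) represent actual
    events; each inherits the Contact elements of every enclosing
    EventData, outermost first, ahead of its own.
    """
    contacts = list(inherited) + event_data.findall("iodef:Contact", NSMAP)
    children = event_data.findall("iodef:EventData", NSMAP)
    if not children:
        return [{"element": event_data, "contacts": contacts}]
    leaves = []
    for child in children:
        leaves.extend(leaf_events(child, contacts))
    return leaves


def summarize_events(xml_text):
    """Flatten a (possibly nested) EventData into per-event summaries."""
    root = ET.fromstring(xml_text)
    rows = []
    for leaf in leaf_events(root):
        el = leaf["element"]
        target = el.findtext(
            "iodef:Flow/iodef:System/iodef:Node/iodef:Address", namespaces=NSMAP)
        impact = el.find("iodef:Assessment/iodef:Impact", NSMAP)
        rows.append({
            "target": target,
            "severity": impact.get("severity") if impact is not None else None,
            "contacts": [c.findtext("iodef:ContactName", namespaces=NSMAP)
                         for c in leaf["contacts"]],
        })
    return rows


def empty_event_data(xml_text):
    """Count EventData instances (at any depth) that have no child element.

    The draft requires at least one aggregate class per instance; a
    consumer should reject or flag instances that carry none.
    """
    root = ET.fromstring(xml_text)
    nodes = [root] + root.findall(".//iodef:EventData", NSMAP)
    return sum(1 for n in nodes if len(n) == 0)


if __name__ == "__main__":
    for row in summarize_events(SAMPLE_XML):
        print(row)
    print("empty EventData instances:", empty_event_data(SAMPLE_XML))
```

Run as a script it prints two rows, one per leaf event, each carrying the Contact from EventData (1); the second row also lists the Contact that its own EventData added. Because inheritance is resolved by position in the tree, the consumer never needs an identifier to relate a Contact to the hosts it applies to, which is exactly the point Section 3.14.2 makes.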
3.15. Expectation Class

The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting.

   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM action             |<>--{0..*}--[ Description ]
   | STRING ext-action       |<>--{0..*}--[ DefinedCOA ]
   | ENUM severity           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ Contact ]
   | ID observable-id        |
   +-------------------------+

               Figure 31: The Expectation Class

The aggregate classes of the Expectation class are:

Description
   Zero or more. ML_STRING. A free-form text description of the
   desired action(s).

DefinedCOA
   Zero or more. STRING. A unique identifier meaningful to the
   sender and recipient of this document that references a course of
   action. This class MUST be present if the action attribute is set
   to "defined-coa".

StartTime
   Zero or one. DATETIME. The time at which the sender would like
   the action performed. A timestamp that is earlier than the
   ReportTime specified in the Incident class denotes that the sender
   would like the action performed as soon as possible. The absence
   of this element indicates no expectations of when the recipient
   would like the action performed.

EndTime
   Zero or one. DATETIME. The time by which the sender expects the
   recipient to complete the action. If the recipient cannot
   complete the action before EndTime, the recipient MUST NOT carry
   out the action. Because of transit delays and clock drift the
   sender MUST be prepared for the recipient to have carried out the
   action, even if it completes past EndTime.

Contact
   Zero or one. The entity expected to perform the action. See
   Section 3.9.
The attributes of the Expectation class are:

action
   Optional. ENUM. Classifies the type of action requested. The
   default value is "other". These values are maintained in the
   "Expectation-action" IANA registry per Section 10.2.

   1. nothing. No action is requested. Do nothing with the
      information.

   2. contact-source-site. Contact the site(s) identified as the
      source of the activity.

   3. contact-target-site. Contact the site(s) identified as the
      target of the activity.
   9. rate-limit-host. Rate-limit the traffic from the machine(s)
      listed as sources in the event.

   10. rate-limit-network. Rate-limit the traffic from the
       network(s) listed as sources in the event.

   11. rate-limit-port. Rate-limit the port(s) listed as sources in
       the event.

   12. redirect-traffic. Redirect traffic from the intended
       recipient for further analysis.

   13. honeypot. Redirect traffic from systems listed in the event
       to a honeypot for further analysis.

   14. upgrade-software. Upgrade or patch the software or firmware
       on an asset listed in the event.

   15. rebuild-asset. Reinstall the operating system or
       applications on an asset listed in the event.

   16. harden-asset. Change the configuration of an asset listed in
       the event to reduce the attack surface.

   17. remediate-other. Remediate the activity in a way other than
       by rate limiting or blocking.

   18. status-triage. Confirm receipt and begin triaging the
       incident.

   19. status-new-info. Notify the sender when new information is
       received for this incident.

   20. watch-and-report. Watch for the described activity or
       indicators, and notify the sender when seen.

   21. training. Train users to identify or mitigate the described
       threat.

   22. defined-coa. Perform a predefined course of action (COA).
       The COA is named in the DefinedCOA class.

   23. other. Perform a custom action described in the Description
       class.

   24. ext-value. A value used to indicate that this attribute is
       extended and the actual value is provided using the
       corresponding ext-* attribute. See Section 5.1.1.

ext-action
   Optional. STRING. A means by which to extend the action
   attribute. See Section 5.1.1.

severity
ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
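Taken together, the rules of this section amount to a small decision procedure for the recipient: DefinedCOA is mandatory when action is "defined-coa"; a StartTime earlier than the Incident's ReportTime means "as soon as possible"; an absent StartTime means no timing expectation; and an action the recipient cannot complete before EndTime MUST NOT be carried out. The Python below is an added example of that procedure, not code from the draft or from any IODEF implementation. The namespace URI, the decision labels (act-now, act-at, no-timing, do-not-act, invalid) and the constructed sample timestamps are this example's own assumptions.

```python
"""Triaging IODEF Expectation elements on the recipient side (Section 3.15).

Added example, not code from the draft. Element and attribute names and
the timing rules come from the Expectation class text; the namespace URI,
the sample timestamps and the decision labels are this example's own.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI
NSMAP = {"iodef": NS}


def parse_dt(text):
    """Parse an IODEF DATETIME (xs:dateTime); a trailing 'Z' means UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def triage_expectation(exp, report_time, now, needed):
    """Apply the Section 3.15 rules to one Expectation element.

    report_time: the Incident's ReportTime; now: the recipient's clock;
    needed: timedelta the recipient needs to complete the action.
    """
    action = exp.get("action", "other")  # default value per the draft
    decision = {"action": action}
    # DefinedCOA MUST be present when action is "defined-coa".
    if action == "defined-coa" and exp.find("iodef:DefinedCOA", NSMAP) is None:
        decision.update(decision="invalid", reason="defined-coa without DefinedCOA")
        return decision
    end = exp.findtext("iodef:EndTime", namespaces=NSMAP)
    if end is not None and now + needed > parse_dt(end):
        # The recipient MUST NOT carry out an action it cannot finish before EndTime.
        decision.update(decision="do-not-act", reason="cannot complete before EndTime")
        return decision
    start = exp.findtext("iodef:StartTime", namespaces=NSMAP)
    if start is None:
        # Absent StartTime: the sender expresses no expectation on timing.
        decision.update(decision="no-timing", reason="StartTime absent")
    elif parse_dt(start) < report_time:
        # StartTime earlier than ReportTime means "as soon as possible".
        decision.update(decision="act-now", reason="StartTime precedes ReportTime")
    else:
        decision.update(decision="act-at", when=parse_dt(start).isoformat())
    return decision


def triage_all(xml_text, report_time_iso, now_iso, needed_seconds):
    """Triage every Expectation directly under an EventData element."""
    root = ET.fromstring(xml_text)
    report_time = parse_dt(report_time_iso)
    now = parse_dt(now_iso)
    needed = timedelta(seconds=needed_seconds)
    return [triage_expectation(e, report_time, now, needed)
            for e in root.findall("iodef:Expectation", NSMAP)]


# Constructed sample: five requests, one per rule above.
SAMPLE_XML = f"""
<EventData xmlns="{NS}">
  <Expectation action="rate-limit-host">
    <Description>Constructed: rate-limit the listed source as soon as possible</Description>
    <StartTime>2016-03-21T09:00:00Z</StartTime>
    <EndTime>2016-03-22T00:00:00Z</EndTime>
  </Expectation>
  <Expectation action="watch-and-report">
    <StartTime>2016-03-22T08:00:00Z</StartTime>
  </Expectation>
  <Expectation action="honeypot">
    <EndTime>2016-03-21T11:00:00Z</EndTime>
  </Expectation>
  <Expectation action="defined-coa">
    <Description>Constructed: the mandatory DefinedCOA is missing</Description>
  </Expectation>
  <Expectation action="status-triage"/>
</EventData>
"""

if __name__ == "__main__":
    # ReportTime 10:00Z, recipient clock 12:00Z, one hour needed per action
    for d in triage_all(SAMPLE_XML, "2016-03-21T10:00:00Z", "2016-03-21T12:00:00Z", 3600):
        print(d)
```

With a ReportTime of 10:00Z, a recipient clock of 12:00Z and one hour needed per action, the five constructed requests resolve to act-now, act-at, do-not-act, invalid and no-timing respectively. The EndTime check runs before the StartTime check on purpose: an expired request is never acted on, whatever its StartTime says, and the sender is told by the draft to expect completions past EndTime only because of transit delay and clock drift, not because the recipient chose to ignore the deadline.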
3.16. Flow Class

The Flow class describes the systems and networks involved in the
incident, and the relationships between them.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

               Figure 32: The Flow Class

The aggregate class of the Flow class is:

System
   One or more. A host or network involved in an event. See
   Section 3.17.

The Flow class has no attributes.
3.17. System Class

The System class describes a system or network involved in an event.

   +------------------------+
   | System                 |
   +------------------------+
   | ENUM category          |<>----------[ Node ]
   | STRING ext-category    |<>--{0..*}--[ NodeRole ]
   | STRING interface       |<>--{0..*}--[ Service ]
   | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
   | ENUM virtual           |<>--{0..*}--[ Counter ]
   | ENUM ownership         |<>--{0..*}--[ AssetID ]
AdditionalData
   Zero or more. EXTENSION. A mechanism by which to extend the data
   model.

The attributes of the System class are:

category
   Optional. ENUM. Classifies the role the host or network played
   in the incident. These values are maintained in the
   "System-category" IANA registry per Section 10.2.

   1. source. The System was the source of the event.

   2. target. The System was the target of the event.

   3. intermediate. The System was an intermediary in the event.

   4. sensor. The System was a sensor monitoring the event.

   5. infrastructure. The System was an infrastructure node of
spoofed
   Optional. ENUM. An indication of confidence in whether this
   System was the true target or attacking host. The permitted
   values for this attribute are shown below. The default value is
   "unknown".

   1. unknown. The accuracy of the category attribute value is
      unknown.

   2. yes. The category attribute value is likely incorrect. In
      the case of a source, the System is likely a decoy; with a
      target, the System was likely not the intended victim.

   3. no. The category attribute value is believed to be correct.

virtual
   Optional. ENUM. Indicates whether this System is a virtual or
   physical device. The default value is "unknown".

   1. yes. The System is a virtual device.

   2. no. The System is a physical device.

   3. unknown. It is not known if the System is virtual.

ownership
   Optional. ENUM. Describes the ownership of this System relative
   to the victim in the incident. These values are maintained in the
   "System-ownership" IANA registry per Section 10.2.

   1. organization. Corporate or enterprise-owned.

   2. personal. Personally owned by an employee or affiliate of the
      corporation or enterprise.

   3. partner. Owned by a partner of the corporation or enterprise.

   4. customer. Owned by a customer of the corporation or
      enterprise.

   5. no-relationship. Owned by an entity that has no known
      relationship with the victim organization.

   6. unknown. Ownership is unknown.

   7. ext-value. A value used to indicate that this attribute is
      extended and the actual value is provided using the
      corresponding ext-* attribute. See Section 5.1.1.

ext-ownership
   Optional. STRING. A means by which to extend the ownership
   attribute. See Section 5.1.1.

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.
3.18. Node Class

The Node class identifies a system, asset or network, and its
location.

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

               Figure 34: The Node Class

The aggregate classes of the Node class are:

DomainData
   Zero or more. The domain (DNS) information associated with this
   Node. If an Address is not provided, at least one DomainData MUST
   be specified. See Section 3.19.

Address
   Zero or more. The hardware, network, or application address of
   the Node. If a DomainData is not provided, at least one Address
   MUST be specified. See Section 3.18.1.

PostalAddress
   Zero or one. POSTAL. The postal address of the node.

Location
   Zero or more. ML_STRING. A free-form text description of the
   physical location of the Node. This description may provide a
   more detailed description of where in the PostalAddress this Node
   is found (e.g., room number, rack number, slot number in a
   chassis).

Counter
   Zero or more. A counter with which to summarize properties of
   this host or network. See Section 3.18.3.

The Node class has no attributes.
3.18.1. Address Class

The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address.

   +-------------------------+
   | Address                 |
   +-------------------------+
   | STRING                  |
   |                         |
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

               Figure 35: The Address Class

The content of the class is an address of type STRING whose semantics
are determined by the category attribute.

The attributes of the Address class are:

category
   Required. ENUM. The type of address represented. The default
   value is "ipv6-addr". These values are maintained in the
   "Address-category" IANA registry per Section 10.2.

   1. asn. Autonomous System Number.

   2. atm. Asynchronous Transfer Mode (ATM) address.

   3. e-mail. Email address (RFC 822).

   4. ipv4-addr. IPv4 host address in dotted-decimal notation
      (a.b.c.d).

   5. ipv4-net. IPv4 network address in dotted-decimal notation,
      slash, significant bits (i.e., a.b.c.d/nn).

   6. ipv4-net-mask. IPv4 network address in dotted-decimal
      notation, slash, network mask in dotted-decimal notation
      (i.e., a.b.c.d/w.x.y.z).

   7. ipv6-addr. IPv6 host address.

   8. ipv6-net. IPv6 network address, slash, significant bits.

   9. ipv6-net-mask. IPv6 network address, slash, network mask.

   10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f).

   11. site-uri. A URL or URI for a resource.

   12. ext-value. A value used to indicate that this attribute is
       extended and the actual value is provided using the
       corresponding ext-* attribute. See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category
   attribute. See Section 5.1.1.
vlan-num
   Optional. STRING. The number of the Virtual LAN to which the
   address belongs.

observable-id
   Optional. ID. See Section 3.3.2.
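An Address value is only meaningful together with its category, and a Node is only usable when it carries at least one Address or one DomainData, so a consumer of the Flow class (Sections 3.16 to 3.18.1) should check both before acting on a System. The Python below is an added example of such checks over a constructed Flow, not code from the draft or from any IODEF implementation. The namespace URI, the DomainData/Name child and the sample values are assumptions; categories without a fixed syntax (atm, site-uri, ipv6-net-mask, ext-value) are accepted unchecked, and the e-mail check is a deliberately shallow heuristic rather than an RFC 822 parser.

```python
"""Checking IODEF Flow/System/Node/Address content (Sections 3.16 to 3.18.1).

Added example, not code from the draft. Address category names and the
Node rule (at least one Address or DomainData) come from the text; the
namespace URI, the DomainData/Name child and the sample Flow are
assumptions/constructed. Syntax checks cover the categories with a fixed
form; atm, site-uri, ipv6-net-mask and ext-value are accepted unchecked.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace URI
NSMAP = {"iodef": NS}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}$")  # a:b:c:d:e:f


def address_is_valid(category, value):
    """True if `value` has the syntax the Address category prescribes."""
    value = value.strip()
    try:
        if category == "ipv4-addr":
            ipaddress.IPv4Address(value)
        elif category == "ipv6-addr":
            ipaddress.IPv6Address(value)
        elif category in ("ipv4-net", "ipv6-net"):
            # a.b.c.d/nn form: the suffix must be a prefix length, and
            # strict=True rejects a prefix that still has host bits set.
            _, sep, bits = value.partition("/")
            if not (sep and bits.isdigit()):
                return False
            cls = ipaddress.IPv4Network if category == "ipv4-net" else ipaddress.IPv6Network
            cls(value, strict=True)
        elif category == "ipv4-net-mask":
            # a.b.c.d/w.x.y.z form: the mask itself must be dotted-decimal.
            _, sep, mask = value.partition("/")
            if not sep:
                return False
            ipaddress.IPv4Address(mask)
            ipaddress.IPv4Network(value, strict=True)
        elif category == "mac":
            return MAC_RE.match(value) is not None
        elif category == "asn":
            return value.isdigit() and int(value) <= 0xFFFFFFFF  # 32-bit ASN
        elif category == "e-mail":
            local, sep, domain = value.partition("@")  # shallow heuristic only
            return bool(sep and local and domain and "@" not in domain)
        return True
    except ValueError:  # ipaddress raises ValueError subclasses on bad input
        return False


def validate_flow(xml_text):
    """Walk every System in a Flow and report Node/Address problems."""
    problems = []
    root = ET.fromstring(xml_text)
    for i, system in enumerate(root.findall("iodef:System", NSMAP), start=1):
        where = f"System {i} ({system.get('category', 'unset')})"
        node = system.find("iodef:Node", NSMAP)
        if node is None:
            problems.append({"system": i, "problem": f"{where}: no Node"})
            continue
        addresses = node.findall("iodef:Address", NSMAP)
        if not addresses and node.find("iodef:DomainData", NSMAP) is None:
            problems.append({"system": i,
                             "problem": f"{where}: Node has neither Address nor DomainData"})
        for addr in addresses:
            category = addr.get("category", "ipv6-addr")  # default per Section 3.18.1
            text = (addr.text or "").strip()
            if not address_is_valid(category, text):
                problems.append({"system": i,
                                 "problem": f"{where}: {category} value {text!r} is malformed"})
    return problems


# Constructed sample Flow: System 2 carries an ipv4-net with host bits set,
# System 4 has a Node with neither Address nor DomainData.
SAMPLE_FLOW = f"""
<Flow xmlns="{NS}">
  <System category="source">
    <Node>
      <Address category="ipv4-addr">192.0.2.44</Address>
      <Address category="mac">00:11:22:33:44:55</Address>
    </Node>
  </System>
  <System category="target">
    <Node>
      <Address category="ipv4-net">192.0.2.10/24</Address>
    </Node>
  </System>
  <System category="target">
    <Node>
      <Address>2001:db8::1</Address>
      <DomainData><Name>www.example.com</Name></DomainData>
    </Node>
  </System>
  <System category="sensor">
    <Node/>
  </System>
</Flow>
"""

if __name__ == "__main__":
    for p in validate_flow(SAMPLE_FLOW):
        print(p["problem"])
```

Run against the constructed Flow, the checker flags System 2 (an ipv4-net whose prefix still has host bits set) and System 4 (a Node with neither Address nor DomainData); System 3 passes because an Address with no category is read as "ipv6-addr", the default the text gives. Treating a category-specific syntax failure as a problem rather than silently coercing the value matters in practice, because a block or rate-limit action keyed on a malformed prefix would apply to the wrong hosts.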
3.18.2. NodeRole Class

The NodeRole class describes the function performed by or role of a
particular system, asset or network.

   +-----------------------+
   | NodeRole              |
   +-----------------------+
   | ENUM category         |<>--{0..*}--[ Description ]
   | STRING ext-category   |
   +-----------------------+

              Figure 36: The NodeRole Class

The aggregate class of the NodeRole class is:

Description
   Zero or more. ML_STRING. A free-form text description of the
   role of the system.

The attributes of the NodeRole class are:

category
   Required. ENUM. Function or role of a node. These values are
   maintained in the "NodeRole-category" IANA registry per
   Section 10.2.
   1. client. Client computer.

   2. client-enterprise. Client computer on the enterprise
      network.

   3. client-partner. Client computer on network of a partner.

   4. client-remote. Client computer remotely connected to the
      enterprise network.

   5. client-kiosk. Client computer serving as a kiosk.

   6. client-mobile. Mobile device.

   7. server-internal. Server with internal services.

   8. server-public. Server with public services.

   9. www. WWW server.

   10. mail. Mail server.

   11. webmail. Web mail server.

   12. messaging. Messaging server (e.g., NNTP, IRC, IM).

   13. streaming. Streaming-media server.

   14. voice. Voice server (e.g., SIP, H.323).

   15. file. File server.

   16. ftp. FTP server.

   17. p2p. Peer-to-peer node.

   18. name. Name server (e.g., DNS, WINS).

   19. directory. Directory server (e.g., LDAP, finger, whois).

   20. credential. Credential server (e.g., domain controller,
       Kerberos).

   21. print. Print server.

   22. application. Application server.

   23. database. Database server.

   24. backup. Backup server.

   25. dhcp. DHCP server.

   26. assessment. Assessment server (e.g., vulnerability scanner,
       end-point assessment).

   27. source-control. Source code control server.

   28. config-management. Configuration management server.

   29. monitoring. Security monitoring server (e.g., IDS).

   30. infra. Infrastructure server (e.g., router, firewall, DHCP).

   31. infra-firewall. Firewall.

   32. infra-router. Router.

   33. infra-switch. Switch.

   34. camera. Camera and video system.

   35. proxy. Proxy server.

   36. remote-access. Remote access server.

   37. log. Log server (e.g., syslog).

   38. virtualization. Server running virtual machines.

   39. pos. Point-of-sale device.

   40. scada. Supervisory control and data acquisition (SCADA)
       system.

   41. scada-supervisory. Supervisory system for a SCADA.

   42. sinkhole. Traffic sinkhole destination.

   43. honeypot. Honeypot server.

   44. anonymization. Anonymization server (e.g., Tor node).

   45. c2-server. Malicious command and control server.

   46. malware-distribution. Server that distributes malware.

   47. drop-server. Server to which exfiltrated content is
       uploaded.

   48. hop-point. Intermediary server used to get to a victim.

   49. reflector. A system used in a reflector attack.

   50. phishing-site. Site hosting phishing content.

   51. spear-phishing-site. Site hosting spear-phishing content.

   52. recruiting-site. Site to recruit.

   53. fraudulent-site. Fraudulent site.

   54. ext-value. A value used to indicate that this attribute is
       extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.18.3.  Counter Class

   [-16] The Counter class summarizes multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).  The value of the counter is the element content with its units represented in the type attribute.  A rate for a given feature can be expressed by setting the duration attribute.  The complete semantics are entirely context dependent based on the class in which the Counter is aggregated.
   [-17] The Counter class summarizes multiple occurrences of an event or conveys counts or rates of various features.  The complete semantics of this class are context dependent based on the class in which it is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | ENUM unit           |
   | STRING ext-unit     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                    Figure 37: The Counter Class

   [-16] The content of the class is a counter value of type REAL.
   [-17] The content of the class is a value of type REAL whose meaning and units are determined by the type and duration attributes, respectively.  If the duration attribute is present, the element content is a rate.  Otherwise, it is a simple counter.

   The attributes of the Counter class are:

   type
      Required.  ENUM.  Specifies the type of counter specified in the element content.  These values are maintained in the "Counter-type" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  count.  The Counter class value is a counter.
      2.  peak.  The Counter class value is a peak value.
      3.  average.  The Counter class value is an average.
      4.  ext-value.  A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.  See Section 5.1.1.

   unit
      Required.  ENUM.  Specifies the units of the element content.  These values are maintained in the "Counter-unit" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  byte.  Bytes transferred.
      2.  mbit.  Megabits (Mbits) transferred.
      3.  packet.  Packets.
      4.  flow.  Network flow records.
      5.  session.  Sessions.

   [skipping to change at -16 page 73, line 4 / -17 page 70, line 35]

      12. ext-value.  A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute.  See Section 5.1.1.

   ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.  See Section 5.1.1.

   meaning
      Optional.  STRING.
      [-16] A free-form description of the metric represented by the Counter.
      [-17] A free-form text description of the metric represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate.  This attribute specifies the unit of time over which the rate whose units are specified in the unit attribute is being conveyed.  This attribute is the denominator of the rate (where the unit attribute specifies the numerator).
      [-16] The possible values of this attribute are defined in Section 3.12.3.
      [-17] The possible values of this attribute are defined in the duration attribute of Section 3.12.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration attribute.  See Section 5.1.1.
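As an added illustration (not code from the draft or any IODEF implementation), the following Python reads a Counter element and applies the rules above: type and unit are required, the ext-value/ext-* pairing of Section 5.1.1 is enforced, and a duration attribute turns the value into a rate. The namespace URI, the helper names and the duration value set (which Section 3.12.3 defines but this page does not reproduce) are assumptions.

```python
"""Interpret an IODEF v2 Counter element (added example, not from the draft)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Set

# The IODEF v2 namespace URI is assumed here; the page does not state it.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Enumerations as listed on the page.  Counter-unit values 6-11 are elided
# there, so only the visible ones are accepted.
COUNTER_TYPES: Set[str] = {"count", "peak", "average", "ext-value"}
COUNTER_UNITS: Set[str] = {"byte", "mbit", "packet", "flow", "session", "ext-value"}
# duration takes its values from Section 3.12.3, which is not on this page;
# this set is an assumption.
DURATIONS: Set[str] = {"second", "minute", "hour", "day", "month", "quarter",
                       "year", "ext-value"}


@dataclass
class Counter:
    value: float
    type: str
    unit: str
    duration: Optional[str]
    meaning: Optional[str]

    @property
    def is_rate(self) -> bool:
        # Per the page: a duration attribute turns the counter into a rate.
        return self.duration is not None

    def describe(self) -> str:
        """Render as '<value> <unit>[/<duration>] (<type>)'."""
        text = f"{self.value:g} {self.unit}"
        if self.is_rate:
            text += f"/{self.duration}"
        return f"{text} ({self.type})"


def _enum_attr(elem: ET.Element, name: str, allowed: Set[str],
               required: bool) -> Optional[str]:
    """Resolve an ENUM attribute, applying the ext-value / ext-<name> rule of
    Section 5.1.1: ext-<name> carries the value only when <name>="ext-value"."""
    raw = elem.get(name)
    ext = elem.get(f"ext-{name}")
    if raw is None:
        if required:
            raise ValueError(f"Counter: required attribute '{name}' is missing")
        return None
    if raw not in allowed:
        raise ValueError(f"Counter: '{name}' has unknown value {raw!r}")
    if raw == "ext-value":
        if not ext:
            raise ValueError(f"Counter: {name}='ext-value' requires ext-{name}")
        return ext
    if ext is not None:
        raise ValueError(f"Counter: ext-{name} present but {name} is not 'ext-value'")
    return raw


def parse_counter(xml_text: str) -> Counter:
    """Parse a Counter element; the element content is REAL."""
    elem = ET.fromstring(xml_text)
    if elem.tag not in ("Counter", f"{{{NS}}}Counter"):
        raise ValueError(f"expected a Counter element, got {elem.tag!r}")
    try:
        value = float((elem.text or "").strip())
    except ValueError:
        raise ValueError("Counter content must be a REAL number") from None
    return Counter(
        value=value,
        type=_enum_attr(elem, "type", COUNTER_TYPES, required=True),
        unit=_enum_attr(elem, "unit", COUNTER_UNITS, required=True),
        duration=_enum_attr(elem, "duration", DURATIONS, required=False),
        meaning=elem.get("meaning"),
    )


if __name__ == "__main__":
    # Constructed samples: a rate and a plain count.
    print(parse_counter(
        '<Counter type="average" unit="packet" duration="second">1250.5</Counter>'
    ).describe())
    print(parse_counter(
        '<Counter type="count" unit="session" meaning="failed logins">42</Counter>'
    ).describe())
```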
3.19.  DomainData Class

   The DomainData class describes a domain name and meta-data associated with this domain.

   [skipping to change at -16 page 73, line 41 / -17 page 71, line 27]

   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   +--------------------------+

                   Figure 38: The DomainData Class

   The aggregate classes of the DomainData class are:

   Name
      One.  STRING.
      [-16] The domain name of the Node (e.g., fully qualified domain name).
      [-17] The domain name of a system.

   DateDomainWasChecked
      Zero or one.  DATETIME.
      [-16] A timestamp of when the Name was resolved.
      [-17] A timestamp of when the domain listed in the Name class was resolved.

   RegistrationDate
      Zero or one.  DATETIME.
      [-16] A timestamp of when the domain listed in Name was registered.
      [-17] A timestamp of when the domain listed in the Name class was registered.

   ExpirationDate
      Zero or one.  DATETIME.
      [-16] A timestamp of when the domain listed in Name is set to expire.
      [-17] A timestamp of when the domain listed in the Name class is set to expire.

   RelatedDNS
      Zero or more.  EXTENSION.  Additional DNS records associated with this domain.

   Nameservers
      Zero or more.
      [-16] The name servers identified for the domain listed in Name.  See Section 3.19.1.
      [-17] The name servers identified for the domain listed in the Name class.  See Section 3.19.1.

   DomainContacts
      Zero or one.
      [-16] Contact information for the domain listed in Name supplied by the registrar or through a whois query.
      [-17] Contact information for the domain listed in the Name class supplied by the registrar or through a whois query.

   The attributes of the DomainData class are:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.  These values are maintained in the "DomainData-system-status" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  spoofed.  This domain was spoofed.
      2.  fraudulent.  This domain was operated with fraudulent intentions.
      3.  innocent-hacked.  This domain was compromised by a third party.
      4.  innocent-hijacked.  This domain was deliberately hijacked.

   [skipping to change at -16 page 75, line 4 / -17 page 72, line 36]

          ... corresponding ext-* attribute.  See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at the time the document was generated.  These values and their associated descriptions are derived from Section 3.2.2 of [RFC3982].  These values are maintained in the "DomainData-domain-status" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  reservedDelegation.  The domain is permanently inactive.
      2.  assignedAndActive.  The domain is in a normal state.
      3.  assignedAndInactive.  The domain has an assigned registration but the delegation is inactive.
      4.  assignedAndOnHold.
          [-16] The domain is under dispute.
          [-17] The domain is in dispute.
      5.  revoked.  The domain is in the process of being purged from the database.
      6.  transferPending.  The domain is pending a change in authority.
      7.  registryLock.  The domain is on hold by the registry.
      8.  registrarLock.  Same as "registryLock".

   [skipping to change at -16 page 77, line 15 / -17 page 74, line 42]

      ... instead of an explicit definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See Section 3.9.

   The DomainContacts class has no attributes.
3.20.  Service Class

   [-16] The Service class describes a network service of a host or network.  The service is identified by a specific port or list of ports, along with the application listening on that port.
   [-17] The Service class describes a network service.  The service is described by protocol, port, protocol header field and application providing or using the service.

   When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating.  Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

   This class was derived from [RFC4765].

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName ]
   | ID observable-id        |<>--{0..1}--[ Port ]
   |                         |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..1}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                     Figure 41: The Service Class

   The aggregate classes of the Service class are:

   ServiceName
      Zero or one.
      [-16] Identifies the observed service.
      [-17] A protocol name.

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.
      [-16] A list of port numbers formatted according to Section 2.10.
      [-17] A list of port numbers.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or one.  A protocol header.  See Section 3.20.2.

   EmailData
      Zero or one.
      [-16] Headers associated with an email.  See Section 3.21.
      [-17] Headers associated with an email message.  See Section 3.21.

   Application
      Zero or one.  SOFTWARE.
      [-16] The application bound to the specified Port or Portlist.
      [-17] The application acting as either the client or server for the service.

   Either a Port or Portlist class MUST be specified for a given instance of a Service class.

   When a given System class with category="source" and another with category="target" are aggregated into a single Flow class, and each of these System classes has a Service and Portlist class, an implicit relationship between these Portlists exists.  If N ports are listed for a System@category="source", and M ports are listed for System@category="target", the number of ports in N must be equal to

   [skipping to change at -16 page 79, line 7 / -17 page 76, line 33]

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.
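The Port/Portlist and source/target constraints above, worked through in added Python that is not code from the draft or from any IODEF implementation. The PORTLIST syntax of Section 2.10 (not reproduced on this page) is assumed to be comma-separated port numbers and inclusive N-M ranges, the sample Flow is constructed, namespaces are ignored, and pairing the expanded lists in order is our reading of the truncated sentence above, not something the page states.

```python
"""Port constraints of the IODEF v2 Service class (added example, not from the draft)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# PORTLIST syntax (Section 2.10, not reproduced on this page) is assumed to be
# comma-separated port numbers and inclusive "N-M" ranges, e.g. "80,443,6667-6669".
_PORTLIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def expand_portlist(text: str) -> List[int]:
    """Expand a PORTLIST string into the individual ports it denotes, in order."""
    text = text.strip()
    if not _PORTLIST_RE.match(text):
        raise ValueError(f"malformed PORTLIST: {text!r}")
    ports: List[int] = []
    for item in text.split(","):
        low, _, high = item.partition("-")
        lo, hi = int(low), (int(high) if high else int(low))
        if hi < lo or hi > 65535:
            raise ValueError(f"invalid port range in PORTLIST: {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def service_ports(service: Optional[ET.Element]) -> List[int]:
    """Ports named by a Service.  Per the page, ip-protocol is required and
    exactly one of Port or Portlist MUST be present."""
    if service is None:
        raise ValueError("System carries no Service")
    if service.get("ip-protocol") is None:
        raise ValueError("Service: required attribute ip-protocol is missing")
    port, portlist = service.find("Port"), service.find("Portlist")
    if (port is None) == (portlist is None):
        raise ValueError("Service MUST have exactly one of Port or Portlist")
    if port is not None:
        return [int((port.text or "").strip())]
    return expand_portlist(portlist.text or "")


def paired_ports(flow_xml: str) -> List[Tuple[int, int]]:
    """For a Flow with a source and a target System, enforce the page's
    constraint that the source and target port lists have equal length.
    Pairing them in order is our reading of the (truncated) rule and is an
    assumption.  Namespaces are ignored."""
    flow = ET.fromstring(flow_xml)
    systems = {s.get("category"): s for s in flow.findall("System")}
    src, dst = systems.get("source"), systems.get("target")
    if src is None or dst is None:
        raise ValueError("Flow must contain a source and a target System")
    src_ports = service_ports(src.find("Service"))
    dst_ports = service_ports(dst.find("Service"))
    if len(src_ports) != len(dst_ports):
        raise ValueError(
            f"{len(src_ports)} source ports but {len(dst_ports)} target ports")
    return list(zip(src_ports, dst_ports))


# Constructed sample (documentation addresses, not real hosts).
SAMPLE_FLOW = """
<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>51000-51002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>
"""

# Same Flow with a single target port: violates the equal-length rule.
MISMATCHED_FLOW = SAMPLE_FLOW.replace("<Portlist>22,80,443</Portlist>", "<Port>22</Port>")

if __name__ == "__main__":
    print(paired_ports(SAMPLE_FLOW))  # [(51000, 22), (51001, 80), (51002, 443)]
```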
3.20.1.  ServiceName Class

   [-16] The ServiceName class names an application protocol.  It can be described by referencing an IANA registered protocol, a URL or with free-form text.
   [-17] The ServiceName class identifies an application protocol.  It can be described by referencing an IANA registered protocol, a URL or with free-form text.

   +--------------------+
   | ServiceName        |
   +--------------------+
   |                    |<>--{0..1}--[ IANAService ]
   |                    |<>--{0..*}--[ URL ]
   |                    |<>--{0..*}--[ Description ]
   +--------------------+

                   Figure 42: The ServiceName Class

   The aggregate classes of the ServiceName class are:

   IANAService
      Zero or one.  STRING.  The name of the service per the "Service Name" field of the [IANA.Ports] registry.

   URL
      Zero or more.  URL.
      [-16] A URL describing the service.
      [-17] A URL to a resource describing the service.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the service.

   At least one of these classes MUST be present.

   The ServiceName class has no attributes.
3.20.2.  ApplicationHeader Class

   [-16] The ApplicationHeader class allows the representation of arbitrary fields from a protocol header and its corresponding value.
   [-17] The ApplicationHeader class describes arbitrary fields from a protocol header and its corresponding value.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   |                          |<>--{1..*}--[ ApplicationHeaderField ]
   +--------------------------+

                Figure 43: The ApplicationHeader Class

   The aggregate class of the ApplicationHeader class is:

   ApplicationHeaderField
      One or more.  EXTENSION.
      [-16] A field name and value in the header.  The 'name' attribute of the ApplicationHeader MUST be set with the field name.
      [-17] A field name and value in a protocol header.  The 'name' attribute MUST be set to the field name.  The field value MUST be set in the element content.

   The ApplicationHeader class has no attributes.
3.21.  EmailData Class

   [-16] The EmailData class describes headers from an email message.  Common headers have dedicated classes, but arbitrary headers can also be described.
   [-17] The EmailData class describes headers from an email message and cryptographic hash and signatures applied to it.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..*}--[ EmailTo ]
   |                         |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   |                         |<>--{0..1}--[ EmailHeaders ]
   |                         |<>--{0..1}--[ EmailBody ]
   |                         |<>--{0..1}--[ EmailMessage ]
   |                         |<>--{0..*}--[ HashData ]
   |                         |<>--{0..*}--[ SignatureData ]
   +-------------------------+

                      Figure 44: EmailData Class

   ([-16] shows EmailTo as {0..1} and has no EmailHeaders, EmailBody or EmailMessage.)

   The aggregate classes of the EmailData class are:

   EmailTo
      [-16] Zero or one.  EMAIL.  The value of the "To:" header field (Section 3.6.3 of [RFC5322]) in an email.
      [-17] Zero or more.  EMAIL.  The value of the "To:" header field (Section 3.6.3 of [RFC5322]) in an email.

   EmailFrom
      Zero or one.  EMAIL.  The value of the "From:" header field (Section 3.6.2 of [RFC5322]) in an email.

   EmailSubject
      Zero or one.  STRING.  The value of the "Subject:" header field in an email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  STRING.  The value of the "X-Mailer:" header field in an email.

   EmailHeaderField
      [-16] Zero or one.  EXTENSION.  The value of an arbitrary header field in the email.  The attributes of EmailHeaderField MUST be set as follows: name MUST be the name of the SMTP header field; and dtype="string".
      [-17] Zero or more.  EXTENSION.  The header name and value of an arbitrary header field of the email message.  The 'name' attribute MUST be set to the header name.  The header value MUST be set in the element body.  The dtype attribute MUST be set to "string".

   EmailHeaders ([-17] only)
      Zero or one.  STRING.  The headers of an email message.

   EmailBody ([-17] only)
      Zero or one.  STRING.  The body of an email message.

   EmailMessage ([-17] only)
      Zero or one.  STRING.  The headers and body of an email message.

   HashData
      Zero or one.
      [-16] Hash(es) associated with this email.  See Section 3.26.
      [-17] Hash(es) associated with this email message.  See Section 3.26.

   SignatureData
      Zero or one.
      [-16] Signature(s) associated with this email.  See Section 3.27.
      [-17] Signature(s) associated with this email message.  See Section 3.27.

   The attribute of the EmailData class is:

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.22.  Record Class

   [-16] The Record class is a container class for log and audit data that provides supportive information about the incident.  The source of this data will often be the output of monitoring tools.  These logs substantiate the activity described in the document.
   [-17] The Record class is a container class for log and audit data that provides supportive information about the events in an incident.  The source of this data will often be the output of monitoring tools.  These logs substantiate the activity described in the document.

   +------------------------+
   | Record                 |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ RecordData ]
   | STRING ext-restriction |
   +------------------------+

                        Figure 45: Record Class

   The aggregate classes of the Record class are:

   RecordData
      One or more.
      [-16] Log or audit data generated by a particular type of sensor.  Separate instances of the RecordData class SHOULD be used for each sensor type.  See Section 3.22.1.
      [-17] Log or audit data generated by a particular tool.  Separate instances of the RecordData class SHOULD be used for each type of log.  See Section 3.22.1.

   The attributes of the Record class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction attribute.  See Section 5.1.1.
3.22.1.  RecordData Class

   [-16] The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.
   [-17] The RecordData class describes or references log or audit data from a given type of tool and provides a means to annotate the output.

   +------------------------+
   | RecordData             |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ DateTime ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   | ID observable-id       |<>--{0..1}--[ Application ]
   |                        |<>--{0..*}--[ RecordPattern ]
   |                        |<>--{0..*}--[ RecordItem ]
   |                        |<>--{0..*}--[ URL ]
   |                        |<>--{0..*}--[ FileData ]
   |                        |<>--{0..*}--
   |                        |   [ WindowsRegistryKeysModified ]
   |                        |<>--{0..*}--[ CertificateData ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                    Figure 46: The RecordData Class

   ([-16] has no URL aggregate and lists CertificateData before WindowsRegistryKeysModified.)

   The aggregate classes of the RecordData class are:

   DateTime
      Zero or one.  DATETIME.
      [-16] Timestamp of the RecordItem data.
      [-17] A timestamp of the data found in the RecordItem or URL classes.

   Description
      Zero or more.  ML_STRING.
      [-16] Free-form textual description of the provided RecordItem data.  At minimum, this description should convey the significance of the provided RecordItem data.
      [-17] A free-form text description of the data provided in the RecordItem or URL classes.

   Application
      Zero or one.  SOFTWARE.
      [-16] Information about the sensor used to generate the RecordItem data.
      [-17] Identifies the tool used to generate the data in the RecordItem or URL classes.

   RecordPattern
      Zero or more.
      [-16] A search string to precisely find the relevant data in a RecordItem.  See Section 3.22.2.
      [-17] A search string to precisely find the relevant data in the RecordItem or URL classes.  See Section 3.22.2.

   RecordItem
      Zero or more.  EXTENSION.  Log, audit, or forensic data to support the conclusions made during the course of analyzing the incident.

   URL ([-17] only)
      Zero or more.  URL.  A URL reference to log or audit data.

   FileData
      Zero or one.
      [-16] The file name and hash of a file indicator.  See Section 3.25.
      [-17] The files involved in the incident.  See Section 3.25.

   WindowsRegistryKeysModified
      Zero or more.
      [-16] The registry keys that were modified that are indicator(s).  See Section 3.23.
      [-17] The registry keys that were involved in the incident.  See Section 3.23.

   CertificateData
      Zero or more.  The certificates that were involved in the incident.  See Section 3.24.

   AdditionalData
      Zero or more.  EXTENSION.  An extension mechanism for data not explicitly represented in the data model.

   The attributes of the RecordData class are:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
3.22.2.  RecordPattern Class

   [-16] The RecordPattern class describes where in the content of the RecordItem relevant information can be found.  It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.
   [-17] The RecordPattern class describes where in the log data provided or referenced in the RecordData class relevant information can be found.  It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                  Figure 47: The RecordPattern Class

   [-16] The content of the class is the specific pattern to search within the RecordItem of type STRING.
   [-17] The content of the class is of type STRING and specifies a search pattern.

   The attributes of the RecordPattern class are:

   type
      Required.  ENUM.  Describes the type of pattern being specified in the element content.  The default is "regex".  These values are maintained in the "RecordPattern-type" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  regex.  Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data type.
      3.  xpath.  XML Path (XPath) [W3C.XPATH].
      4.  ext-value.  A value used to indicate that this attribute is

   [skipping to change at -16 page 84, line 32 / -17 page 83, line 6]

      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.  The default is "line".  These values are maintained in the "RecordPattern-offsetunit" IANA registry ([-16] per Table 1; [-17] per Section 10.2).

      1.  line.  Offset is a count of lines.
      2.  byte.  Offset is a count of bytes.
      3.  ext-value.  A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute.  See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified pattern.
3.23. WindowsRegistryKeysModified Class 3.23. WindowsRegistryKeysModified Class
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
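Review bot: the offset and instance attributes state no default and no behaviour when absent, whereas offsetunit is given a default of "line"; say whether a missing offset means 0 (match from the start of the RecordItem data) and whether a missing instance means the pattern is applied once, for example "Number of times to apply the specified pattern. The default is 1." The "types" to "times" correction in the instance description is right.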
skipping to change at page 85, line 31 skipping to change at page 84, line 7
Key Key
One or more. The Window registry key. See Section 3.23.1. One or more. The Window registry key. See Section 3.23.1.
The attribute of the WindowsRegistryKeysModified class is: The attribute of the WindowsRegistryKeysModified class is:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.23.1. Key Class 3.23.1. Key Class
The Key class describes a particular Windows operating system The Key class describes a Windows operating system registry key name
registry key name and value pair, and the operation performed on it. and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id | | ID observable-id |
+---------------------------+ +---------------------------+
Figure 49: The Key Class Figure 49: The Key Class
The aggregate classes of the Key class are: The aggregate classes of the Key class are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of a Windows operating system registry key
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the registry key identified in
encoded as in Microsoft .reg files [KB310516]. the KeyName class encoded per the .reg file format [KB310516].
The attributes of the Key class are: The attributes of the Key class are:
registryaction registryaction
Optional. ENUM. The type of action taken on the registry key. Optional. ENUM. The type of action taken on the registry key.
These values are maintained in the "Key-registryaction" IANA These values are maintained in the "Key-registryaction" IANA
registry per Table 1. registry per Section 10.2.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to a registry key.
3. delete-key. Registry key deleted. 3. delete-key. Registry key deleted.
4. delete-value. Value deleted from registry key. 4. delete-value. Value deleted from a registry key.
5. modify-key. Registry key modified. 5. modify-key. Registry key modified.
6. modify-value. Value modified for registry key. 6. modify-value. Value modified in a registry key.
7. ext-value. A value used to indicate that this attribute is 7. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-registryaction ext-registryaction
Optional. STRING. A means by which to extend the registryaction Optional. STRING. A means by which to extend the registryaction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
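Review bot: "One or more. The Window registry key." in the Key aggregate description is a typo preserved on both sides; it should read "The Windows registry key". In the KeyName description, "(e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])" lacks a space after "e.g.," and the sentence has no terminating period.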
skipping to change at page 86, line 52 skipping to change at page 85, line 29
| ENUM restriction |<>--{1..*}--[ Certificate ] | ENUM restriction |<>--{1..*}--[ Certificate ]
| STRING ext-restriction | | STRING ext-restriction |
| ID observable-id | | ID observable-id |
+------------------------+ +------------------------+
Figure 50: The CertificateData Class Figure 50: The CertificateData Class
The aggregate classes of the CertificateData class are: The aggregate classes of the CertificateData class are:
Certificate Certificate
One or more. A certificate. See Section 3.24.1. One or more. A description of an X.509 certificate or certificate
chain. See Section 3.24.1.
The attributes of the CertificateData class are: The attributes of the CertificateData class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
skipping to change at page 87, line 38 skipping to change at page 86, line 21
Figure 51: The Certificate Class Figure 51: The Certificate Class
The aggregate classes of the Certificate class are: The aggregate classes of the Certificate class are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
Description Description
Zero or more. ML_STRING. Free-form textual description Zero or more. ML_STRING. A free-form text description explaining
explaining the context of this certificate. the context of this certificate.
The attributes of the Certificate class are: The attributes of the Certificate class are:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25. FileData Class 3.25. FileData Class
The FileData class describes files of interest identified during the The FileData class describes a file or set of files.
analysis of an incident.
+------------------------+ +------------------------+
| FileData | | FileData |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ File ] | ENUM restriction |<>--{1..*}--[ File ]
| STRING ext-restriction | | STRING ext-restriction |
| ID observable-id | | ID observable-id |
+------------------------+ +------------------------+
Figure 52: The FileData Class Figure 52: The FileData Class
skipping to change at page 88, line 34 skipping to change at page 87, line 14
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25.1. File Class 3.25.1. File Class
The File class describes a file and its associated meta data. The File class describes a file; its associated meta data; and
cryptographic hashes and signatures applied to it.
+-----------------------+ +-----------------------+
| File | | File |
+-----------------------+ +-----------------------+
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ] | |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
skipping to change at page 89, line 29 skipping to change at page 88, line 9
HashData HashData
Zero or One. Hash(es) associated with this file. See Zero or One. Hash(es) associated with this file. See
Section 3.26. Section 3.26.
SignatureData SignatureData
Zero or One. Signature(s) associated with this file. See Zero or One. Signature(s) associated with this file. See
Section 3.27. Section 3.27.
AssociatedSoftware AssociatedSoftware
Zero or One. SOFTWARE. The software application or operating Zero or One. SOFTWARE. The software application or operating
system to which this file belongs. system to which this file belongs or by which it can be processed.
FileProperties FileProperties
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model to describe properties of the file. model to describe properties of the file.
The attributes of the File class are: The attributes of the File class are:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.26. HashData Class 3.26. HashData Class
The HashData class describes different types of hashes on an given The HashData class describes different types of hashes on an given
object (e.g., file, part of a file, email). object (e.g., file, part of a file, email).
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM scope |<>--{0..1}--[ HashTarget ] | ENUM scope |<>--{0..1}--[ HashTargetID ]
| |<>--{0..*}--[ Hash ] | |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ] | |<>--{0..*}--[ FuzzyHash ]
+--------------------------+ +--------------------------+
Figure 54: The HashData Class Figure 54: The HashData Class
The aggregate classes of the HashData class are: The aggregate classes of the HashData class are:
HashTarget HashTargetID
Zero or One. ML_STRING. An identifier that references a subset Zero or One. STRING. An identifier that references a subset of
of the object per the @scope attribute. the object being hashed. The semantics of this identifier are
specified by the scope attribute.
Hash Hash
Zero or more. The hash generated on the object. See Zero or more. The hash of an object. See Section 3.26.1.
Section 3.26.1.
FuzzyHash FuzzyHash
Zero or more. The fuzzy hash of the object. See Section 3.26.2. Zero or more. The fuzzy hash of an object. See Section 3.26.2.
A single instance of Hash or FuzzyHash MUST be present. A single instance of Hash or FuzzyHash MUST be present.
The attribute of the HashData class is: The attribute of the HashData class is:
scope scope
Required. ENUM. Describes the scope of the hash on a type of Required. ENUM. Describes on which part of the object the hash
object. These values are maintained in the "HashData-scope" IANA should be applied. These values are maintained in the "HashData-
registry per Table 1. scope" IANA registry per Section 10.2.
1. file-contents. A hash computed over the entire contents of a 1. file-contents. A hash computed over the entire contents of a
file. file.
2. file-pe-section. A hash computed on a given section of a 2. file-pe-section. A hash computed on a given section of a
Windows Portable Executable (PE) file. If set to this value, Windows Portable Executable (PE) file. If set to this value,
the HashTargetId class MUST identify the section being hashed. the HashTargetID class MUST identify the section being hashed.
This section is identified by an ordinal number (starting at A section is identified by an ordinal number (starting at 1)
1) corresponding to the the order in which the given section corresponding to the the order in which the given section
header was defined in the Section Table of the PE file header. header was defined in the Section Table of the PE file header.
3. file-pe-iat. A hash computed on the Import Address 3. file-pe-iat. A hash computed on the Import Address
Table (IAT) of a PE file. As IAT hashes are often tool Table (IAT) of a PE file. As IAT hashes are often tool
dependent, if this value is set, the HashTargetId class MUST dependent, if this value is set, the Application class of
specify the tool used to generate the hash. either the Hash or FuzzyHash classes MUST specify the tool
used to generate the hash.
4. file-pe-resource. A hash computed on a given resource in a PE 4. file-pe-resource. A hash computed on a given resource in a PE
file. If set to this value, the HashTargetId class MUST file. If set to this value, the HashTargetID class MUST
identify the resource being hashed. This resource is identify the resource being hashed. A resource is identified
identified by an ordinal number (starting at 1) corresponding by an ordinal number (starting at 1) corresponding to the
to the oder in which the given resource is declared in the order in which the given resource is declared in the Resource
Resource Directory of the Data Dictionary in the PE file Directory of the Data Dictionary in the PE file header.
header.
5. file-pdf-object. A hash computed on a given object in a 5. file-pdf-object. A hash computed on a given object in a
Portable Document Format (PDF) file. If set to this value, Portable Document Format (PDF) file. If set to this value,
the HashTargetId class MUST identify the object being hashed. the HashTargetID class MUST identify the object being hashed.
This object is identified by its offset in the PDF file. This object is identified by its offset in the PDF file.
6. email-hash. A hash computed over the headers and body of an 6. email-hash. A hash computed over the headers and body of an
email message. email message.
7. email-headers-hash. A hash computed over all of the headers 7. email-headers-hash. A hash computed over all of the headers
of an email message. of an email message.
8. email-body-hash. A hash computed over the body of an email 8. email-body-hash. A hash computed over the body of an email
message. message.
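Review bot: two typos survive on the draft-17 side of this region: "different types of hashes on an given object" in the HashData introduction should be "a given object", and "corresponding to the the order" under file-pe-section has a doubled "the". Also, the file-pe-iat requirement now points at the Application class of the Hash or FuzzyHash class, which is "Zero or One" in those classes; it would help implementers and schema authors to state explicitly that when scope is "file-pe-iat" the Application class becomes mandatory, since the conditional MUST is easy to miss.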
skipping to change at page 91, line 37 skipping to change at page 90, line 9
9. ext-value. A value used to indicate that this attribute is 9. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-scope ext-scope
Optional. STRING. A means by which to extend the scope Optional. STRING. A means by which to extend the scope
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.26.1. Hash Class 3.26.1. Hash Class
The Hash class describes a specific hash value, algorithm, and an The Hash class describes a cryptographic hash value; the algorithm
application used to generate it. and application used to generate it; and the canonicalization method
applied to the object being hashed.
+----------------+ +----------------+
| Hash | | Hash |
+----------------+ +----------------+
| |<>----------[ ds:DigestMethod ] | |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ] | |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CannonicalizationMethod ] | |<>--{0..1}--[ ds:CanonicalizationMethod ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+----------------+ +----------------+
Figure 55: The Hash Class Figure 55: The Hash Class
The aggregate classes of the Hash class are: The aggregate classes of the Hash class are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG]
ds:DigestValue ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG]. [W3C.XMLSIG].
ds:CannonicalizationMethod ds:CanonicalizationMethod
Zero or one. The canonicalization method used for the has. See Zero or one. The canonicalization method used on the object being
Section 4.3.1 of [W3C.XMLSIG]. hashed. See Section 4.3.1 of [W3C.XMLSIG].
Application Application
Zero or One. SOFTWARE. The application used to calculate the Zero or One. SOFTWARE. The application used to calculate the
hash. hash.
The HashData class has no attributes. The HashData class has no attributes.
3.26.2. FuzzyHash Class 3.26.2. FuzzyHash Class
The FuzzyHash class describes a fuzzy hash (in an extensible way) and The FuzzyHash class describes a fuzzy hash and the application used
the application used to generate it. to generate it.
+--------------------------+ +--------------------------+
| FuzzyHash | | FuzzyHash |
+--------------------------+ +--------------------------+
| |<>--{0..*}--[ AdditionalData ] | |<>--{1..*}--[ FuzzyHashValue ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 56: The FuzzyHash Class Figure 56: The FuzzyHash Class
The aggregate classes of the FuzzyHash class are: The aggregate classes of the FuzzyHash class are:
AdditionalData FuzzyHashValue
Zero or more. EXTENSION. Mechanism by which to extend the data One or more. EXTENSION. The computed fuzzy hash value.
model.
Application Application
Zero or One. SOFTWARE. The application used to calculate the Zero or One. SOFTWARE. The application used to calculate the
hash. hash.
AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data
model.
The FuzzyData class has no attributes. The FuzzyData class has no attributes.
3.27. SignatureData Class 3.27. SignatureData Class
The SignatureData class describes different signatures on an given The SignatureData class describes different types of digital
object. signatures on an object.
+--------------------------+ +--------------------------+
| SignatureData | | SignatureData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ds:Signature ] | |<>--{1..*}--[ ds:Signature ]
+--------------------------+ +--------------------------+
Figure 57: The SignatureData Class Figure 57: The SignatureData Class
The aggregate class of the SignatureData class is: The aggregate class of the SignatureData class is:
Signature Signature
One or more. An given signature. See Section 4.2 of [W3C.XMLSIG] One or more. An given signature. See Section 4.2 of [W3C.XMLSIG]
The SignatureData class has no attributes. The SignatureData class has no attributes.
3.28. IndicatorData Class 3.28. IndicatorData Class
The IndicatorData class describes the indicators identified from The IndicatorData class describes cyber indicators and meta-data
analysis of an incident. associated with them.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 58: The IndicatorData Class Figure 58: The IndicatorData Class
The aggregate class of the IndicatorData class is: The aggregate class of the IndicatorData class is:
Indicator Indicator
One or more. An indicator from the incident. See Section 3.29. One or more. A description of an indicator. See Section 3.29.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.29. Indicator Class 3.29. Indicator Class
The Indicator class describes a cyber indicator. An indicator The Indicator class describes a cyber indicator. An indicator
consists of observable features and phenomenon that aid in the consists of observable features and phenomenon that aid in the
forensic or proactive detection of malicious activity, and associated forensic or proactive detection of malicious activity; and associated
meta-data. This indicator can be described outright or reference meta-data. An indicator can be described outright; by referencing or
observable features and phenomenon described elsewhere in the composing previously defined indicators; or by referencing
incident information. Portions of an incident description can be observables described in the incident report found in this document.
composed to define an indicator, as can the indicators themselves.
+------------------------+ +------------------------+
| Indicator | | Indicator |
+------------------------+ +------------------------+
| ENUM restriction |<>----------[ IndicatorID ] | ENUM restriction |<>----------[ IndicatorID ]
| STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ] | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
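Review bot: the trailing "no attributes" sentences name the wrong classes: under 3.26.1 "The HashData class has no attributes." should read "The Hash class has no attributes." (HashData does have the scope attribute described just above), and under 3.26.2 "The FuzzyData class has no attributes." should read "The FuzzyHash class has no attributes." In 3.27, "An given signature" should be "A given signature", and the aggregate is listed as "Signature" in the text but drawn as "ds:Signature" in Figure 57; use the prefixed name in both places, as 3.26.1 does for ds:DigestMethod and ds:DigestValue.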
skipping to change at page 94, line 38 skipping to change at page 93, line 36
The aggregate classes of the Indicator class are: The aggregate classes of the Indicator class are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.29.1 One. An identifier for this indicator. See Section 3.29.1
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or one. An alternative identifier for this indicator. See
Section 3.29.2 Section 3.29.2
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form text description of the
indicator. indicator.
StartTime StartTime
Zero or one. DATETIME. A timestamp of the start of the time Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid. period during which this indicator is valid.
EndTime EndTime
Zero or one. DATETIME. A timestamp of the end of the time period Zero or one. DATETIME. A timestamp of the end of the time period
during which this indicator is valid. during which this indicator is valid.
skipping to change at page 95, line 14 skipping to change at page 94, line 12
Contact Contact
Zero or more. Contact information for this indicator. See Zero or more. Contact information for this indicator. See
Section 3.9. Section 3.9.
Observable Observable
Zero or one. An observable feature or phenomenon of this Zero or one. An observable feature or phenomenon of this
indicator. See Section 3.29.3. indicator. See Section 3.29.3.
ObservableReference ObservableReference
Zero or one. A reference to a feature or phenomenon defined Zero or one. A reference to an observable feature or phenomenon
elsewhere in the document. See Section 3.29.6. defined elsewhere in the document. See Section 3.29.6.
IndicatorExpression IndicatorExpression
Zero or one. A composition of observables. See Section 3.29.4. Zero or one. A composition of observables. See Section 3.29.4.
IndicatorReference IndicatorReference
Zero or one. A reference to an indicator. See Section 3.29.7. Zero or one. A reference to an indicator. See Section 3.29.7.
NodeRole NodeRole
Zero or many. An indication of the role a system to which this Zero or many. The role of the system in the attack should this
indicator is matched might play in an attack. See Section 3.18.2. indicator be matched to it. See Section 3.18.2.
AttackPhase AttackPhase
Zero or many. An indication of which phase in an attack lifecycle Zero or many. The phase in an attack lifecycle during which this
this indicator might be seen. See Section 3.29.8. indicator might be seen. See Section 3.29.8.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The Indicator class MUST have exactly one instance of an Observable, The Indicator class MUST have exactly one instance of an Observable,
IndicatorExpression, ObservableReference, or IndicatorReference IndicatorExpression, ObservableReference, or IndicatorReference
class. class.
The StartTime and EndTime classes can be used to define an interval The StartTime and EndTime classes can be used to define an interval
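Review bot: NodeRole and AttackPhase use the cardinality wording "Zero or many" while every other aggregate in this class (Description, Contact, AdditionalData) uses "Zero or more"; pick one term. The rewritten NodeRole sentence "The role of the system in the attack should this indicator be matched to it." is also awkward; suggest "The role a system plays in an attack when it matches this indicator."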
skipping to change at page 96, line 26 skipping to change at page 95, line 26
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
Figure 60: The IndicatorID Class Figure 60: The IndicatorID Class
The content of the class is identifier for an indicator of type ID. The content of the class is of type ID and specifies an identifier
for an indicator.
The attributes of the IndicatorID class are: The attributes of the IndicatorID class are:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4. attribute in Section 3.4.
skipping to change at page 99, line 46 skipping to change at page 98, line 46
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The Observable class MUST have exactly one of the possible child The Observable class MUST have exactly one of the possible child
classes. classes.
The Observable class has no attributes. The Observable class has no attributes.
3.29.3.1. BulkObservable Class 3.29.3.1. BulkObservable Class
The BulkObservable class allows the bulk enumeration of single type The BulkObservable class allows the enumeration of a single type of
of observables without requiring each one to be encoded individually observables without requiring each one to be encoded individually in
in multiple instances of the same class. The type attribute multiple instances of the same class.
describes the type observable listed in the child BulkObservableList
class. The BulkObservableFormat class optionally provides additional The type attribute describes the type of observable listed in the
meta-data. child BulkObservableList class. The BulkObservableFormat class
optionally provides additional meta-data.
+---------------------------+ +---------------------------+
| BulkObservable | | BulkObservable |
+---------------------------+ +---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ] | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ] | STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 63: The BulkObservable Class Figure 63: The BulkObservable Class
The aggregate classes of the BulkObserable class are: The aggregate classes of the BulkObservable class are:
BulkObservableFormat BulkObservableFormat
Zero or one. Provides additional meta-data about the observables Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class. See enumerated in the BulkObservableList class. See
Section 3.29.3.1.1. Section 3.29.3.1.1.
BulkObservableList BulkObservableList
One. STRING. A list of observables, one per line. Each line is One. STRING. A list of observables, one per line. Each line is
separated with either a LF character or CR-and-LF characters. The separated with either a LF character or CR-and-LF characters. The
type attribute will specify the which observables will be listed. type attribute specifies which observables will be listed.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The attributes of the BulkObservable class are: The attributes of the BulkObservable class are:
type type
Optional. ENUM. The type of the observable listed in the child Optional. ENUM. The type of the observable listed in the child
ObservableList class. These values are maintained in the ObservableList class. These values are maintained in the
"BulkObservable-type" IANA registry per Table 1. "BulkObservable-type" IANA registry per Section 10.2.
1. asn. Autonomous System Number (per the Address@category 1. asn. Autonomous System Number (per the Address@category
attribute). attribute).
2. atm. Asynchronous Transfer Mode (ATM) address (per the 2. atm. Asynchronous Transfer Mode (ATM) address (per the
Address@category attribute). Address@category attribute).
3. e-mail. Electronic mail address (RFC 822) (per the 3. e-mail. Electronic mail address (RFC 822) (per the
Address@category attribute). Address@category attribute).
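Review bot: the type attribute description says the observables are "listed in the child ObservableList class", but the child class is named BulkObservableList in Figure 63 and in the aggregate list above; rename it to BulkObservableList. The "e-mail" value cites RFC 822 for the address format; RFC 822 has been obsoleted (currently by RFC 5322), so check whether the reference should be updated to match the Address@category text it points at.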
skipping to change at page 101, line 25 skipping to change at page 100, line 25
9. ipv6-net-mask. IPv6 network address, slash, network mask 9. ipv6-net-mask. IPv6 network address, slash, network mask
(per the Address@category attribute). (per the Address@category attribute).
10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f) 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
(per the Address@category attribute). (per the Address@category attribute).
11. site-uri. A URL or URI for a resource (per the 11. site-uri. A URL or URI for a resource (per the
Address@category attribute). Address@category attribute).
12. fqdn. Fully qualified domain name. 12. domain-name. A fully qualified domain name or part of a
13. domain-name. A fully qualified domain name or part of a
name. (e.g., fqdn.example.com, example.com). name. (e.g., fqdn.example.com, example.com).
14. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as 13. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
a comma separated list (e.g., "fqdn.example.com, 192.0.2.1"). a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
15. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as 14. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
a comma separated list (e.g., "fqdn.example.com, a comma separated list (e.g., "fqdn.example.com,
2001:DB8::3"). 2001:DB8::3").
16. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a 15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
timestamp (in the DATETIME format) of the resolution (e.g., timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00"). "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
17. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a 16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
timestamp (in the DATETIME format) of the resolution (e.g., timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00"). "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
18. ipv4-port. An IPv4 address, port and protocol tuple (e.g., 17. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
192.0.2.1, 80, tcp). The protocol name corresponds to the 192.0.2.1, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry. "Keyword" column in the [IANA.Protocols] registry.
19. ipv6-port. An IPv6 address, port and protocol tuple (e.g., 18. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
2001:DB8::3, 80, tcp). The protocol name corresponds to the 2001:DB8::3, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry. "Keyword" column in the [IANA.Protocols] registry.
20. windows-reg-key. A Microsoft Windows Registry key. 19. windows-reg-key. A Microsoft Windows Registry key.
21. file-hash. A file hash. The format of this hash is 20. file-hash. A file hash. The format of this hash is
described in the Hash class that MUST be present in a sibling described in the Hash class that MUST be present in a sibling
BulkObservableFormat class. BulkObservableFormat class.
22. email-x-mailer. An X-Mailer field from an email. 21. email-x-mailer. An X-Mailer field from an email.
23. email-subject. An email subject line. 22. email-subject. An email subject line.
24. http-user-agent. A User Agent field from an HTTP request 23. http-user-agent. A User Agent field from an HTTP request
header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
Gecko/20100101 Firefox/38.0"). Gecko/20100101 Firefox/38.0").
25. http-request-uri. The Request URI from an HTTP request 24. http-request-uri. The Request URI from an HTTP request
header. header.
26. mutex. The name of a system mutex. 25. mutex. The name of a system mutex.
27. file-path. A file path (e.g., "/tmp/local/file", 26. file-path. A file path (e.g., "/tmp/local/file",
"c:\windows\system32\file.sys") "c:\windows\system32\file.sys")
28. user-name. A username. 27. user-name. A username.
29. ext-value. A value used to indicate that this attribute is 28. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
3.29.3.1.1. BulkObservableFormat Class 3.29.3.1.1. BulkObservableFormat Class
The ObservableFormat class specifies meta-data about the format of an The ObservableFormat class specifies meta-data about the format of an
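Review bot: the sentence under the 3.29.3.1.1 heading still reads "The ObservableFormat class specifies meta-data" while the heading names the class BulkObservableFormat, as does the file-hash entry above ("a sibling BulkObservableFormat class"); the class name in the sentence should match the heading. Dropping the separate "fqdn" value and renumbering the list from 12 onward also needs a matching update to the corresponding IANA registry that Section 5.1.2 later in this diff says mirrors each extensible attribute, and the domain-to-ipv4 and domain-to-ipv6 entries still describe themselves as a "fqdn-to-IPv4 address mapping" although no fqdn value remains; "comma separated list" should be hyphenated as "comma-separated list" in the four entries that use it.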
skipping to change at page 103, line 32 skipping to change at page 102, line 29
indicators. indicators.
All child classes of a given instance of IndicatorExpression form a All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is boolean algebraic expression where the operator between them is
determined by the operator attribute. determined by the operator attribute.
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | STRING ext-operator |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 65: The IndicatorExpression Class Figure 65: The IndicatorExpression Class
The aggregate classes of the IndicatorExpression class are: The aggregate classes of the IndicatorExpression class are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. See Section 3.29.4. indicators. See Section 3.29.4.
Observable Observable
Zero or more. A description of an observable. See Zero or more. A description of an observable. See
Section 3.29.3. Section 3.29.3.
ObservableReference ObservableReference
Zero or more. A reference to another observable. See Zero or more. A reference to an observable. See Section 3.29.6.
Section 3.29.6.
IndicatorReference IndicatorReference
Zero or more. A reference to another indicator. See Zero or more. A reference to an indicator. See Section 3.29.7.
Section 3.29.7.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The attribute of the IndicatorExpression class is: The attributes of the IndicatorExpression class are:
operator operator
Optional. ENUM. The operator to be applied between the child Optional. ENUM. The operator to be applied between the child
elements. The default value is "and". These values are elements. See Section 3.29.5 for parsing guidance. The default
maintained in the "IndicatorExpression-operator" IANA registry per value is "and". These values are maintained in the
Table 1. "IndicatorExpression-operator" IANA registry per Section 10.2.
1. not. negation operator. 1. not. negation operator.
2. and. conjunction operator. 2. and. conjunction operator.
3. or. disjunction operator. 3. or. disjunction operator.
4. xor. exclusive disjunction operator. 4. xor. exclusive disjunction operator.
ext-operator
Optional. STRING. A means by which to extend the operator
attribute. See Section 5.1.1.
3.29.5. Expressions with IndicatorExpression 3.29.5. Expressions with IndicatorExpression
Boolean algebraic expressions can be used specify relationships Boolean algebraic expressions can be used to specify relationships
between observables and indicator. These expressions are constructed between observables and indicator. These expressions are constructed
through the use of the operator attribute and parent-child through the use of the operator attribute and parent-child
relationships in IndicatorExpressions. These expressions should be relationships in IndicatorExpressions. These expressions should be
parsed as follows: parsed as follows:
1. The operator specified by the operator attribute is applied 1. The operator specified by the operator attribute is applied
between each of the child elements of the immediate parent between each of the child elements of the immediate parent
IndicatorExpression element. If no operator attribute is IndicatorExpression element. If no operator attribute is
specified, it should be assumed to be an AND. specified, it should be assumed to be the conjunction operator
(i.e., operator="and").
2. A nested IndicatorExpression element with a parent 2. A nested IndicatorExpression element with a parent
IndicatorExpression is the equivalent of a parentheses in the IndicatorExpression is the equivalent of a parentheses in the
expression. expression.
The following four examples illustrate these parsing rules: The following four examples in Figure 66 through Figure 69 illustrate
these parsing rules:
1 : <IndicatorExpression> 1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable> 2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable> 3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression> 4 : </IndicatorExpression>
Equivalent expression: (O1 AND O2) Equivalent expression: (O1 AND O2)
Figure 66: Nested elements in an IndicatorExpression without an Figure 66: Nested elements in an IndicatorExpression without an
operator attribute specified operator attribute specified
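Review bot: the operator enumeration (items 1 to 4, "not" through "xor") gains an ext-operator attribute in this hunk but does not list "ext-value" as a fifth permitted value, which Section 5.1.1 later in this diff requires of every extensible attribute ("each extensible attribute has "ext-value" as one its possible enumerated values"; compare item 28 of the BulkObservable type list above); add the ext-value entry. The parsing rule "applied between each of the child elements" is also undefined for the unary "not" operator when an IndicatorExpression has more than one child: state whether "not" negates the conjunction of all children, is only valid with a single child, or is an error. Minor: "a parentheses" should be "parentheses" and "between observables and indicator" should be "indicators".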
skipping to change at page 106, line 29 skipping to change at page 105, line 29
Figure 70: The ObservableReference Class Figure 70: The ObservableReference Class
The ObservableReference class has no content. The ObservableReference class has no content.
The attribute of the ObservableReference class is: The attribute of the ObservableReference class is:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in its observable-id attribute.
3.29.7. IndicatorReference Class 3.29.7. IndicatorReference Class
The IndicatorReference describes a reference to an indicator. This The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in the IODEF document or reference may be to an indicator described in this IODEF document or
in a previously exchanged IODEF document. in a previously exchanged IODEF document.
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 71: The IndicatorReference Class Figure 71: The IndicatorReference Class
The IndicatorReference class has no content. The IndicatorReference class has no content.
The attributes of the IndicatorReference class are: The attributes of the IndicatorReference class are:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that references an Indicator
Indicator class in the IODEF document. The referenced Indicator class in the IODEF document. The referenced Indicator class will
class will have this identifier set in the IndicatorID class. have this identifier set in its IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document. not in this IODEF document.
version version
Optional. STRING. A version number of an indicator. Optional. STRING. A version number of an indicator.
Either the uid-ref or the euid-ref attribute MUST be set. Either the uid-ref or the euid-ref attribute MUST be set.
3.29.8. AttackPhase Class 3.29.8. AttackPhase Class
The AttackPhase class describes which particular phase of an attack The AttackPhase class describes a particular phase of an attack
lifecycle.
+------------------------+ +------------------------+
| AttackPhase | | AttackPhase |
+------------------------+ +------------------------+
| |<>--{0..*}--[ AttackPhaseID ] | |<>--{0..*}--[ AttackPhaseID ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 72: AttackPhase Class Figure 72: AttackPhase Class
The aggregate classes of the AttackPhase class are: The aggregate classes of the AttackPhase class are:
AttackPhaseID AttackPhaseID
Zero or more. STRING. An identifier for the phase of the attack. Zero or more. STRING. An identifier for the phase of the attack.
URL URL
Zero or more. URL. A URL associated with this phase of the Zero or more. URL. A URL to a resource describing this phase of
attack. the attack.
Description Description
Zero or more. ML_STRING. A description of the phase of the Zero or more. ML_STRING. A free-form text description of this
attack. phase of the attack.
AdditionalData AdditionalData
Zero or more. EXTENSION. A mechanism by which to extend the data Zero or more. EXTENSION. A mechanism by which to extend the data
model. model.
AttackPhase MUST have at least one instance of a child class. AttackPhase MUST have at least one instance of a child class.
The AttackPhase class has no attributes. The AttackPhase class has no attributes.
4. Processing Considerations 4. Processing Considerations
This section defines additional requirements on creating and parsing This section provides additional requirements and guidance on
IODEF documents. creating and processing IODEF documents.
4.1. Encoding 4.1. Encoding
Every IODEF document MUST begin with an XML declaration, and MUST Every IODEF document MUST begin with an XML declaration and MUST
specify the XML version used. The character encoding MUST also be specify the XML version used. The character encoding MUST also be
explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16 explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
[RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
NOT be used. The IODEF conforms to all XML data encoding conventions NOT be used. The IODEF conforms to all XML data encoding conventions
and constraints. and constraints.
The XML declaration with no character encoding will read as follows: The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?> <?xml version="1.0" ?>
When a character encoding is specified, the XML declaration will read When a character encoding is specified, the XML declaration will read
like the following: as follows:
<?xml version="1.0" encoding="charset" ?> <?xml version="1.0" encoding="charset" ?>
Where "charset" is the name of the character encoding as registered Where "charset" is the name of the character encoding as registered
with the Internet Assigned Numbers Authority (IANA), see [RFC2978]. with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
The following characters have special meaning in XML and MUST be The following characters have special meaning in XML and MUST be
escaped with their entity reference equivalent: "&", "<", ">", "\"" escaped with their entity reference equivalent: "&", "<", ">", "\""
(double quotation mark), and "'" (apostrophe). These entity (double quotation mark), and "'" (apostrophe). These entity
references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
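Review bot: "Either the uid-ref or the euid-ref attribute MUST be set" for IndicatorReference leaves open whether both may appear in one element; since uid-ref resolves within the document and euid-ref outside it, the text should say whether setting both is an error or, if permitted, which one a recipient follows. Likewise "AttackPhase MUST have at least one instance of a child class" cannot be expressed with four {0..*} aggregates, so it belongs with the constraints that Section 4.3 says the schema cannot encode and an implementation must check itself. The rewritten sentence "The AttackPhase class describes a particular phase of an attack" also lost the closing "lifecycle." of the old text and now ends without a period.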
skipping to change at page 108, line 50 skipping to change at page 107, line 50
The IODEF schema declares a namespace of The IODEF schema declares a namespace of
"urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS]. "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
Each IODEF document MUST include a valid reference to the IODEF Each IODEF document MUST include a valid reference to the IODEF
schema using the "xsi:schemaLocation" attribute. An example of such schema using the "xsi:schemaLocation" attribute. An example of such
a declaration would look as follows: a declaration would look as follows:
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" ...>
4.3. Validation 4.3. Validation
The IODEF documents MUST be well-formed XML. It is RECOMMENDED that IODEF documents MUST be well-formed XML. It is RECOMMENDED that
recipients validate the document against the schema described in recipients validate the document against the schema described in
Section 8. However, mere conformance to the schema is not sufficient Section 8. However, mere conformance to this schema is not
for a semantically valid IODEF document. The text of Section 3 sufficient for a semantically valid IODEF document. The text of
further describes formatting and constraints; some that cannot be Section 3 describes further formatting and constraints; some that
readily encoded in the schema. These MUST must also be considered by cannot be conveniently encoded in the schema. These MUST must also
an IODEF parser. Furthermore, the enumerated values present in this be considered by an IODEF implementation. Furthermore, the
document are a static list that will be incomplete over time as enumerated values present in this document are a static list that
select attributes can be extended by a corresponded IANA registry. will be incomplete over time as select attributes can be extended by
See Table 1. Hence, the schema to validate a given document MUST be a corresponding IANA registry per Section 10.2. Therefore, the
dynamically generated from these registry values. schema to validate a given document MUST be dynamically generated
from these registry values.
4.4. Incompatibilities with v1 4.4. Incompatibilities with v1
Version 2 of the IODEF data model makes a number of changes to The IODEF data model in this document makes a number of changes to
[RFC5070]. Largely, these changes were additive in nature -- classes [RFC5070]. These changes were largely additive -- classes and
and enumerated values were added. The following is a list of enumerated values were added. However, some incompatibilities
incompatibilities where the data model has changed between versions: between [RFC5070] and this new specification were introduced. These
incompatibilities are as follows:
o The IODEF-Document@version attribute is set to "2.0". o The IODEF-Document@version attribute is set to "2.0".
o Attributes with enumerated values can now also be extended with
IANA registries.
o All iodef:MLStringType classes use xml:lang. IODEF-Document also
uses xml:lang.
o The Service@ip_protocol attribute was renamed to @ip-protocol. o The Service@ip_protocol attribute was renamed to @ip-protocol.
o The Node/NodeName class was removed in favor of representing o The Node/NodeName class was removed in favor of representing
domain names with Node/DomainData/Name class. The Node/DataTime domain names with Node/DomainData/Name class. The Node/DataTime
class was also removed so that the Node/DomainData/ class was also removed so that the Node/DomainData/
DateDomainWasChecked class can represent the time at which the DateDomainWasChecked class can represent the time at which the
name to address resolution occurred. name to address resolution occurred.
o The Node/NodeRole class was moved to System/NodeRole. o The Node/NodeRole class was moved to System/NodeRole.
o The Reference class is now defined by [RFC-ENUM]. o The Reference class is now defined by [RFC-ENUM].
o Attributes with enumerated values can now also be extended with
IANA registries.
o The data previously represented in the Impact class is now in the o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has SystemImpact and IncidentCategory classes. The Impact class has
been removed. been removed.
o The Description class has been redefined to use xml:lang and o The semantics of Counter@type are now represented in Counter@unit.
@translation-id. IODEF-document also uses xml:lang.
o The semantics of Counter@type in v1 are now represented in
Counter@unit.
o The IODEF-Document@formatid attribute has been renamed to @format- o The IODEF-Document@formatid attribute has been renamed to @format-
id. id.
o Incident/ReportTime is no longer mandatory but GenerationTime is. o Incident/ReportTime is no longer mandatory. However,
GenerationTime is.
o All derived iodef:MLStringType classes use xml:lang/
o The Contact/Fax class is now represented by a generic Contact/ o The Fax class was removed and is now represented by a generic
Telephone class. Telephone class.
o The Contact/Telephone, Email and PostalAddress classes were o The Telephone, Email and PostalAddress classes were redefined from
redefined from improved internationalization. improved internationalization.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the dynamic nature of security operations, the
model will need to evolve along with them. This section discusses IODEF data model will need to continue to evolve. This section
how new data elements that have no current representation in the data discusses how new data elements can be incorporated into the IODEF.
model can be incorporated into the IODEF. These techniques are There is support to ad additional enumerated values and new classes.
designed so that adding new data will not require a change to the Adding additional attributes to existing classes is not supported.
base IODEF schema. With proven value, well documented extensions can
be incorporated into future versions of the specification. However, These extension mechanisms are designed so that adding new data
this approach also supports private extensions relevant only to a elements is possible without requiring a modifications to this
closed consortium. document. Extensions can be implemented publicly or privately. With
proven value, well documented extensions can be incorporated into
future versions of the specification.
5.1. Extending the Enumerated Values of Attributes 5.1. Extending the Enumerated Values of Attributes
Enumerated values of select attributes can be extended for private Additional enumerated values can be added to select attributes either
use through specially marked attributes with the "ext-" prefix. through the use of specially marked attributes with the "ext-" prefix
Likewise, each extensible attribute has a corresponding IANA registry or through a set of corresponding IANA registries. The former
to which to added public extensions. approach allows for the extension to remain private. The latter
approach is public.
5.1.1. Private Extension of Enumerated Values 5.1.1. Private Extension of Enumerated Values
The data model supports a means by which to add new enumerated values The data model supports adding new enumerated values to an attribute
to an attribute without public registration. For each attribute that without public registration. For each attribute that supports this
supports this extension technique, there is a corresponding attribute extension technique, there is a corresponding attribute in the same
in the same element whose name is identical but with a prefix of element whose name is identical but with a prefix of "ext-". This
"ext-". This special attribute is referred to as the extension special attribute is referred to as the extension attribute. The
attribute, and the attribute being extended is referred to as an attribute being extended is referred to as an extensible attribute.
extensible attribute. For example, an extensible attribute named For example, an extensible attribute named "foo" will have a
"foo" will have a corresponding extension attribute named "ext-foo". corresponding extension attribute named "ext-foo". An element may
An element may have many extensible, and therefore many extension, have many extensible attributes.
attributes.
In addition to a corresponding extension attribute, each extensible In addition to a corresponding extension attribute, each extensible
attribute has "ext-value" as one its possible enumerated values. attribute has "ext-value" as one its possible enumerated values.
This particular value serves as an escape sequence to the implementor
to signal that the extension attribute value should be read. Selection of this particular value in an extensible attribute signals
Otherwise, this value and has no valid meaning. that the extension attribute contains data. Otherwise, this "ext-
value" value has no meaning.
In order to add a new enumerated value to an extensible attribute, In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute. desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the For example, extending the type attribute of the SystemImpact class
SystemImpact class would look as follows: would look as follows:
<SystemImpact type="ext-value" ext-type="new-attack-type"> <SystemImpact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value". extensible attribute has been set to "ext-value".
5.1.2. Public Extension of Enumerated Values 5.1.2. Public Extension of Enumerated Values
Select enumerated value of the attributes defined in the data model The data model also supports publicly extending select enumerated
can be extended by adding entries to the corresponding IANA registry. attributes. A new entry can be added by registering a new entry in
Table 1 enumerates these registries. Section 4.3 discusses the XML the appropriate IANA registry. Section 10.2 provides a mapping
Validation implications of these types of extensions. between the extensible attributes and their corresponding registry.
Section 4.3 discusses the XML Validation implications of this type of
extension. All extensible attributes that support private extensions
also support public extensions.
5.2. Extending Classes 5.2. Extending Classes
The classes of the EXTENSION type can extend the data model. These Classes of the EXTENSION (iodef:ExtensionType) type can extend the
container classes, collectively referred to as the extensible data model. They provide the ability to have new atomic or XML-
classes, are implemented with the iodef:ExtensionType data type in
the schema. They provide the ability to have new atomic or XML-
encoded data elements in all of the top-level classes of the Incident encoded data elements in all of the top-level classes of the Incident
class and a few of the more complicated subordinate classes. As class and a few of the complex subordinate classes. As there are
there are multiple instances of the extensible classes in the data multiple instances of the extensible classes in the data model, there
model, there is discretion on where to add a new data element. It is is discretion on where to add a new data element. It is RECOMMENDED
RECOMMENDED that the extension be placed in the most closely related that the extension be placed in the most closely related class to the
class to the new information. new information.
Extensions using the atomic data types (i.e., all values of the dtype Extensions using the atomic data types (i.e., all values of the dtype
attributes other than "xml") MUST: attributes other than "xml") MUST:
1. Set the element content of extensible class to the desired value, 1. Set the element content to the desired value, and
and
2. Set the dtype attribute to correspond to the data type of the 2. Set the dtype attribute to correspond to the data type of the
element content. element content.
The following guidelines exist for extensions using XML: The following guidelines exist for extensions using XML (i.e.,
dtype="xml"):
1. The element content of the extensible class MUST be set to the 1. The element content of the extensible class MUST be set to the
desired value and the dtype attribute MUST be set to "xml". desired value and the dtype attribute MUST be set to "xml".
2. The extension schema MUST declare a separate namespace. It is 2. The extension schema MUST declare a separate namespace. It is
RECOMMENDED that these extensions have the prefix "iodef-". This RECOMMENDED that these extensions have the prefix "iodef-". This
recommendation makes readability of the document easier by recommendation makes readability of the document easier by
allowing the reader to infer which namespaces relate to IODEF by allowing the reader to infer which namespaces relate to IODEF by
inspection. inspection.
3. It is RECOMMENDED that extension schemas follow the naming 3. It is RECOMMENDED that extension schemas follow the naming
convention of the IODEF data model. This makes reading an convention of the IODEF data model. This too improves the
extended IODEF document look like any other IODEF document. The readability of extended IODEF documents. The names of all
names of all elements are capitalized. For elements with elements SHOULD be capitalized. For elements with composed
composed names, a capital letter is used for each word. names, a capital letter SHOULD be used for each word. Attribute
Attribute names are lower case. Attributes with composed names names SHOULD be in lower case. Attributes with composed names
are separated by a hyphen. SHOULD be separated by a hyphen.
4. Parsers that encounter an unrecognized element in a namespace 4. Implementations that encounter an unrecognized element in a
that they do support MUST reject the document as a syntax error. supported namespace MUST reject the document as a syntax error.
5. There are security and performance implications in requiring 5. There are security and performance implications in requiring
implementations to dynamically download schemas at run time. implementations to dynamically download schemas at run time.
Thus, implementations SHOULD NOT download schemas at runtime, Therefore, implementations SHOULD NOT download schemas at runtime
unless implementations take appropriate precautions and are unless the appropriate precautions are taken. Implementations
prepared for potentially significant network, processing, and also need to contend with the potential of significant network
time-out demands. and processing issues.
6. Some users of the IODEF may have private schema definitions that 6. Some adopters of the IODEF may have private schema definitions
might not be available on the Internet. In this situation, if a that are not publicly available. Thus implementations may
IODEF document leaks out of the private use space, references to encounter IODEF documents with references to private schemas that
some of those document schemas may not be resolvable. This has may not be resolvable. Hence, IODEF document recipients MUST be
two implications. First, references to private schemas may never prepared for a schema definition in an IODEF document never to
resolve. As such, in addition to the suggestion that resolve.
implementations do not download schemas at runtime mentioned
above, recipients MUST be prepared for a schema definition in an
IODEF document never to resolve.
The following schema and XML document excerpt provide a template for
an extension schema and its use in the IODEF document.

This example schema defines a namespace of "iodef-extension1" and a
single element named "newdata".

   <xs:schema
     targetNamespace="iodef-extension1.xsd"
     xmlns:iodef-extension1="iodef-extension1.xsd"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     attributeFormDefault="unqualified"
     elementFormDefault="qualified">
     <xs:import
       namespace="urn:ietf:params:xml:ns:iodef-2.0"
       schemaLocation="urn:ietf:params:xml:schema:iodef-2.0"/>
     <xs:element name="newdata" type="xs:string" />
   </xs:schema>

The following XML excerpt demonstrates the use of the above schema as
an extension to the IODEF.

   <IODEF-Document
     version="2.00" xml:lang="en-US"
     xmlns="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:iodef-extension1="iodef-extension1.xsd"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="iodef-extension1.xsd iodef-extension1.xsd">
     <Incident purpose="reporting">
     ...
       <AdditionalData dtype="xml" meaning="xml">
         <iodef-extension1:newdata>
           Field that could not be represented elsewhere
         </iodef-extension1:newdata>
       </AdditionalData>
     </Incident>
   </IODEF-Document>
5.3. Deconflicting Private Extensions

To disambiguate which private extension is used in an IODEF document,
the data model provides a means to identify the source of an
extension. Two attributes in the IODEF-Document class, private-enum-
name and private-enum-id, are used to specify this attribution. Only
a single private extension can be identified in a given IODEF-
Document.

If an implementor has a single private extension, then only the
private-enum-name attribute needs to be specified. Multiple distinct
private extensions or versioning of a single extension can be
attributed by also setting the corresponding private-enum-id
attribute.

The following XML excerpt demonstrates the specification of a private
extension from "example.com" with an identifier of "13".

   <IODEF-Document
     version="2.00" xml:lang="en-US"
     private-enum-name="example.com"
     private-enum-id="13"
     ...
   </IODEF-Document>

If an unrecognized private extension is encountered in processing,
the recipient MAY reject the entire document as a syntax error.
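The following is an added example, not part of this draft, showing how a recipient can apply Sections 5.2 and 5.3 together: attribute the document's private extension before doing anything else, and sort AdditionalData extension content by namespace without ever dereferencing a schemaLocation. The accepted-extension table, the second extension namespace "urn:example:acme-iodef-ext:1" and the sample document are constructed for the example; the stdlib parser is used precisely because it reads only the bytes handed to it, so an extension schema that never resolves cannot stall or redirect processing.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
EXT1_NS = "iodef-extension1.xsd"   # the namespace the template above declares

# Constructed sample: the extension template completed with the mandatory
# Incident children, the 5.3 attribution, and one extension namespace
# ("urn:example:acme-iodef-ext:1", hypothetical) that the recipient has no
# schema for.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" xml:lang="en-US"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    xmlns:iodef-extension1="iodef-extension1.xsd"
    xmlns:acme="urn:example:acme-iodef-ext:1"
    private-enum-name="example.com" private-enum-id="13">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <AdditionalData dtype="xml" meaning="xml">
      <iodef-extension1:newdata>
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
    <AdditionalData dtype="xml" meaning="xml">
      <acme:ticket>ACME-4711</acme:ticket>
    </AdditionalData>
    <AdditionalData dtype="string" meaning="note">plain text</AdditionalData>
  </Incident>
</IODEF-Document>"""

# Local policy (hypothetical): private extensions this recipient accepts,
# keyed by private-enum-name; None stands for "no private-enum-id given".
ACCEPTED_PRIVATE = {"example.com": {None, "13"}}

# Extension namespaces this recipient holds a schema for (hypothetical).
KNOWN_EXT_NS = {EXT1_NS}


class UnknownPrivateExtension(Exception):
    """Raised when the 5.3 attribution names an extension we do not know."""


def split_qname(tag):
    """ElementTree spells qualified names '{ns}local'; unqualified -> ('', tag)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_private_extension(root, accepted=ACCEPTED_PRIVATE):
    """Apply 5.3: return (name, id) of the declared private extension, or
    (None, None) if none is declared.  Rejects the whole document when the
    attribution is not one we recognize (the MAY in 5.3, exercised here)."""
    name = root.get("private-enum-name")
    ident = root.get("private-enum-id")
    if name is None:
        if ident is not None:
            raise UnknownPrivateExtension("private-enum-id without private-enum-name")
        return None, None
    if name not in accepted or ident not in accepted[name]:
        raise UnknownPrivateExtension(f"{name} / {ident}")
    return name, ident


def extension_elements(root):
    """Yield (namespace, local name, element) for each child carried in an
    AdditionalData with dtype="xml".  Other dtypes hold no extension XML."""
    for ad in root.iter(f"{{{IODEF_NS}}}AdditionalData"):
        if ad.get("dtype") != "xml":
            continue
        for child in ad:
            ns, local = split_qname(child.tag)
            yield ns, local, child


def triage_extensions(xml_text, known=KNOWN_EXT_NS):
    """Parse the document and sort extension content by namespace into
    'known' (we have a schema) and 'unknown' (we do not).  The parser only
    reads the bytes it is given: it never dereferences xsi:schemaLocation
    or the xs:import of an extension schema, so the 5.2 caveat (a schema
    that never resolves) costs nothing here.  Unknown content is kept for
    the analyst rather than dropped or fetched."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    private = check_private_extension(root)
    known_found, unknown_found = {}, {}
    for ns, local, el in extension_elements(root):
        bucket = known_found if ns in known else unknown_found
        bucket.setdefault(ns, []).append((local, (el.text or "").strip()))
    return private, known_found, unknown_found
```

Rejecting on an unrecognized private-enum-name/private-enum-id pair is the strict reading of 5.3; a recipient that prefers to keep the document can instead log the pair and treat every extension element as unknown.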
6. Internationalization Issues

Internationalization and localization are of specific concern to the
IODEF as it facilitates operational coordination with a diverse set
of partners. The IODEF implements internationalization by relying on
XML constructs and through explicit design choices in the data model.

Since the IODEF is implemented as an XML Schema, it supports
different character encodings, such as UTF-8 and UTF-16, possible
with XML. Additionally, each IODEF document MUST specify the
language in which its content is encoded. The language can be
specified with the attribute "xml:lang" (per Section 2.12 of
[W3C.XML]) in the top-level element (i.e., IODEF-Document) and
letting all other elements inherit that definition. All IODEF
classes with a free-form text definition (i.e., all those defined
with type iodef:MLStringType) can also specify a language different
from the rest of the document. The valid language codes for the
"xml:lang" attribute are described in [RFC5646].

The data model supports multiple translations of free-form text. All
ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality
to their parent. This allows the identical text translated into
different languages to be encoded in different instances of the same
class with a common parent. This design also enables the creation of
a single document containing all the translations. The IODEF
implementation SHOULD extract the appropriate language relevant to
the recipient.

Related instances of a given iodef:MLStringType class that are
translations of each other are identified by a common identifier set
in the translation-id attribute. The example below shows three
instances of a Description class expressed in three different
languages. The relationship between these three instances of the
Description class is conveyed by the common value of "1" in the
translation-id attribute.

   <IODEF-Document version="2.00" xml:lang="en" ...
     <Incident purpose="reporting">
     ...
       <Description translation-id="1"
                    xml:lang="en">English</Description>
       <Description translation-id="1"
                    xml:lang="de">Englisch</Description>
       <Description translation-id="1"
                    xml:lang="fr">Anglais</Description>

The IODEF balances internationalization support with the need for
interoperability. While the IODEF supports different languages, the
data model also relies heavily on standardized enumerated attributes
that can crudely approximate the contents of the document. With this
approach, a CSIRT should be able to make some sense of an IODEF
document it receives even if the free-form text data elements are
written in a language unfamiliar to the recipient.
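The following is an added example, not part of this draft, of the "extract the appropriate language" step: it groups ML_STRING instances by translation-id, computes each element's effective xml:lang by the inheritance rule referenced above (an element without xml:lang takes the nearest ancestor's value), and picks one instance per group from a recipient preference list, falling back to the document language. The sample document extends the excerpt above with one untranslated Description; the language matching uses basic filtering as in RFC 4647, so a preference for "de-CH" does not select a plain "de" instance, which is the edge a naive string compare gets wrong in the other direction.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample built from the excerpt above: document language "en",
# one Description carried in three languages under translation-id="1", and
# one Description with no translation-id and no xml:lang of its own, which
# therefore inherits "en" from IODEF-Document.
SAMPLE = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">492382</IncidentID>
    <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
    <Description translation-id="1" xml:lang="en">English</Description>
    <Description translation-id="1" xml:lang="de">Englisch</Description>
    <Description translation-id="1" xml:lang="fr">Anglais</Description>
    <Description>No translation of this one was supplied</Description>
  </Incident>
</IODEF-Document>"""


def effective_languages(root):
    """Map every element to its effective xml:lang, applying the inheritance
    rule of Section 2.12 of [W3C.XML]: an element without xml:lang takes the
    nearest ancestor's value ('' if the document never sets one)."""
    effective = {}

    def walk(elem, inherited):
        lang = elem.get(XML_LANG, inherited)
        effective[elem] = lang
        for child in elem:
            walk(child, lang)

    walk(root, "")
    return effective


def lang_matches(tag, wanted):
    """Basic filtering as in RFC 4647: a range 'de' matches tags 'de' and
    'de-CH', but a range 'de-CH' does not match a plain 'de' tag."""
    tag, wanted = tag.lower(), wanted.lower()
    return tag == wanted or tag.startswith(wanted + "-")


def pick_translations(xml_text, preferred, localname="Description"):
    """Choose one instance per translation group of an ML_STRING class.
    Groups are formed by translation-id; an instance without one forms a
    group by itself (key 'single-<n>').  Preference order: the recipient's
    list, then the document language, then the first instance in document
    order.  Returns {group key: (language, text)}."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    lang_of = effective_languages(root)
    doc_lang = lang_of[root]
    groups = {}
    for i, el in enumerate(root.iter(f"{{{IODEF_NS}}}{localname}")):
        groups.setdefault(el.get("translation-id") or f"single-{i}", []).append(el)

    def first_matching(instances, want):
        return next((e for e in instances if lang_matches(lang_of[e], want)), None)

    chosen = {}
    for key, instances in groups.items():
        pick = None
        for want in preferred:
            pick = first_matching(instances, want)
            if pick is not None:
                break
        if pick is None:
            pick = first_matching(instances, doc_lang)
        if pick is None:
            # explicit None checks: an Element without children is falsy,
            # so "pick or instances[0]" would silently mis-select
            pick = instances[0]
        chosen[key] = (lang_of[pick], (pick.text or "").strip())
    return chosen
```

Grouping by translation-id only among siblings of the same class is deliberate: the attribute is scoped to a given iodef:MLStringType class, so a Description and, say, a Reason sharing translation-id="1" are unrelated.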
7. Examples

This section provides examples of IODEF documents. These examples do
not represent the full capabilities of the data model or the only
way to encode particular information.

7.1. Minimal Example

A document containing only the mandatory elements and attributes.

   <?xml version="1.0" encoding="UTF-8"?>
   <!-- Minimum IODEF document -->
   <IODEF-Document version="2.00" xml:lang="en"
     xmlns="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0
       http://www.iana.org/assignments/xmlregistry/schema/iodef-2.0.xsd">
     <Incident purpose="reporting" restriction="private">
       <IncidentID name="csirt.example.com">492382</IncidentID>
       <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
       <Contact type="organization" role="creator">
         <Email>
           <EmailTo>contact@csirt.example.com</EmailTo>
         </Email>
       </Contact>
       <!-- Add more fields to make the document useful -->
     </Incident>
   </IODEF-Document>

7.2. Indicators from a Campaign

An example of C2 domains from a given campaign.

   <?xml version="1.0" encoding="UTF-8"?>
   skipping to change at page 115, line 41
       <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
       <Description>Summarizes the Indicators of Compromise
         for the Orange Giraffe campaign of the Aggressive
         Butterfly crime gang.
       </Description>
       <Assessment>
         <BusinessImpact type="breach-proprietary"/>
       </Assessment>
       <Contact type="organization" role="creator">
         <ContactName>CSIRT for example.com</ContactName>
         <Email>
           <EmailTo>contact@csirt.example.com</EmailTo>
         </Email>
       </Contact>
       <IndicatorData>
         <Indicator>
           <IndicatorID name="csirt.example.com" version="1">
             G90823490
           </IndicatorID>
           <Description>C2 domains</Description>
           <StartTime>2014-12-02T11:18:00-05:00</StartTime>
           <Observable>
             <BulkObservable type="domain-name">
   skipping to change at page 116, line 19
               klknjwfjiowjefr923.example.org
               oimireik79msd.example.org
             </BulkObservableList>
           </BulkObservable>
         </Observable>
       </Indicator>
     </IndicatorData>
   </Incident>
   </IODEF-Document>
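The following is an added example, not part of this draft, of what a recipient does with a document shaped like 7.2: pull every BulkObservable out of IndicatorData, keyed by IndicatorID and type (using the "domain-name" value from the bulkobservable-type-type enumeration in Section 8), normalize the domain names, and match them against resolver log lines. The IODEF document, the second IPv4 BulkObservable and the DNS log lines (a hypothetical "timestamp client qname" format) are constructed for the example; matching is exact on the normalized name, so a look-alike such as "notoimireik79msd.example.org" is not reported.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Constructed sample document in the shape of 7.2: one Indicator carrying a
# BulkObservable of C2 domain names plus one of IPv4 addresses.
SAMPLE = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">897923</IncidentID>
    <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">
          G90823490
        </IndicatorID>
        <Description>C2 domains</Description>
        <Observable>
          <BulkObservable type="domain-name">
            <BulkObservableList>
              kj290023j09r34.example.com
              09ijk23jfj0k8.example.net
              klknjwfjiowjefr923.example.org
              oimireik79msd.example.org
            </BulkObservableList>
          </BulkObservable>
        </Observable>
        <Observable>
          <BulkObservable type="ipv4-addr">
            <BulkObservableList>
              192.0.2.77
              198.51.100.9
            </BulkObservableList>
          </BulkObservable>
        </Observable>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>"""

# Constructed resolver log lines; hypothetical format "timestamp client qname".
DNS_LOG = """2015-10-03T08:01:02Z 10.1.2.3 www.example.com
2015-10-03T08:01:09Z 10.1.2.3 KJ290023J09R34.example.com.
2015-10-03T08:02:30Z 10.1.2.44 oimireik79msd.example.org
2015-10-03T08:03:00Z 10.1.2.44 notoimireik79msd.example.org
2015-10-03T08:05:00Z 10.1.2.50 mail.example.net"""


def normalize_domain(name):
    """Lower-case and drop a trailing dot so log and indicator forms compare."""
    return name.strip().rstrip(".").lower()


def load_bulk_observables(xml_text):
    """Return {(indicator_id, type): set(values)} for every BulkObservable.
    The list in 7.2 carries one value per line; splitting on any whitespace
    reads that and tolerates the indentation.  ext-value types are keyed
    as 'ext:<ext-type>' so they stay distinguishable."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    out = {}
    for ind in root.iter(f"{{{IODEF_NS}}}Indicator"):
        iid = ind.findtext(f"{{{IODEF_NS}}}IndicatorID", default="").strip()
        for bulk in ind.iter(f"{{{IODEF_NS}}}BulkObservable"):
            btype = bulk.get("type")
            if btype == "ext-value":
                btype = "ext:" + (bulk.get("ext-type") or "")
            raw = bulk.findtext(f"{{{IODEF_NS}}}BulkObservableList", default="")
            values = set(raw.split())
            if btype == "domain-name":
                values = {normalize_domain(v) for v in values}
            out.setdefault((iid, btype), set()).update(values)
    return out


def match_dns_log(indicators, log_text):
    """Exact-match each queried name against the domain-name indicators.
    Returns [(client, qname, indicator_id)] in log order."""
    domains = {}
    for (iid, btype), values in indicators.items():
        if btype == "domain-name":
            for v in values:
                domains[v] = iid
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue   # skip malformed lines rather than abort the run
        _ts, client, qname = parts
        q = normalize_domain(qname)
        if q in domains:
            hits.append((client, q, domains[q]))
    return hits
```

Keeping the IndicatorID on each hit matters operationally: it is what goes back to the originating CSIRT in a follow-up, and the version attribute on IndicatorID is how a later revision of the list supersedes this one.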
8. The IODEF Data Model (XML Schema)
   <?xml version="1.0"?>
   <xs:schema xmlns="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
     xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
     elementFormDefault="qualified"
   skipping to change at page 119, line 45
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:IncidentID"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:URL"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:ThreatActor"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:Campaign"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:IndicatorID"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:Confidence" minOccurs="0"/>
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:AdditionalData"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="restriction"
                     type="iodef:restriction-type" use="optional"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="ThreatActor">
     <xs:complexType>
       <xs:sequence>
   skipping to change at page 120, line 35
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="ThreatActorID" type="xs:string"/>
   <xs:element name="Campaign">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:CampaignID"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:URL"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:AdditionalData"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="restriction"
                     type="iodef:restriction-type" use="optional"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   skipping to change at page 123, line 33
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:TelephoneNumber"/>
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="type"
                     type="telephone-type-type" use="optional"/>
       <xs:attribute name="ext-type" type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="TelephoneNumber" type="xs:string"/>
   <xs:simpleType name="telephone-type-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="wired"/>
       <xs:enumeration value="mobile"/>
       <xs:enumeration value="fax"/>
       <xs:enumeration value="hotline"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:element name="Email">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:EmailTo"/>
   skipping to change at page 125, line 21
                     type="iodef:action-type" use="required"/>
       <xs:attribute name="ext-action"
                     type="xs:string" use="optional"/>
       <xs:attribute name="restriction"
                     type="iodef:restriction-type" use="optional"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
       <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="DefinedCOA" type="xs:string"/>
   <!--
     ===================================================================
     == Expectation class                                             ==
     ===================================================================
   -->
   <xs:element name="Expectation">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
   skipping to change at page 131, line 49
         <xs:attribute name="severity" type="iodef:severity-type"/>
         <xs:attribute name="currency" type="xs:string"/>
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>
   </xs:element>
   <xs:element name="Confidence">
     <xs:complexType>
       <xs:attribute name="rating"
                     type="confidence-rating-type" use="required"/>
       <xs:attribute name="ext-rating"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:simpleType name="confidence-rating-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="low"/>
       <xs:enumeration value="medium"/>
       <xs:enumeration value="high"/>
       <xs:enumeration value="numeric"/>
       <xs:enumeration value="unknown"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <!--
     ===================================================================
     == EventData class                                               ==
     ===================================================================
   -->
   <xs:element name="EventData">
     <xs:complexType>
       <xs:sequence>
   skipping to change at page 139, line 33
     </xs:restriction>
   </xs:simpleType>
   <!--
     ===================================================================
     == EmailData class                                               ==
     ===================================================================
   -->
   <xs:element name="EmailData">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:EmailTo"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
         <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
         <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
         <xs:element ref="iodef:EmailHeaderField"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
         <xs:element ref="iodef:EmailBody" minOccurs="0"/>
         <xs:element ref="iodef:EmailMessage" minOccurs="0"/>
         <xs:element ref="iodef:HashData" minOccurs="0"/>
         <xs:element ref="SignatureData" minOccurs="0"/>
       </xs:sequence>
       <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="EmailTo" type="xs:string"/>
   <xs:element name="EmailFrom" type="xs:string"/>
   <xs:element name="EmailSubject" type="xs:string"/>
   <xs:element name="EmailX-Mailer" type="xs:string"/>
   <xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
   <xs:element name="EmailHeaders" type="xs:string"/>
   <xs:element name="EmailBody" type="xs:string"/>
   <xs:element name="EmailMessage" type="xs:string"/>
   <!--
     ===================================================================
     == DomainData class                                              ==
     ===================================================================
   -->
   <xs:element name="DomainData">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:Name" maxOccurs="1"/>
         <xs:element ref="iodef:DateDomainWasChecked"
   skipping to change at page 142, line 22
   <xs:element name="RecordData">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:DateTime" minOccurs="0"/>
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:Application" minOccurs="0"/>
         <xs:element ref="iodef:RecordPattern"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/>
         <xs:element ref="iodef:URL"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:FileData"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:WindowsRegistryKeysModified"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:CertificateData"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:AdditionalData"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="restriction"
   skipping to change at page 145, line 20
   <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
   <xs:element name="FileProperties" type="iodef:ExtensionType"/>
   <!--
     ====================================================================
     == HashData Class                                                 ==
     ====================================================================
   -->
   <xs:element name="HashData">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:HashTargetID" minOccurs="0"/>
         <xs:element ref="iodef:Hash"
                     minOccurs="0" maxOccurs="unbounded"/>
         <xs:element ref="iodef:FuzzyHash"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="scope"
                     type="hashdata-scope-type" use="required"/>
       <xs:attribute name="ext-scope" type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="HashTargetID" type="xs:string"/>
   <xs:simpleType name="hashdata-scope-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="file-contents"/>
       <xs:enumeration value="file-pe-section"/>
       <xs:enumeration value="file-pe-iat"/>
       <xs:enumeration value="file-pe-resource"/>
       <xs:enumeration value="file-pdf-object"/>
       <xs:enumeration value="email-hash"/>
       <xs:enumeration value="email-headers-hash"/>
       <xs:enumeration value="email-body-hash"/>
       <xs:enumeration value="ext-value"/>
     </xs:restriction>
   </xs:simpleType>
   <xs:element name="Hash">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="ds:DigestMethod"/>
         <xs:element ref="ds:DigestValue"/>
         <xs:element ref="ds:CanonicalizationMethod"
                     minOccurs="0"/>
         <xs:element ref="iodef:Application" minOccurs="0"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="FuzzyHash">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:FuzzyHashValue"
                     maxOccurs="unbounded"/>
         <xs:element ref="iodef:Application" minOccurs="0"/>
         <xs:element ref="iodef:AdditionalData"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
   <!--
     ===================================================================
     == SignatureData Class                                           ==
     ===================================================================
   -->
   <xs:element name="SignatureData">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="ds:Signature" maxOccurs="unbounded"/>
       </xs:sequence>
   skipping to change at page 148, line 45
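The following is an added example, not part of this draft, for the HashData and Hash classes defined above. Because Hash reuses ds:DigestMethod and ds:DigestValue from XML Signature, the digest travels as base64 (ds:DigestValue is base64Binary) under an algorithm URI, not as the hex string most tools print; the example builds a HashData fragment for a byte string and verifies a byte string against one, reporting unknown algorithms as unverifiable rather than as a match or a mismatch. The algorithm-URI table and the sample bytes are the example's own; the "scope" and "HashTargetID" values follow the schema above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# DigestMethod Algorithm URIs from XML Signature / XML Encryption for the
# hashes used here; anything else is treated as unverifiable below.
ALGORITHMS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}
URI_TO_NAME = {v: k for k, v in ALGORITHMS.items()}

ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("ds", DS_NS)


def build_hashdata(content, algorithms=("sha256",), scope="file-contents",
                   target_id=None):
    """Build a HashData element for `content` (bytes) with one Hash per
    algorithm.  Child order follows the schema: HashTargetID, then Hash.
    DigestValue is base64 of the raw digest, as XML Signature requires."""
    hd = ET.Element(f"{{{IODEF_NS}}}HashData", {"scope": scope})
    if target_id is not None:
        ET.SubElement(hd, f"{{{IODEF_NS}}}HashTargetID").text = target_id
    for name in algorithms:
        h = ET.SubElement(hd, f"{{{IODEF_NS}}}Hash")
        ET.SubElement(h, f"{{{DS_NS}}}DigestMethod",
                      {"Algorithm": ALGORITHMS[name]})
        digest = hashlib.new(name, content).digest()
        ET.SubElement(h, f"{{{DS_NS}}}DigestValue").text = \
            base64.b64encode(digest).decode("ascii")
    return hd


def hashdata_to_string(elem):
    """Serialize with the iodef: and ds: prefixes registered above."""
    return ET.tostring(elem, encoding="unicode")


def verify_hashdata(hashdata_xml, content):
    """Check `content` (bytes) against every Hash in a HashData fragment.
    Returns {algorithm_uri: True | False | None}; None marks an algorithm
    we cannot compute, so the caller decides whether that is acceptable
    instead of silently treating it as a pass."""
    root = ET.fromstring(hashdata_xml)
    results = {}
    for h in root.iter(f"{{{IODEF_NS}}}Hash"):
        method = h.find(f"{{{DS_NS}}}DigestMethod")
        uri = method.get("Algorithm") if method is not None else None
        name = URI_TO_NAME.get(uri)
        if name is None:
            results[uri] = None
            continue
        value = h.findtext(f"{{{DS_NS}}}DigestValue", default="")
        try:
            # base64 may be wrapped across lines; drop the whitespace first
            actual = base64.b64decode("".join(value.split()), validate=True)
        except ValueError:
            results[uri] = False   # malformed DigestValue is a mismatch
            continue
        results[uri] = actual == hashlib.new(name, content).digest()
    return results
```

A consumer that compares the base64 text against a hex digest from a sandbox report will never match; decoding to bytes, as above, is the comparison that is independent of how the producer's tooling prints hashes.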
         <xs:element ref="iodef:WindowsRegistryKeysModified"
                     minOccurs="0"/>
         <xs:element ref="iodef:FileData" minOccurs="0"/>
         <xs:element ref="iodef:CertificateData" minOccurs="0"/>
         <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
         <xs:element ref="iodef:RecordData" minOccurs="0"/>
         <xs:element ref="iodef:EventData" minOccurs="0"/>
         <xs:element ref="iodef:Incident" minOccurs="0"/>
         <xs:element ref="iodef:Expectation" minOccurs="0"
                     maxOccurs="unbounded"/>
         <xs:element ref="Reference" minOccurs="0"
                     maxOccurs="unbounded"/>
         <xs:element ref="iodef:Assessment" minOccurs="0"/>
         <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
         <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
         <xs:element ref="iodef:AdditionalData" minOccurs="0"/>
       </xs:sequence>
       <xs:attribute name="restriction"
                     type="iodef:restriction-type" use="optional"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="BulkObservable">
     <xs:complexType>
       <xs:sequence>
   skipping to change at page 149, line 18
     </xs:complexType>
   </xs:element>
   <xs:element name="BulkObservable">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
         <xs:element name="BulkObservableList"
                     type="xs:string" minOccurs="0"/>
       </xs:sequence>
       <xs:attribute name="type"
                     type="bulkobservable-type-type" use="required"/>
       <xs:attribute name="ext-type" type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:simpleType name="bulkobservable-type-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="asn"/>
       <xs:enumeration value="atm"/>
       <xs:enumeration value="e-mail"/>
       <xs:enumeration value="ipv4-addr"/>
       <xs:enumeration value="ipv4-net"/>
       <xs:enumeration value="ipv4-net-mask"/>
       <xs:enumeration value="ipv6-addr"/>
       <xs:enumeration value="ipv6-net"/>
       <xs:enumeration value="ipv6-net-mask"/>
       <xs:enumeration value="mac"/>
       <xs:enumeration value="site-uri"/>
       <xs:enumeration value="domain-name"/>
       <xs:enumeration value="domain-to-ipv4"/>
       <xs:enumeration value="domain-to-ipv6"/>
       <xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/> <xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/> <xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/> <xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/> <xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/> <xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/> <xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/> <xs:enumeration value="email-subject"/>
skipping to change at page 151, line 31 skipping to change at page 150, line 30
<xs:element ref="iodef:Observable" minOccurs="0"/> <xs:element ref="iodef:Observable" minOccurs="0"/>
<xs:element ref="iodef:ObservableReference" minOccurs="0"/> <xs:element ref="iodef:ObservableReference" minOccurs="0"/>
<xs:element ref="iodef:IndicatorReference" minOccurs="0"/> <xs:element ref="iodef:IndicatorReference" minOccurs="0"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID" <xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="operator" <xs:attribute name="operator"
type="indicatorexpression-operator-type" type="indicatorexpression-operator-type"
use="optional" default="and"/> use="optional" default="and"/>
<xs:attribute name="ext-operator"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="indicatorexpression-operator-type"> <xs:simpleType name="indicatorexpression-operator-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/> <xs:enumeration value="not"/>
<xs:enumeration value="and"/> <xs:enumeration value="and"/>
<xs:enumeration value="or"/> <xs:enumeration value="or"/>
<xs:enumeration value="xor"/> <xs:enumeration value="xor"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
skipping to change at page 156, line 27 skipping to change at page 155, line 27
<xs:enumeration value="csv"/> <xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/> <xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/> <xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:schema> </xs:schema>
9. Security Considerations

draft-ietf-mile-rfc5070-bis-16:

   The IODEF data model itself does not directly introduce security
   issues. Rather, it simply defines a representation for incident
   information. As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing. The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension. The IODEF parser MUST handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds. For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity. The use of a
   standardized security protocol is encouraged. The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute. The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies. While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it. The issue of
   enforcement is not a technical problem.

draft-ietf-mile-rfc5070-bis-17:

   The IODEF data model does not directly introduce security issues.
   However, as the data encoded by the IODEF might be considered
   sensitive by the parties exchanging it or by those described by it,
   care needs to be taken to ensure appropriate handling during the
   document exchange, subsequent processing or archiving.

   The contents of an IODEF document may include a request for action.
   An IODEF implementation may also initiate courses of action based on
   the document contents. For these reasons, care must be taken by
   IODEF implementations to properly authenticate the sender and
   receiver of the document. The recipient must also ascribe
   appropriate confidence to the data prior to action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity. The use of a
   standardized security protocol is encouraged. The Real-time Inter-
   network Defense (RID) protocol [RFC6545] and its associated transport
   binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.

   Executable content could be embedded into the IODEF document directly
   or through an extension. The IODEF implementation MUST handle this
   content with care to prevent unintentional automated execution.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute. The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies. While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.
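The two requirements above (treat embedded content as inert data and never execute it; weigh the data before acting and honour the restriction attribute as the sender's handling guideline), together with the BulkObservable element and its bulkobservable-type-type enumeration from the schema earlier in this section, can be exercised with a small defensive ingestion routine. The following Python is an added example written for this page, not code from the draft or the MILE working group. It assumes the IODEF v2 namespace URI shown in the code, that BulkObservableList holds one observable per line, that an element without a restriction attribute inherits the policy of its nearest enclosing element, and a constructed sample document that is illustrative rather than schema-validated. The validators cover only a subset of the enumerated types; other types are passed through and flagged as unvalidated.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: the IODEF v2 namespace URI; take the authoritative value from
# the draft's IANA section if your documents use a different one.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
NS = {"iodef": IODEF_NS}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
                        r"[a-z][a-z0-9-]{0,61}[a-z0-9]$", re.I)
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def _ip_check(version):
    def check(value):
        try:
            return ipaddress.ip_address(value).version == version
        except ValueError:
            return False
    return check

def _net_check(version):
    def check(value):
        try:
            return ipaddress.ip_network(value, strict=False).version == version
        except ValueError:
            return False
    return check

# Syntax checks for a subset of bulkobservable-type-type; types without an
# entry are passed through and reported as unvalidated.
VALIDATORS = {
    "ipv4-addr": _ip_check(4),
    "ipv6-addr": _ip_check(6),
    "ipv4-net": _net_check(4),
    "ipv6-net": _net_check(6),
    "domain-name": lambda v: _DOMAIN_RE.match(v) is not None,
    "mac": lambda v: _MAC_RE.match(v) is not None,
    "asn": lambda v: v.isdigit() and 0 < int(v) < 2 ** 32,
    "file-hash": lambda v: _HASH_RE.match(v) is not None,
}

def doctype_present(xml_text):
    """True if the document carries a DOCTYPE, i.e. may declare entities."""
    return re.search(r"<!DOCTYPE", xml_text, re.I) is not None

def load_iodef(xml_text):
    """Parse as inert data. ElementTree does not fetch external entities, but a
    DOCTYPE can still declare internal entities that expand during parsing;
    refusing any DOCTYPE closes both paths before the parser sees the text."""
    if doctype_present(xml_text):
        raise ValueError("refusing IODEF document with a DOCTYPE declaration")
    return ET.fromstring(xml_text)

def effective_restriction(elem, parent_map):
    """Nearest 'restriction' attribute on the element or an ancestor.
    Assumption: an unset attribute inherits the enclosing element's policy."""
    while elem is not None:
        value = elem.get("restriction")
        if value is not None:
            return value
        elem = parent_map.get(elem)
    return None

def review_bulk_observables(xml_text):
    """One review record per BulkObservable: declared type, policy in force,
    and which entries passed or failed the syntax check. Nothing is acted on."""
    root = load_iodef(xml_text)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    reviews = []
    for bulk in root.iter("{%s}BulkObservable" % IODEF_NS):
        otype = bulk.get("type")
        check = VALIDATORS.get(otype)
        lst = bulk.find("iodef:BulkObservableList", NS)
        text = (lst.text if lst is not None else "") or ""
        # Assumption: one observable per line inside BulkObservableList.
        entries = [e.strip() for e in text.splitlines() if e.strip()]
        reviews.append({
            "type": otype,
            "restriction": effective_restriction(bulk, parent_map),
            "validated": check is not None,
            "valid": [e for e in entries if check is None or check(e)],
            "invalid": [e for e in entries if check is not None and not check(e)],
        })
    return reviews

# Constructed sample document (illustrative only, not checked against the schema).
SAMPLE = """<IODEF-Document version="2.00" xmlns="%s">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">2016-0001</IncidentID>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">I-1</IndicatorID>
        <BulkObservable type="ipv4-addr">
          <BulkObservableList>
            192.0.2.10
            192.0.2.11
            not-an-address
          </BulkObservableList>
        </BulkObservable>
        <BulkObservable type="domain-name" restriction="private">
          <BulkObservableList>
            tracker.example.net
            bad host!
          </BulkObservableList>
        </BulkObservable>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>""" % IODEF_NS

if __name__ == "__main__":
    for record in review_bulk_observables(SAMPLE):
        print(record)
```

The routine deliberately returns review records instead of feeding the observables into a blocklist or firewall: the confidence decision the text calls for belongs to a step after authentication of the sender, and the restriction value is carried along so the handling policy is visible to that step rather than silently dropped.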
10. IANA Considerations

draft-ietf-mile-rfc5070-bis-16:

   This document registers a namespace, XML schema, and a number of
   registries that map to enumerated values defined in the schema.

draft-ietf-mile-rfc5070-bis-17:

   This document registers a namespace, an XML schema, and a number of
   registries that map to enumerated values defined in the data model.

10.1. Namespace and Schema

draft-ietf-mile-rfc5070-bis-16:

   This document uses URNs to describe an XML namespace and schema

draft-ietf-mile-rfc5070-bis-17:

   This document uses URNs to describe an